THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
This page shows the correct usage of the security related annotations:
- javax.annotation.security.RolesAllowed
- javax.annotation.security.PermitAll
- javax.annotation.security.DenyAll
- javax.annotation.security.RunAs
- javax.annotation.security.DeclareRoles
Basic idea
- By default all methods of a business interface are accessible, logged in or not
- The annotations go on the bean class, not the business interface
- Security annotations can be applied to entire class and/or individual methods
- The names of any security roles used must be declared via
...
- @DeclareRoles
No restrictions
Allow anyone logged in or not to invoke 'svnCommitsvnCheckout'.
These three examples are all equivalent.
...
| Code Block |
|---|
@Stateless
public class OpenSourceProjectBean implements Project {
@PermitAll
public String svnCheckout(String s) {
return s;
}
}
|
- Allow anyone logged in or not to invoke 'svnCheckout'.
Restricting a Method
Restrict the 'svnCommit' method to only individuals logged in and part of the "committer" role. Note that more than one role can be listed.
| Code Block |
|---|
@Stateless
@DeclareRoles({"committer"})
public class OpenSourceProjectBean implements Project {
@RolesAllowed({"committer"})
public String svnCommit(String s) {
return s;
}
public String svnCheckout(String s) {
return s;
}
}
- |
- Allow
...
- only
...
- logged
...
- in
...
- users
...
- in
...
- the
...
- "committer"
...
- role
...
- to
...
- invoke
...
- 'svnCommit'.
...
- Allow
...
- anyone
...
- logged
...
- in
...
- or
...
- not
...
- to
...
- invoke
...
- 'svnCheckout'.
...
...
DeclareRoles
You need to update the @DeclaredRoles @DeclareRoles when referencing more roles in your annotationsroles via isCallerInRole(roleName).
| Code Block |
|---|
@Stateless
@DeclareRoles({"committer", "contributor"})
public class OpenSourceProjectBean implements Project {
@Resource SessionContext ctx;
@RolesAllowed({"committer"})
public String svnCommit(String s) {
ctx.isCallerInRole("committer"); // Referencing a Role
return s;
}
@RolesAllowed({"contributor"})
public String submitPatch(String s) {
return s;
}
}
|
...
| Code Block |
|---|
@Stateless
@DeclareRoles({"committer"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {
public String svnCommit(String s) {
return s;
}
public String svnCheckout(String s) {
return s;
}
public String submitPatch(String s) {
return s;
}
}
|
- Allow only logged in users in the "committer" role to invoke 'svnCommit', 'svnCheckout' or 'submitPatch'.
Mixing class and method level restrictions
...
| Code Block |
|---|
@Stateless
@DeclareRoles({"committer", "contributor"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {
public String svnCommit(String s) {
return s;
}
public String svnCheckout(String s) {
return s;
}
@RolesAllowed({"contributor"})
public String submitPatch(String s) {
return s;
}
}
|
- Allow only logged in users in the "committer" role to invoke 'svnCommit' or 'svnCheckout'
- Allow only logged in users in the "contributor" role to invoke 'submitPatch'.
PermitAll
When annotating a bean class with @RolesAllowed, the @PermitAll annotation becomes very useful on individual methods to open them back up again.
| Code Block |
|---|
@Stateless
@DeclareRoles({"committer", "contributor"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {
public String svnCommit(String s) {
return s;
}
@PermitAll
public String svnCheckout(String s) {
return s;
}
@RolesAllowed({"contributor"})
public String submitPatch(String s) {
return s;
}
}
|
- Allow only logged in users in the "committer" role to invoke 'svnCommit'.
- Allow only logged in users in the "contributor" role to invoke 'submitPatch'.
- Allow anyone logged in or not to invoke 'svnCheckout'.
DenyAll
The @DenyAll annotation can be used to restrict business interface access from anyone, logged in or not. The method is still invokable from within the bean class itself.
| Code Block |
|---|
@Stateless
@DeclareRoles({"committer", "contributor"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {
public String svnCommit(String s) {
return s;
}
@PermitAll
public String svnCheckout(String s) {
return s;
}
@RolesAllowed({"contributor"})
public String submitPatch(String s) {
return s;
}
@DenyAll
public String deleteProject(String s) {
return s;
}
}
|
- Allow only logged in users in the "committer" role to invoke 'svnCommit'.
- Allow only logged in users in the "contributor" role to invoke 'submitPatch'.
- Allow anyone logged in or not to invoke 'svnCheckout'.
- Allow no one logged in or not to invoke 'deleteProject'.
Illegal Usage
Generally, security restrictions cannot be made on AroundInvoke methods and most callbacks.
The following usages of @RolesAllowed have no effect.
| Code Block |
|---|
@Stateful
@DecalredRoles({"committer"})
public class MyStatefulBean implements MyBusinessInterface {
@PostConstruct
@RolesAllowed({"committer"})
public void constructed(){
}
@PreDestroy
@RolesAllowed({"committer"})
public void destroy(){
}
@AroundInvoke
@RolesAllowed({"committer"})
public Object invoke(InvocationContext invocationContext) throws Exception {
return invocationContext.proceed();
}
@PostActivate
@RolesAllowed({"committer"})
public void activated(){
}
@PrePassivate
@RolesAllowed({"committer"})
public void passivate(){
}
}
|