This page shows the correct usage of the security-related annotations:

  • javax.annotation.security.RolesAllowed
  • javax.annotation.security.PermitAll
  • javax.annotation.security.DenyAll
  • javax.annotation.security.RunAs
  • javax.annotation.security.DeclareRoles

Basic idea

  • By default, all methods of a business interface are accessible, whether or not the caller is logged in
  • The annotations go on the bean class, not the business interface
  • Security annotations can be applied to the entire class and/or to individual methods
  • The names of any security roles used must be declared via @DeclareRoles

Restricting a Method

Restrict the svnCommit method to callers who are logged in and hold the "committer" role. Note that more than one role can be listed.

@Stateless
@DeclareRoles({"committer"})
public class OpenSourceProjectBean implements Project {

    @RolesAllowed({"committer"})
    public String svnCommit(String s) {
        return s;
    }
}

DeclareRoles

You need to update @DeclareRoles whenever your annotations reference additional roles.

@Stateless
@DeclareRoles({"committer", "contributor"})
public class OpenSourceProjectBean implements Project {

    @RolesAllowed({"committer"})
    public String svnCommit(String s) {
        return s;
    }

    @RolesAllowed({"contributor"})
    public String submitPatch(String s) {
        return s;
    }
}

Restricting all methods in a class

Placing @RolesAllowed on the bean class applies it to every method that does not carry its own security annotation; a method-level annotation overrides the class-level one for that method.

@Stateless
@DeclareRoles({"committer", "contributor"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {

    // no method-level annotation: inherits the class-level restriction ("committer" only)
    public String svnCommit(String s) {
        return s;
    }

    // method-level annotation overrides the class-level one for this method
    @RolesAllowed({"contributor"})
    public String submitPatch(String s) {
        return s;
    }
}

Example

Business Interface

public interface Project {

    public String svnCommit(String s);
    public String submitPatch(String s);
    public String svnCheckout(String s);
    public String deleteProject(String s);
    public boolean isCallerInRole(String s);
}

FooBean

@Stateless
@DeclareRoles({"committer", "contributor","community"})
public class FooBean implements Project {

    @Resource
    private SessionContext context;

    @RolesAllowed({"committer"})
    public String svnCommit(String s) {
        return s;
    }

    @RolesAllowed({"committer", "contributor"})
    public String submitPatch(String s) {
        return s;
    }

    @PermitAll
    public String svnCheckout(String s) {
        return s;
    }

    @DenyAll
    public String deleteProject(String s) {
        return s;
    }

    public boolean isCallerInRole(String role) {
        return context.isCallerInRole(role);
    }
}

BarBean (its outbound calls to other beans run with the "contributor" role, via @RunAs)

@Stateless
@RunAs("contributor")
@DeclareRoles({"committer", "contributor","community"})
public class BarBean implements Project {

    @Resource
    private SessionContext context;

    @RolesAllowed({"committer"})
    public String svnCommit(String s) {
        return s;
    }

    @RolesAllowed({"committer", "contributor"})
    public String submitPatch(String s) {
        return s;
    }

    @PermitAll
    public String svnCheckout(String s) {
        return s;
    }

    @DenyAll
    public String deleteProject(String s) {
        return s;
    }

    @PermitAll
    public boolean isCallerInRole(String role) {
        return context.isCallerInRole(role);
    }
}
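The following JUnit test is an added example, not part of the original page or the OpenEJB project's own example code; it exercises FooBean's access matrix from an embedded container. It assumes OpenEJB's LocalInitialContextFactory, a users.properties/groups.properties pair on the classpath that puts user "alice" (password "secret") in the "contributor" group only, the default JNDI name "FooBeanLocal", and the Project interface and FooBean shown above on the classpath.

```java
import java.util.Properties;
import javax.ejb.EJBAccessException;
import javax.naming.Context;
import javax.naming.InitialContext;
import junit.framework.TestCase;

public class FooBeanAccessTest extends TestCase {
    // Log in to the embedded container as the given user (null = anonymous) and
    // look up FooBean through its business interface. The JNDI name "FooBeanLocal"
    // and the alice/contributor mapping in users/groups.properties are assumptions.
    private Project lookupAs(String user, String password) throws Exception {
        Properties p = new Properties();
        p.put(Context.INITIAL_CONTEXT_FACTORY,
              "org.apache.openejb.client.LocalInitialContextFactory");
        if (user != null) {
            p.put(Context.SECURITY_PRINCIPAL, user);
            p.put(Context.SECURITY_CREDENTIALS, password);
        }
        return (Project) new InitialContext(p).lookup("FooBeanLocal");
    }

    // The container must reject the call before the bean method runs.
    private void assertDenied(Runnable call) {
        try {
            call.run();
            fail("expected EJBAccessException");
        } catch (EJBAccessException expected) {
            // container enforced @RolesAllowed / @DenyAll
        }
    }

    // "alice" is assumed to hold only the "contributor" role.
    public void testContributor() throws Exception {
        final Project project = lookupAs("alice", "secret");
        assertTrue(project.isCallerInRole("contributor"));
        assertFalse(project.isCallerInRole("committer"));
        assertEquals("patch", project.submitPatch("patch"));  // committer or contributor
        assertEquals("co", project.svnCheckout("co"));        // @PermitAll
        assertDenied(new Runnable() { public void run() { project.svnCommit("x"); } });     // committer only
        assertDenied(new Runnable() { public void run() { project.deleteProject("x"); } }); // @DenyAll
    }

    // An unauthenticated caller reaches only @PermitAll (and unannotated) methods.
    public void testAnonymous() throws Exception {
        final Project project = lookupAs(null, null);
        assertEquals("co", project.svnCheckout("co"));
        assertDenied(new Runnable() { public void run() { project.submitPatch("x"); } });
    }
}
```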