
This page shows the correct usage of the security-related annotations:

  • javax.annotation.security.RolesAllowed
  • javax.annotation.security.PermitAll
  • javax.annotation.security.DenyAll
  • javax.annotation.security.RunAs
  • javax.annotation.security.DeclareRoles

Basic idea

  • By default all methods of a business interface are accessible to any caller, logged in or not
  • The annotations go on the bean class, not the business interface
  • Security annotations can be applied to the entire class and/or to individual methods; a method-level annotation overrides the class-level one
  • The names of any security roles used must be declared via @DeclareRoles

Restricting a Method

Restrict the 'svnCommit' method to logged-in users who are in the "committer" role. Note that more than one role can be listed.

@Stateless
@DeclareRoles({"committer"})
public class OpenSourceProjectBean implements Project {

    @RolesAllowed({"committer"})
    public String svnCommit(String s) {
        return s;
    }
}

DeclareRoles

You need to update @DeclareRoles whenever your annotations reference additional roles.

@Stateless
@DeclareRoles({"committer", "contributor"})
public class OpenSourceProjectBean implements Project {

    @RolesAllowed({"committer"})
    public String svnCommit(String s) {
        return s;
    }

    @RolesAllowed({"contributor"})
    public String submitPatch(String s) {
        return s;
    }
}

Restricting all methods in a class

Allow only logged-in users in the "committer" role to invoke 'svnCommit', 'svnCheckout' and 'submitPatch'.

@Stateless
@DeclareRoles({"committer"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {

    public String svnCommit(String s) {
        return s;
    }

    public String svnCheckout(String s) {
        return s;
    }

    public String submitPatch(String s) {
        return s;
    }
}

Mixing class and method level restrictions

Allow only logged-in users in the "committer" role to invoke 'svnCommit' and 'svnCheckout'.

Allow only logged-in users in the "contributor" role to invoke 'submitPatch'. These rules do not stack, so annotating this method overrides the class-level default of "committer".

@Stateless
@DeclareRoles({"committer", "contributor"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {

    public String svnCommit(String s) {
        return s;
    }

    public String svnCheckout(String s) {
        return s;
    }

    @RolesAllowed({"contributor"})
    public String submitPatch(String s) {
        return s;
    }
}

PermitAll

Allow only logged-in users in the "committer" role to invoke 'svnCommit'.

Allow only logged-in users in the "contributor" role to invoke 'submitPatch'.

Allow anyone, logged in or not, to invoke 'svnCheckout'.

@Stateless
@DeclareRoles({"committer", "contributor"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {

    public String svnCommit(String s) {
        return s;
    }

    @PermitAll
    public String svnCheckout(String s) {
        return s;
    }

    @RolesAllowed({"contributor"})
    public String submitPatch(String s) {
        return s;
    }
}
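As an added example that is not part of this page or of the beans it describes, the following stand-alone Java program reads the same annotations via reflection and resolves the effective rule for each method of the bean above, applying the precedence described here (a method-level annotation overrides the class-level one, and an unannotated method is open to everyone) and flagging any role referenced by @RolesAllowed but missing from @DeclareRoles. The nested bean class, its extra 'deleteProject' method and the names EffectivePolicy, ruleOf and resolve are constructed for this example.

```java
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.util.*;

public class EffectivePolicy {
    // Sample bean, constructed for this example: the PermitAll section's bean plus one method that
    // references a role missing from @DeclareRoles. @Stateless and the interface are omitted.
    @DeclareRoles({"committer", "contributor"})
    @RolesAllowed({"committer"})
    public static class OpenSourceProjectBean {
        public String svnCommit(String s) { return s; }                                  // class rule: committer
        @PermitAll public String svnCheckout(String s) { return s; }                     // anyone, logged in or not
        @RolesAllowed({"contributor"}) public String submitPatch(String s) { return s; } // overrides, does not stack
        @RolesAllowed({"admin"}) public String deleteProject(String s) { return s; }     // "admin" is never declared
    }

    // The rule carried by one element (method or class): DenyAll, then PermitAll, then RolesAllowed.
    static String ruleOf(AnnotatedElement e) {
        if (e.isAnnotationPresent(DenyAll.class)) return "DENY_ALL";
        if (e.isAnnotationPresent(PermitAll.class)) return "PERMIT_ALL";
        RolesAllowed r = e.getAnnotation(RolesAllowed.class);
        return r == null ? null : "ROLES " + String.join(",", r.value());
    }

    // Effective rule per public method: a method-level annotation replaces the class-level one outright
    // (no stacking); with neither, the method is open to everyone. Roles not in @DeclareRoles are flagged.
    static Map<String, String> resolve(Class<?> bean) {
        DeclareRoles d = bean.getAnnotation(DeclareRoles.class);
        Set<String> declared = new HashSet<>(Arrays.asList(d == null ? new String[0] : d.value()));
        Map<String, String> rules = new TreeMap<>();
        for (Method m : bean.getDeclaredMethods()) {
            if (!java.lang.reflect.Modifier.isPublic(m.getModifiers())) continue;
            AnnotatedElement src = ruleOf(m) != null ? m : bean;   // method annotation wins outright
            String rule = ruleOf(src) != null ? ruleOf(src) : "PERMIT_ALL (unannotated default)";
            RolesAllowed r = src.getAnnotation(RolesAllowed.class);
            if (r != null) for (String role : r.value()) if (!declared.contains(role)) rule += " [" + role + " not in @DeclareRoles]";
            rules.put(m.getName(), rule);
        }
        return rules;
    }

    public static void main(String[] args) {
        resolve(OpenSourceProjectBean.class).forEach((m, r) -> System.out.println(m + " -> " + r));
    }
}
```

Running it against a real bean class from your deployment is a quick way to audit what the container will actually enforce before relying on a mixed class/method configuration.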

Example

Business Interface

public interface Project {

    public String svnCommit(String s);
    public String submitPatch(String s);
    public String svnCheckout(String s);
    public String deleteProject(String s);
    public boolean isCallerInRole(String s);
}

FooBean

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"committer", "contributor", "community"})
public class FooBean implements Project {

    @Resource
    private SessionContext context;

    @RolesAllowed({"committer"})
    public String svnCommit(String s) {
        return s;
    }

    @RolesAllowed({"committer", "contributor"})
    public String submitPatch(String s) {
        return s;
    }

    @PermitAll
    public String svnCheckout(String s) {
        return s;
    }

    @DenyAll  // no caller may invoke this method, whatever roles they hold
    public String deleteProject(String s) {
        return s;
    }

    public boolean isCallerInRole(String role){
        return context.isCallerInRole(role);
    }
}

BarBean

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@RunAs("contributor")  // calls this bean makes to other beans are made in the "contributor" role
@DeclareRoles({"committer", "contributor", "community"})
public class BarBean implements Project {

    @Resource
    private SessionContext context;

    @RolesAllowed({"committer"})
    public String svnCommit(String s) {
        return s;
    }

    @RolesAllowed({"committer", "contributor"})
    public String submitPatch(String s) {
        return s;
    }

    @PermitAll
    public String svnCheckout(String s) {
        return s;
    }

    @DenyAll
    public String deleteProject(String s) {
        return s;
    }

    @PermitAll
    public boolean isCallerInRole(String role){
        return context.isCallerInRole(role);
    }
}