Enterprise Java Development
EJB access restrictions
Declarative
Programmatic
EJB assignment to Security Domain
Server definition of Security Domain
Server Security Domain authentication and authorization
Figure 112.1. Declarative EJB Access Control: Annotations
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless(name="SecurePingEJB")
public class SecurePingEJB implements SecurePingRemote, SecurePingLocal {
    ...
    @PermitAll                 // any caller, authenticated or not
    public String pingAll() {
        return getInfo("pingAll");
    }
    @RolesAllowed({"user"})    // caller must hold the "user" role
    public String pingUser() {
        return getInfo("pingUser");
    }
    @RolesAllowed({"admin"})   // caller must hold the "admin" role
    public String pingAdmin() {
        return getInfo("pingAdmin");
    }
    @DenyAll                   // no caller may invoke this method through the container
    public String pingExcluded() {
        return getInfo("pingExcluded");
    }
}
javax.annotation.security annotations declare which caller roles may invoke each EJB method; the container checks them before the method body runs
role can be a literal security role or a logical name mapped to one (see Role Mapping below)
a method with no annotation, in a class with no class-level annotation, is unchecked: any caller may invoke it
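The figure above annotates every method individually. The following is an added example (not code from the page) showing the other common layout, a class-level default with per-method overrides, and the failure mode of a class with no class-level annotation at all. ReportEJB, LeakyEJB and their methods are hypothetical names.

```java
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

// Class-level annotation sets the default for every method that carries
// no annotation of its own; a method-level annotation always wins.
@Stateless(name = "ReportEJB")          // hypothetical bean
@RolesAllowed({"user"})                 // default: caller must hold "user"
public class ReportEJB {

    // no annotation here, so the class-level rule applies: "user" required
    public String viewReport(long id) {
        return "report " + id;
    }

    // override: open this single method to any caller, authenticated or not
    @PermitAll
    public String version() {
        return "1.0";
    }

    // override: tighten this method to "admin" only
    @RolesAllowed({"admin"})
    public void purgeReports() {
        // ...
    }

    // override: no caller may reach this through the container at all
    @DenyAll
    public void internalRebuild() {
        // ...
    }
}

// Contrast: with NO class-level annotation, an unannotated method is
// unchecked, i.e. callable by anyone. Forgetting one annotation is enough
// to expose a method, so a restrictive class-level default is the safer habit.
@Stateless(name = "LeakyEJB")           // hypothetical bean
class LeakyEJB {
    public String everyoneCanCallThis() {   // no annotation => permitted to all
        return "unchecked";
    }
}
```

When reviewing a bean, read the class-level annotation first, then look for methods that override it; a method that is neither annotated nor covered by a class-level rule is the one to flag.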
Figure 112.2. Declarative EJB Access Control: ejb-jar.xml
<assembly-descriptor>
...
<method-permission>
<unchecked/>
<method>
<ejb-name>SecurePingEJB</ejb-name>
<method-name>pingAll</method-name>
</method>
</method-permission>
<method-permission>
<role-name>admin</role-name>
<method>
<ejb-name>SecurePingEJB</ejb-name>
<method-name>pingAdmin</method-name>
</method>
</method-permission>
<method-permission>
<role-name>user</role-name>
<method>
<ejb-name>SecurePingEJB</ejb-name>
<method-name>pingUser</method-name>
</method>
</method-permission>
<method-permission>
<excluded/>
<method>
<ejb-name>SecurePingEJB</ejb-name>
<method-name>pingExcluded</method-name>
</method>
</method-permission>
</assembly-descriptor>
Access restrictions can also be defined in the ejb-jar.xml deployment descriptor: <unchecked/> corresponds to @PermitAll and <excluded/> to @DenyAll; descriptor entries override conflicting annotations
Figure 112.3. Programmatic Role Check
@Resource
SessionContext ctx;

public String ping(String role) {
    // reject the call unless the caller holds the (possibly mapped) role
    if (!ctx.isCallerInRole(role)) {
        throw new EJBAccessException("caller does not hold role " + role);
    }
    return getInfo("ping");
}
Permits the method itself to decide when (and against which role) access is checked, e.g. only for certain arguments; the role name passed to isCallerInRole is resolved through the security-role-ref mapping when one is declared
Figure 112.4. Programmatic Property Check
@Resource
SessionContext ctx;

@RolesAllowed({"admin"})
public String updateGreeting(String greeting) {
    String login = ctx.getCallerPrincipal().getName();
    Office office = getOfficeByAdmin(login);   // null when the caller administers no office
    if (office == null) {
        // holding "admin" is not enough; the caller must own the resource
        throw new EJBAccessException("caller is not admin of an office");
    }
    office.setGreeting(greeting);
    return office.getGreeting();
}
Permits finer-grained access control down to the object level
Caller is not only required to hold the "admin" role (checked by the container); the method additionally verifies they administer the specific resource, since the role alone says nothing about which office
Role Mapping
Permits a role name used within Java code to be mapped to a security role of the application
No annotation for this. Must use a security-role-ref in the deployment descriptor, or change the role names referenced in the code to match the real security roles
<enterprise-beans>
<session>
<ejb-name>SecurePingEJB</ejb-name>
<security-role-ref>
<description>role-name checked within EJB</description>
<role-name>internalRole</role-name>
<role-link>admin</role-link>
</security-role-ref>
</session>
</enterprise-beans>
<assembly-descriptor>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>user</role-name>
</security-role>
</assembly-descriptor>
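The three figures above (programmatic role check, object-level property check, and role mapping) fit together in one method. The following is an added example, not code from the page: it assumes a hypothetical bean OfficeAdminEJB whose deployment descriptor carries the same security-role-ref as above (internalRole linked to admin) under its own ejb-name, plus hypothetical Office and OfficeRepository types.

```java
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.inject.Inject;

@Stateless(name = "OfficeAdminEJB")     // hypothetical; security-role-ref goes under this ejb-name
public class OfficeAdminEJB {

    @Resource
    private SessionContext ctx;

    @Inject                             // hypothetical CDI bean standing in for a JPA query
    private OfficeRepository offices;

    // Gate 1: coarse-grained, enforced by the container before the body runs.
    @RolesAllowed({"user"})
    public void updateGreeting(long officeId, String greeting) {
        // Gate 2: "internalRole" is the name used in code; the descriptor's
        // security-role-ref links it to the real security role "admin".
        if (!ctx.isCallerInRole("internalRole")) {
            throw new EJBAccessException("caller is not an administrator");
        }

        // Gate 3: object level. Being an admin is not enough; the caller must
        // administer THIS office. Look the office up by the id the caller asked
        // for, then compare owners, so a caller cannot reach another office by id.
        String login = ctx.getCallerPrincipal().getName();
        Office office = offices.findById(officeId);
        if (office == null || !login.equals(office.getAdminLogin())) {
            // same exception for "missing" and "not yours": reveal neither
            throw new EJBAccessException("not admin of office " + officeId);
        }
        office.setGreeting(greeting);
    }
}

// Hypothetical domain types, just enough to compile.
class Office {
    private final long id;
    private final String adminLogin;
    private String greeting;
    Office(long id, String adminLogin) { this.id = id; this.adminLogin = adminLogin; }
    long getId() { return id; }
    String getAdminLogin() { return adminLogin; }
    void setGreeting(String g) { greeting = g; }
    String getGreeting() { return greeting; }
}

interface OfficeRepository {
    Office findById(long id);
}
```

The ordering matters: the annotation rejects most unauthorized callers cheaply, the mapped role keeps the code independent of the deployer's role names, and the ownership comparison is the only gate that knows which object the caller is touching.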
<?xml version="1.0"?>
<jboss:ejb-jar
xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
xmlns:sec="urn:security"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd
http://java.sun.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-spec-2_0.xsd
urn:security urn:security"
version="3.1"
impl-version="2.0">
<assembly-descriptor>
<sec:security>
<ejb-name>*</ejb-name>
<sec:security-domain>other</sec:security-domain>
<sec:run-as-principal/>
</sec:security>
</assembly-descriptor>
</jboss:ejb-jar>
security element assigns security properties to one or more EJBs; ejb-name * matches every bean in the module
security-domain assigns the EJBs to a specific security-domain defined on the server; that domain's login modules authenticate the caller and supply the roles the checks above are made against
"other" is the default security-domain, used when a bean is assigned none
run-as-principal defines the principal name that EJB calls made by the bean are executed with (paired with a run-as role)
without a run-as principal, calls are authorized based on the caller's own identity, which is the default
</gre_replace_placeholder>
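The run-as identity changes who the downstream bean sees, and therefore what it authorizes. The following is an added example (not code from the page) of a bean that calls the page's SecurePingLocal under a run-as role; SchedulerEJB, its method and the "scheduler" role are hypothetical. It assumes the standard javax.annotation.security.RunAs annotation; on JBoss the descriptor's run-as-principal supplies the principal name that accompanies that role.

```java
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Stateless;

@Stateless(name = "SchedulerEJB")   // hypothetical bean
@RunAs("admin")                      // outbound EJB calls carry the "admin" role ...
public class SchedulerEJB {

    @EJB
    private SecurePingLocal securePing;   // the page's bean, which restricts pingAdmin() to "admin"

    // ... so this method reaches pingAdmin() no matter who called SchedulerEJB.
    // Whoever can invoke runNightlyPing() effectively holds "admin" for that
    // call, so the restriction on THIS method is the real access control.
    @RolesAllowed({"scheduler"})         // hypothetical role; keep this tight
    public String runNightlyPing() {
        return securePing.pingAdmin();   // authorized by the run-as role, not the caller's roles
    }

    // Anti-pattern: an open entry point on a @RunAs bean hands the run-as role to
    // every caller. Shown only to make the escalation visible; do not deploy it.
    @PermitAll
    public String anyoneBecomesAdmin() {
        return securePing.pingAdmin();   // succeeds even for an anonymous caller
    }
}
```

Inside pingAdmin(), getCallerPrincipal() returns the run-as principal (the name configured in the descriptor), not the original caller, so audit logging in a called bean should not assume it sees the end user.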