1   package info.ejava.examples.secureping.ejb;
2   
3   import javax.annotation.PostConstruct;
4   import javax.annotation.Resource;
5   import javax.annotation.security.DenyAll;
6   import javax.annotation.security.PermitAll;
7   import javax.annotation.security.RolesAllowed;
8   import javax.ejb.SessionContext;
9   import javax.ejb.Stateless;
10  
11  import org.slf4j.Logger;
12  import org.slf4j.LoggerFactory;
13  
14  /**
15   * This session bean provides several methods, each of which requires
16   * some type of role to be associated with the caller in order to be
17   * invoked successfully.
18   */
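@Stateless(name="SecurePingEJB")
public class SecurePingEJB 
    implements SecurePingRemote, SecurePingLocal {
    private static final Logger logger = LoggerFactory.getLogger(SecurePingEJB.class);

    /** Container-injected context; the only source of caller identity and role checks in this bean. */
    @Resource
    SessionContext ctx;

    /** Logs bean construction once the container has finished injecting resources. */
    @PostConstruct
    public void init() {
        logger.debug("*** SecurePingEJB initializing ***");
    }

    /**
     * Builds a status string describing the caller as the container sees it:
     * the caller principal and whether it holds the "user", "admin" and
     * "internalRole" roles.
     *
     * @param prefix name of the calling method, echoed at the start of the text
     * @return the assembled status string, which is also written to the debug log
     */
    private String getInfo(String prefix) {
        StringBuilder text = new StringBuilder("called ").append(prefix);
        try {
            text.append(", principal=").append(ctx.getCallerPrincipal().getName());
            text.append(", isUser=").append(ctx.isCallerInRole("user"));
            text.append(", isAdmin=").append(ctx.isCallerInRole("admin"));
            text.append(", isInternalRole=").append(ctx.isCallerInRole("internalRole"));
        }
        catch (RuntimeException ex) {
            // Catch RuntimeException rather than Throwable: a failing context call
            // is best-effort here, but Errors (e.g. OutOfMemoryError) must not be
            // turned into a status string.
            logger.debug("error calling session context:", ex);
            // NOTE(review): the exception's text is returned to the caller; kept for
            // existing callers that inspect the status string, but a production bean
            // would return a generic marker and keep the detail in the log.
            text.append(", error calling Session Context:").append(ex);
        }
        String result = text.toString();
        logger.debug(result);
        return result;
    }

    /**
     * Permitted to be called by anyone, including unauthenticated callers.
     *
     * @return the caller status string from {@link #getInfo(String)}
     */
    @PermitAll
    public String pingAll() {
        return getInfo("pingAll");
    }

    /**
     * Callers of this method must have the "user" role.
     *
     * @return the caller status string from {@link #getInfo(String)}
     */
    @RolesAllowed({"user"})
    public String pingUser() {
        return getInfo("pingUser");
    }

    /**
     * Callers of this method must have the "admin" role.
     *
     * @return the caller status string from {@link #getInfo(String)}
     */
    @RolesAllowed({"admin"})
    public String pingAdmin() {
        return getInfo("pingAdmin");
    }

    /**
     * No one is allowed to call this method; the container rejects every
     * invocation before the body runs.
     *
     * @return the caller status string, if the container ever lets the call through
     */
    @DenyAll
    public String pingExcluded() {
        return getInfo("pingExcluded");
    }

    /**
     * Lets the RMI test check whether the current subject has a specific role.
     * This type of method would normally be used within an EJB to perform
     * object-level access control.
     *
     * @param role role name passed straight through to the container's check
     * @return whether the container reports the caller as holding {@code role}
     */
    @PermitAll
    public boolean isCallerInRole(String role) {
        boolean result = ctx.isCallerInRole(role);
        logger.debug("user={}, isCallerInRole({})={}", ctx.getCallerPrincipal().getName(), role, result);
        return result;
    }

    /**
     * Reports the name of the caller principal as the container sees it.
     *
     * @return the caller principal's name
     */
    @PermitAll
    public String whoAmI() {
        String name = ctx.getCallerPrincipal().getName();
        logger.debug("whoAmI()={}", name);
        return name;
    }
}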
105 }