1   package info.ejava.examples.secureping.ejb;
2   
3   import javax.annotation.PostConstruct;
4   import javax.annotation.Resource;
5   import javax.annotation.security.DenyAll;
6   import javax.annotation.security.PermitAll;
7   import javax.annotation.security.RolesAllowed;
8   import javax.ejb.SessionContext;
9   import javax.ejb.Stateless;
10  
11  import org.slf4j.Logger;
12  import org.slf4j.LoggerFactory;
13  
14  /**
15   * This session bean provides several methods, each of which requires
16   * some type of role to be associated with the user in order to be
17   * invoked successfully.
18   */
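@Stateless(name="SecurePingEJB")
public class SecurePingEJB 
    implements SecurePingRemote, SecurePingLocal {
    private static final Logger logger = LoggerFactory.getLogger(SecurePingEJB.class);

    /** Container-injected context used to query the caller's principal and roles. */
    @Resource
    SessionContext ctx;

    /** Lifecycle callback; only records that a bean instance was created. */
    @PostConstruct
    public void init() {
        logger.debug("*** SecurePingEJB initializing ***");
    }

    /**
     * Builds a status string describing the caller as the container sees it:
     * the caller principal and whether the caller holds the "user", "admin"
     * and "internalRole" roles.
     *
     * @param prefix name of the business method being reported on
     * @return the status string; if the SessionContext cannot be queried the
     *         string ends with a generic error note and the exception is
     *         written to the log only
     */
    private String getInfo(String prefix) {
        StringBuilder text = new StringBuilder("called ").append(prefix);
        try {
            text.append(", principal=").append(ctx.getCallerPrincipal().getName());
            text.append(", isUser=").append(ctx.isCallerInRole("user"));
            text.append(", isAdmin=").append(ctx.isCallerInRole("admin"));
            text.append(", isInternalRole=").append(ctx.isCallerInRole("internalRole"));
        }
        catch (RuntimeException ex) {
            // Best-effort: keep returning a status string, but catch only
            // unchecked failures (not Throwable, which would also swallow Errors)
            // and do not echo exception details to the possibly-remote caller;
            // the full exception goes to the log.
            logger.debug("error calling session context:", ex);
            text.append(", error calling Session Context");
        }
        String result = text.toString();
        logger.debug(result);
        return result;
    }

    /**
     * Callable by anyone; the container imposes no role requirement.
     *
     * @return caller status string
     */
    @PermitAll
    public String pingAll() {
        return getInfo("pingAll");
    }

    /**
     * Callers of this method must have the "user" role.
     *
     * @return caller status string
     */
    @RolesAllowed({"user"})
    public String pingUser() {
        return getInfo("pingUser");
    }

    /**
     * Callers of this method must have the "admin" role.
     *
     * @return caller status string
     */
    @RolesAllowed({"admin"})
    public String pingAdmin() {
        return getInfo("pingAdmin");
    }

    /**
     * Rejected by the container for every caller; no one should reach the body.
     *
     * @return caller status string (only if the container fails to enforce the annotation)
     */
    @DenyAll
    public String pingExcluded() {
        return getInfo("pingExcluded");
    }

    /**
     * Lets the RMI test client ask whether the current caller holds a given
     * role. A method like this would normally back object-level access checks
     * inside an EJB.
     *
     * @param role role name to test; passed straight to the container
     * @return {@code true} if the container reports the caller in {@code role}
     */
    @PermitAll
    public boolean isCallerInRole(String role) {
        boolean result = ctx.isCallerInRole(role);
        // role is caller-supplied; parameterized logging defers message building
        logger.debug("user={}, isCallerInRole({})={}",
                ctx.getCallerPrincipal().getName(), role, result);
        return result;
    }

    /**
     * Reports the name of the caller principal as seen by the container.
     *
     * @return principal name from the SessionContext
     */
    @PermitAll
    public String getPrincipal() {
        String name = ctx.getCallerPrincipal().getName();
        logger.debug("getPrincipal(), name={}", name);
        return name;
    }
}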