Page Edited :
OPENEJB :
Security Annotations
Security Annotations has been edited by David Blevins (Sep 11, 2007). Content:
This page shows the correct usage of the security-related annotations:
Basic idea
Restricting a Method
Restrict the 'svnCommit' method to callers who are logged in and belong to the "committer" role. Note that more than one role can be listed; a caller then needs to be in only one of the listed roles.
@Stateless
// Role names used by this bean's security annotations are declared here.
@DeclareRoles({"committer"})
public class OpenSourceProjectBean implements Project {

    /**
     * Returns the argument unchanged.
     *
     * <p>Only an authenticated caller in the "committer" role may invoke this
     * method; the container rejects every other caller before the body runs.
     *
     * @param s value to echo back
     * @return {@code s}
     */
    @RolesAllowed({"committer"})
    public String svnCommit(String s) {
        return s;
    }
}
DeclareRoles
You need to update @DeclareRoles when referencing more roles in your annotations.
@Stateless
// Every role named in a @RolesAllowed below is listed in @DeclareRoles.
@DeclareRoles({"committer", "contributor"})
public class OpenSourceProjectBean implements Project {

    /**
     * Returns the argument unchanged; callable only by the "committer" role.
     *
     * @param s value to echo back
     * @return {@code s}
     */
    @RolesAllowed({"committer"})
    public String svnCommit(String s) {
        return s;
    }

    /**
     * Returns the argument unchanged; callable only by the "contributor" role.
     *
     * <p>The two methods are checked independently: being a "committer" does
     * not grant access here unless the caller is also a "contributor".
     *
     * @param s value to echo back
     * @return {@code s}
     */
    @RolesAllowed({"contributor"})
    public String submitPatch(String s) {
        return s;
    }
}
Restricting all methods in a class
Allow only logged-in users in the "committer" role to invoke 'svnCommit', 'svnCheckout' and 'submitPatch'.
@Stateless
// A class-level @RolesAllowed is the default for every method that carries no
// security annotation of its own, so all three methods require "committer".
@DeclareRoles({"committer"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {

    /**
     * Returns the argument unchanged; restricted by the class-level rule.
     *
     * @param s value to echo back
     * @return {@code s}
     */
    public String svnCommit(String s) {
        return s;
    }

    /**
     * Returns the argument unchanged; restricted by the class-level rule.
     *
     * @param s value to echo back
     * @return {@code s}
     */
    public String svnCheckout(String s) {
        return s;
    }

    /**
     * Returns the argument unchanged; restricted by the class-level rule.
     *
     * @param s value to echo back
     * @return {@code s}
     */
    public String submitPatch(String s) {
        return s;
    }
}
Mixing class and method level restrictions
Allow only logged-in users in the "committer" role to invoke 'svnCommit' and 'svnCheckout'. Allow only logged-in users in the "contributor" role to invoke 'submitPatch'. These rules do not stack: the method-level annotation replaces the class-level default of "committer" rather than adding to it, so a caller who is only a "committer" cannot invoke 'submitPatch'.
@Stateless
// Class-level default: "committer". A method-level annotation replaces this
// default for that method; the two role lists are not merged.
@DeclareRoles({"committer", "contributor"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {

    /**
     * Returns the argument unchanged; inherits the class-level "committer" rule.
     *
     * @param s value to echo back
     * @return {@code s}
     */
    public String svnCommit(String s) {
        return s;
    }

    /**
     * Returns the argument unchanged; inherits the class-level "committer" rule.
     *
     * @param s value to echo back
     * @return {@code s}
     */
    public String svnCheckout(String s) {
        return s;
    }

    /**
     * Returns the argument unchanged; callable only by the "contributor" role.
     *
     * <p>The annotation here overrides the class-level rule, so "committer"
     * alone is not sufficient to call this method.
     *
     * @param s value to echo back
     * @return {@code s}
     */
    @RolesAllowed({"contributor"})
    public String submitPatch(String s) {
        return s;
    }
}
PermitAll
Allow only logged-in users in the "committer" role to invoke 'svnCommit'. Allow only logged-in users in the "contributor" role to invoke 'submitPatch'. Allow anyone, logged in or not, to invoke 'svnCheckout'.
@Stateless
// Class-level default: "committer". Methods with their own security
// annotation (@PermitAll, @RolesAllowed) are governed by that annotation instead.
@DeclareRoles({"committer", "contributor"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {

    /**
     * Returns the argument unchanged; inherits the class-level "committer" rule.
     *
     * @param s value to echo back
     * @return {@code s}
     */
    public String svnCommit(String s) {
        return s;
    }

    /**
     * Returns the argument unchanged; open to every caller.
     *
     * <p>{@code @PermitAll} removes the class-level restriction for this method
     * only. Use it deliberately: the method is then reachable without any role.
     *
     * @param s value to echo back
     * @return {@code s}
     */
    @PermitAll
    public String svnCheckout(String s) {
        return s;
    }

    /**
     * Returns the argument unchanged; callable only by the "contributor" role.
     *
     * @param s value to echo back
     * @return {@code s}
     */
    @RolesAllowed({"contributor"})
    public String submitPatch(String s) {
        return s;
    }
}
Example
Business Interface
public static interface Project { public String svnCommit(String s); public String submitPatch(String s); public String svnCheckout(String s); public String deleteProject(String s); public boolean isCallerInRole(String s); }
@Stateless
// No class-level @RolesAllowed here: each method states its own rule.
// "community" is declared but not used by any @RolesAllowed in this class;
// it can still be queried through isCallerInRole.
@DeclareRoles({"committer", "contributor","community"})
public class FooBean implements Project {

    // Injected by the container; used to query the caller's roles at run time.
    @Resource
    private SessionContext context;

    /**
     * Returns the argument unchanged; callable only by the "committer" role.
     *
     * @param s value to echo back
     * @return {@code s}
     */
    @RolesAllowed({"committer"})
    public String svnCommit(String s) {
        return s;
    }

    /**
     * Returns the argument unchanged; callable by a caller in either the
     * "committer" or the "contributor" role.
     *
     * @param s value to echo back
     * @return {@code s}
     */
    @RolesAllowed({"committer", "contributor"})
    public String submitPatch(String s) {
        return s;
    }

    /**
     * Returns the argument unchanged; open to every caller.
     *
     * @param s value to echo back
     * @return {@code s}
     */
    @PermitAll
    public String svnCheckout(String s) {
        return s;
    }

    /**
     * Returns the argument unchanged, but {@code @DenyAll} means no caller,
     * whatever its roles, is allowed to invoke this method.
     *
     * @param s value to echo back
     * @return {@code s}
     */
    @DenyAll
    public String deleteProject(String s) {
        return s;
    }

    /**
     * Reports whether the current caller is in the given role, by delegating
     * to the injected {@link SessionContext}.
     *
     * <p>NOTE(review): this method has no security annotation and the class has
     * no default, so it is presumably left unrestricted; BarBean marks the same
     * method {@code @PermitAll} explicitly. Stating the intent avoids relying
     * on the container's default.
     *
     * @param role role name to test
     * @return the result of {@code context.isCallerInRole(role)}
     */
    public boolean isCallerInRole(String role){
        return context.isCallerInRole(role);
    }
}
/**
 * Same method-level rules as FooBean, plus {@code @RunAs("contributor")}.
 *
 * <p>{@code @RunAs} sets the role under which this bean calls other beans. It
 * does not change who may call this bean: the {@code @RolesAllowed},
 * {@code @PermitAll} and {@code @DenyAll} checks below still apply to the
 * incoming caller, and {@code isCallerInRole} still reports on that caller,
 * not on the run-as role.
 */
@Stateless
@RunAs("contributor")
@DeclareRoles({"committer", "contributor","community"})
public class BarBean implements Project {

    // Injected by the container; used to query the caller's roles at run time.
    @Resource
    private SessionContext context;

    /**
     * Returns the argument unchanged; callable only by the "committer" role.
     *
     * @param s value to echo back
     * @return {@code s}
     */
    @RolesAllowed({"committer"})
    public String svnCommit(String s) {
        return s;
    }

    /**
     * Returns the argument unchanged; callable by a caller in either the
     * "committer" or the "contributor" role.
     *
     * @param s value to echo back
     * @return {@code s}
     */
    @RolesAllowed({"committer", "contributor"})
    public String submitPatch(String s) {
        return s;
    }

    /**
     * Returns the argument unchanged; open to every caller.
     *
     * @param s value to echo back
     * @return {@code s}
     */
    @PermitAll
    public String svnCheckout(String s) {
        return s;
    }

    /**
     * Returns the argument unchanged, but {@code @DenyAll} means no caller,
     * whatever its roles, is allowed to invoke this method.
     *
     * @param s value to echo back
     * @return {@code s}
     */
    @DenyAll
    public String deleteProject(String s) {
        return s;
    }

    /**
     * Reports whether the current caller is in the given role, by delegating
     * to the injected {@link SessionContext}. Explicitly open to every caller.
     *
     * @param role role name to test
     * @return the result of {@code context.isCallerInRole(role)}
     */
    @PermitAll
    public boolean isCallerInRole(String role){
        return context.isCallerInRole(role);
    }
}
