
EJB Security

EJB Container Provided Security

Note that only session beans can be secured with Java EE security services.

Define roles within the system:

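import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

// Role names shared across the application
public interface Roles {
    String ADMIN = "Administrator";
    String USER = "User";
}

@Stateless
@DeclareRoles({Roles.ADMIN, Roles.USER})
@RolesAllowed({})  // class-level default with no roles listed
public class MyClass implements MyClassLocal {
    private void methodThatNobodyCanCall() { /* ... */ }

    @RolesAllowed({Roles.ADMIN})  // method-level annotation overrides the class-level one
    public void methodThatAdminsCanCall() { /* ... */ }
}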

The following annotation allows all users, including unauthenticated anonymous users, to access the class or method it is applied to:

@PermitAll

If the user does not have the appropriate permissions, a javax.ejb.EJBAccessException is raised.

Get username of session invoker

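@Resource
private SessionContext context;  // javax.ejb.SessionContext, injected by the container

// Inside a business method, after injection has taken place:
final String callerName = context.getCallerPrincipal().getName();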


Impersonate (run as another user)

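// Outgoing calls made by this bean carry the ADMIN role;
// @PermitAll leaves the bean's own methods open to every caller.
@RunAs(Roles.ADMIN)
@PermitAll
public class OpenClass implements OpenClassLocal, OpenClassRemote { /* ... */ }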
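
A narrower way to use @RunAs than pairing it with @PermitAll, given here as an added example that is not from the original page: the facade requires an authenticated caller, exposes one operation, and records who asked for it. AccountAdminLocal, AccountAdminBean, SelfServiceBean and their methods are hypothetical names; each public type belongs in its own source file, as the comment markers indicate.

```java
// ---- Roles.java (as defined on this page) ----
public interface Roles {
    String ADMIN = "Administrator";
    String USER = "User";
}

// ---- AccountAdminLocal.java (hypothetical admin-only service) ----
@javax.ejb.Local
public interface AccountAdminLocal {
    void resetPassword(String username);
}

// ---- AccountAdminBean.java ----
@javax.ejb.Stateless
@javax.annotation.security.RolesAllowed(Roles.ADMIN) // direct callers must be admins
public class AccountAdminBean implements AccountAdminLocal {
    public void resetPassword(String username) { /* privileged work goes here */ }
}

// ---- SelfServiceBean.java (no-interface view, EJB 3.1+) ----
import java.util.logging.Logger;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({Roles.ADMIN, Roles.USER})
@RunAs(Roles.ADMIN)          // outgoing calls from this bean carry the ADMIN role
@RolesAllowed(Roles.USER)    // unlike @PermitAll, anonymous callers are rejected
public class SelfServiceBean {
    private static final Logger LOG = Logger.getLogger(SelfServiceBean.class.getName());
    @Resource
    private SessionContext context;
    @EJB
    private AccountAdminLocal accountAdmin;

    // The only privileged operation exposed: reset the caller's own password.
    public void resetOwnPassword() {
        // Returns the original caller's principal, not the run-as identity.
        String caller = context.getCallerPrincipal().getName();
        LOG.info("password reset requested by " + caller);
        accountAdmin.resetPassword(caller); // permitted because of @RunAs
    }
}
```

The container has to map the run-as role to a principal, and how that mapping is configured is vendor-specific.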




