Home > Articles > Programming > Java

EJB Security

  • Print
  • + Share This
Like this article? We recommend

Like this article? We recommend

Standard Declarative EJB Access Controls

Standard declarative EJB access-control mechanisms are defined as XML elements in a standard EJB deployment descriptor file. In addition to the <role-name> element, a <role-link> element may also be defined within an EJB's <security-role-ref> element. This element value is defined during EJB assembly to reference a role name specified by an individual (that is, the EJB assembler) cognizant of the security roles assumed by a particular deployment environment. Thus, an EJB assembler might modify the standard ejb-jar.xml file to map a programmatic role name identified by the <role-name> element to an assembly-specific role name identified by a <role-link> element.

As an example, our OrderManager deployment descriptor may be modified to incorporate an assembly-specific <role-link> element as follows:

<?xml version="1.0" encoding="UTF-8"?>
 ...
<ejb-jar>
  ...
 <enterprise-beans>
  <session>
    ...   
    <!-- Identifies a security role reference for this EJB.--> 
   <security-role-ref>

    <!-- Describes this security role. -->
    <description> Bean references admin role. </description>

    <!-- Identifies a logical role name that this EJB uses. -->
    <role-name>admin</role-name>

    <!-- Identifies a role to map to during assembly. -->
    <role-link>Administrator</role-link>

   </security-role-ref>
   
  </session>
  
 </enterprise-beans>
</ejb-jar>

The <role-link> element must refer to a <role-name> defined within a special <security-role> element defined by an EJB assembler in the standard ejb-jar.xml file. All logical security roles defined for a particular EJB module are identified by <security-role> elements that sit within an <assembly-descriptor> element, which is defined within the root <ejb-jar> element for an EJB module.

As an example, an EJB assembler would define a <security-role> element for the Administrator role linked by our OrderManager bean, as well as a RegisteredCustomer and UnregisteredCustomer role, as follows:

<?xml version="1.0" encoding="UTF-8"?>
 ...
<ejb-jar>
  ...
 <enterprise-beans>
  ...
 </enterprise-beans>

 <assembly-descriptor>
  <!-- Identifies those security roles defined for an EJB module.-->
  <security-role>
   <!-- Describes a security role. -->
   <description> Administrator role for bean. </description>
   <!-- Identifies a logical role name that this EJB module uses. -->
   <role-name>Administrator</role-name>
  </security-role>

  <!-- Identifies those security roles defined for an EJB module.-->
  <security-role>
   <!-- Describes a security role. -->
   <description> Registered customer role for bean. </description>
   <!-- Identifies a logical role name that this EJB module uses. -->
   <role-name>RegisteredCustomer</role-name>
  </security-role>

  <!-- Identifies those security roles defined for an EJB module.-->
  <security-role>
   <!-- Describes a security role. -->
   <description> Unregistered customer role for bean. </description>
   <!-- Identifies a logical role name that this EJB module uses. -->
   <role-name>UnregisteredCustomer</role-name>
  </security-role>
    ...
 </assembly-descriptor>

</ejb-jar>

Special deployment descriptor elements can also be defined to dictate security roles that can access particular methods on an EJB. Zero or more <method-permission> elements defined within an <assembly-descriptor> element are used to provide such role-to-method access-control mappings. A <method-permission> element can contain a <description> element, one or more <role-name> elements, and one or more <method> elements. The <role-name> elements simply contain role name values that have been defined in a <role-name> element contained by the <security-role> elements defined previously. The <method> element identifies particular EJB method(s) for which this access-control specification applies. A <method> element can contain the following elements:

  • <description>—The <description> element can optionally be used to describe the EJB method access-control mapping.

  • <ejb-name>—The <ejb-name> element identifies the EJB reference name to which this specification applies.

  • <method-intf>—The <method-intf> element optionally specifies whether the home or remote interface applies to this particular method specification. The values of Home and Remote are used. This element is useful when EJB home and remote interfaces have identical method names and you need to differentiate between the two types.

  • <method-name>—The <method-name> element identifies the EJB method(s) to which this mapping applies. A name may be used here to define a specific method name. Alternately, if an asterisk (*) is used, this particular mapping applies to all methods on the EJB.

  • <method-params>—The <method-params> element is used to specify fully qualified parameter types associated with an EJB method to which this mapping applies. The <method-params> element can contain zero or more <method-param> elements that are associated with fully qualified class type names. Providing the <method-params> element information uniquely identifies a particular EJB method according to its parameter types and overrides any generic specification either for a particular group of overloaded methods or for the whole EJB.

  • + Share This
  • 🔖 Save To Your Account