This page shows the correct usage of the security-related annotations:
- javax.annotation.security.RolesAllowed
- javax.annotation.security.PermitAll
- javax.annotation.security.DenyAll
- javax.annotation.security.RunAs
- javax.annotation.security.DeclareRoles
Basic idea
- By default all methods of a business interface are accessible to any caller, logged in or not
- The annotations go on the bean class, not the business interface
- Security annotations can be applied to the entire class and/or to individual methods
- The name of every security role used in an annotation must be declared via @DeclareRoles
Restricting a Method
Restrict the svnCommit method to callers who are logged in and belong to the "committer" role. Note that more than one role can be listed.

```java
@Stateless
@DeclareRoles({"committer"})
public class OpenSourceProjectBean implements Project {

    // Only callers in the "committer" role may invoke this method
    @RolesAllowed({"committer"})
    public String svnCommit(String s) {
        return s;
    }
}
```
DeclareRoles
When your annotations reference additional roles, add those roles to @DeclareRoles as well.

```java
@Stateless
@DeclareRoles({"committer", "contributor"})
public class OpenSourceProjectBean implements Project {

    @RolesAllowed({"committer"})
    public String svnCommit(String s) {
        return s;
    }

    // "contributor" is used here, so it is listed in @DeclareRoles above
    @RolesAllowed({"contributor"})
    public String submitPatch(String s) {
        return s;
    }
}
```
Restricting all methods in a class
Placing @RolesAllowed on the bean class restricts every method that carries no security annotation of its own; a method-level annotation would override the class-level one.

```java
@Stateless
@DeclareRoles({"committer", "contributor"})
@RolesAllowed({"committer"})   // applies to every method of the class
public class OpenSourceProjectBean implements Project {

    public String svnCommit(String s) {
        return s;
    }

    public String submitPatch(String s) {
        return s;
    }
}
```
Example
Business Interface
```java
public interface Project {
    String svnCommit(String s);
    String submitPatch(String s);
    String svnCheckout(String s);
    String deleteProject(String s);
    boolean isCallerInRole(String s);
}
```
```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"committer", "contributor", "community"})
public class FooBean implements Project {

    @Resource
    private SessionContext context;

    // committers only
    @RolesAllowed({"committer"})
    public String svnCommit(String s) {
        return s;
    }

    // committers or contributors
    @RolesAllowed({"committer", "contributor"})
    public String submitPatch(String s) {
        return s;
    }

    // anyone, authenticated or not
    @PermitAll
    public String svnCheckout(String s) {
        return s;
    }

    // nobody, regardless of role
    @DenyAll
    public String deleteProject(String s) {
        return s;
    }

    // no annotation: accessible by default
    public boolean isCallerInRole(String role) {
        return context.isCallerInRole(role);
    }
}
```
```java
@Stateless
@RunAs("contributor")   // calls this bean makes to other beans carry the "contributor" role
@DeclareRoles({"committer", "contributor", "community"})
public class BarBean implements Project {

    @Resource
    private SessionContext context;

    @RolesAllowed({"committer"})
    public String svnCommit(String s) {
        return s;
    }

    @RolesAllowed({"committer", "contributor"})
    public String submitPatch(String s) {
        return s;
    }

    @PermitAll
    public String svnCheckout(String s) {
        return s;
    }

    @DenyAll
    public String deleteProject(String s) {
        return s;
    }

    @PermitAll
    public boolean isCallerInRole(String role) {
        return context.isCallerInRole(role);
    }
}
```
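As an added example (not part of this page or of OpenEJB's own code), the following stand-alone class applies the rules stated above by reflection: methods are accessible by default, a method-level annotation overrides a class-level one, @DenyAll wins, and every role named in @RolesAllowed must appear in @DeclareRoles. It assumes the Project interface and FooBean shown above are compiled alongside it and that javax.annotation.security is on the classpath.

```java
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical helper; mirrors the container's decision, it is not the container.
public class AccessRules {

    // True when a caller holding callerRoles may invoke method m of the bean class.
    static boolean isAllowed(Class<?> bean, Method m, Set<String> callerRoles) {
        if (m.isAnnotationPresent(DenyAll.class)) return false;      // DenyAll always wins
        if (m.isAnnotationPresent(PermitAll.class)) return true;
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        if (ra == null) {                                             // no method-level rule: use the class
            if (bean.isAnnotationPresent(PermitAll.class)) return true;
            ra = bean.getAnnotation(RolesAllowed.class);
        }
        if (ra == null) return true;                                  // default: accessible, logged in or not
        for (String role : ra.value()) if (callerRoles.contains(role)) return true;
        return false;
    }

    // Roles referenced by @RolesAllowed (class or method) but missing from @DeclareRoles.
    static Set<String> undeclaredRoles(Class<?> bean) {
        DeclareRoles dr = bean.getAnnotation(DeclareRoles.class);
        Set<String> declared = dr == null ? new HashSet<>() : new HashSet<>(Arrays.asList(dr.value()));
        Set<String> missing = new HashSet<>();
        RolesAllowed onClass = bean.getAnnotation(RolesAllowed.class);
        if (onClass != null) for (String r : onClass.value()) if (!declared.contains(r)) missing.add(r);
        for (Method m : bean.getMethods()) {
            RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
            if (ra != null) for (String r : ra.value()) if (!declared.contains(r)) missing.add(r);
        }
        return missing;
    }

    public static void main(String[] args) throws Exception {
        Class<?> bean = FooBean.class;                                // FooBean from the page above
        Set<String> contributor = new HashSet<>(Arrays.asList("contributor"));
        Set<String> anonymous = new HashSet<>();                      // not logged in: no roles
        for (Method m : Project.class.getMethods()) {
            Method impl = bean.getMethod(m.getName(), m.getParameterTypes());
            System.out.println(m.getName() + ": contributor=" + isAllowed(bean, impl, contributor)
                    + " anonymous=" + isAllowed(bean, impl, anonymous));
        }
        System.out.println("roles used but not declared: " + undeclaredRoles(bean));
    }
}
```

For FooBean the output shows svnCheckout and isCallerInRole open to both callers, submitPatch open only to the contributor, svnCommit and deleteProject closed to both, and no undeclared roles.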