- Open the EJB application file.
  This file can be an EJB .jar file or an application .ear file that contains one or more EJB modules. To open the EJB application file, click File > Open, browse to the file and select it.
- Create security roles.
  You can create security roles at the application level or at the EJB module level. If you create a security role at the EJB module level, the role also displays at the application level. If you create a security role at the application level, the role does not appear in all the EJB modules; instead, you can copy a role created at the application level and paste it into one or more EJB modules:
  - Create a role at the application level by right-clicking Security Roles under the application folder. Click New. Type the role name. If the role created for the application is required for an EJB module, select that role under the application, copy it, right-click Security Roles under the EJB module and click Paste.
  - To create a role at the EJB module level, open the corresponding EJB module folder. Right-click Security Roles under the EJB module and click New. Type the role name.
- Create method permissions.
  A method permission is a mapping of one or more methods to a set of roles. An enterprise bean has four types of methods: Home methods, Remote methods, LocalHome methods and Local methods.
  - To create a new method permission in an EJB module, open the EJB module folder. Right-click MethodPermissions and click New. A new panel displays.
  - Type the method permission name and description.
  - Add methods by clicking Add under Methods. Browse and select the required methods. An asterisk (*) indicates all methods.
  - Add the required roles for the methods by clicking Add under Roles. Browse and click the required roles. If a set of methods needs to be unprotected, select the check box. Click OK when done.
- Exclude user access to methods.
  Users cannot access excluded methods. Any method in the enterprise beans that is neither assigned to a role nor excluded is deselected during the application installation by the deployer.
  - Exclude one or more methods by right-clicking Exclude List under the EJB module folder. Click New. A new panel displays.
  - Type a description explaining why these methods are excluded.
  - Add methods to exclude by clicking Add. Browse and click the methods to exclude. Click OK when done.
- Map security-role-ref and role-name to role-link.
  During the development of enterprise beans, you can create the security-role-ref element using development tools such as WebSphere Studio Application Developer. The security-role-ref element contains only the role-name field. The role-name field determines whether the caller is in a specified role (isCallerInRole()) and contains the name of the role that is referenced in the code. Because you create security roles during the assembly stage, the developer uses a logical role name in the role-name field and provides enough information in the description field for the assembler to map it to the actual role (role-link). The security-role-ref element is located at the EJB level. Enterprise beans can have zero or more security-role-ref elements.
  - Open the required EJB folder and click Security Role References to map role-name to role-link for a security-role-ref element.
  - Click each role-name in the right navigation panel and select the role that you intend to map to that role-name from the Link list.
  - If you did not create the security-role-ref element during development, right-click Security Role References and click New. A new panel displays.
  - Enter the role-name in the Name field and set the role-link in the Link field by selecting the proper role from the list. You can also add a suitable description in the Description field.
  - Map every role-name used during development to a role (role-link) using the previous steps.
- Specify the RunAs Identity for enterprise bean components.
  The RunAs Identity of an enterprise bean is used to invoke the next enterprise beans in the chain of EJB invocations. When the next enterprise beans are invoked, the RunAs Identity is passed to them and is used for the authorization check on the next enterprise bean. If no RunAs Identity is specified, the client identity is propagated to the next enterprise bean. The RunAs Identity can be set for a whole enterprise bean or for each method of the enterprise bean.
  - Set the RunAs Identity for the enterprise bean component by clicking the enterprise bean. Click the Security tab in the right navigation panel.
  - Select the Security Identity check box.
  - Click Run-As mode from the list.
  - If UseSpecifiedId is selected, click the role name from the list. Click Apply when done.
  - Set the RunAs Identity at the method level by opening the EJB folder. Click Method Extensions.
  - Select the Advanced tab in the right navigation panel.
  - Select the required methods from the top of the panel and select the Security Identity check box. Click Run-As Mode. Selecting System Identity means that the invocation is done using the WebSphere Application Server security server ID. Use this ID with caution because it has more privileges.
  - If the specified identity is selected, click the Role Name from the list.
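The steps above all end up as elements in the module's ejb-jar.xml (security-role, method-permission, exclude-list, security-role-ref with role-link, and security-identity with run-as). As an added check that is not part of the original procedure or of the assembly tool, the following Python script parses a constructed sample descriptor and reports the assembly mistakes the steps warn about: a role-name with no valid role-link, a run-as role that is not a declared security-role, and bean methods that are neither assigned to a role nor placed in the exclude list. The sample descriptor and the per-bean method list are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample ejb-jar.xml for this example (not taken from any real application).
EJB_JAR_XML = """<ejb-jar><enterprise-beans><session>
 <ejb-name>AccountBean</ejb-name>
 <security-role-ref><role-name>mgr</role-name><role-link>Manager</role-link></security-role-ref>
 <security-role-ref><role-name>auditor</role-name></security-role-ref>
 <security-identity><run-as><role-name>Manager</role-name></run-as></security-identity>
</session></enterprise-beans><assembly-descriptor>
 <security-role><role-name>Manager</role-name></security-role>
 <security-role><role-name>Teller</role-name></security-role>
 <method-permission><role-name>Teller</role-name>
  <method><ejb-name>AccountBean</ejb-name><method-name>getBalance</method-name></method>
 </method-permission>
 <exclude-list>
  <method><ejb-name>AccountBean</ejb-name><method-name>closeAccount</method-name></method>
 </exclude-list>
</assembly-descriptor></ejb-jar>"""

# Methods each bean exposes (hypothetical list; in practice read from the bean's interfaces).
BEAN_METHODS = {"AccountBean": {"getBalance", "transfer", "closeAccount"}}


def audit_descriptor(xml_text, bean_methods):
    """Return sorted findings: role-names without a declared role-link, undeclared
    run-as roles, and methods neither assigned to a role nor placed in the exclude list."""
    root = ET.fromstring(xml_text)
    declared = {r.findtext("role-name") for r in root.iter("security-role")}
    findings = []
    for bean in root.find("enterprise-beans"):
        name = bean.findtext("ejb-name")
        for ref in bean.iter("security-role-ref"):
            if ref.findtext("role-link") not in declared:
                findings.append(f"{name}: role-name {ref.findtext('role-name')!r} has no valid role-link")
        run_as = bean.findtext("security-identity/run-as/role-name")
        if run_as is not None and run_as not in declared:
            findings.append(f"{name}: run-as role {run_as!r} is not a declared security-role")
    # Collect every method that has a method-permission or exclude-list entry.
    covered = {}
    for elem in list(root.iter("method-permission")) + list(root.iter("exclude-list")):
        for m in elem.iter("method"):
            covered.setdefault(m.findtext("ejb-name"), set()).add(m.findtext("method-name"))
    for name, methods in sorted(bean_methods.items()):
        done = covered.get(name, set())
        if "*" in done:  # an asterisk entry covers all methods of that bean
            continue
        for meth in sorted(methods - done):
            findings.append(f"{name}.{meth}: no method-permission or exclude-list entry")
    return sorted(findings)
```

Running audit_descriptor(EJB_JAR_XML, BEAN_METHODS) on the sample flags the unmapped auditor role-name and the unassigned transfer method, which are exactly the items the assembler must resolve before the deployer installs the application.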