- Open the EJB application file. This file can be an EJB .jar file
or an application .ear file that contains one or more EJB modules.
In the Assembly Toolkit, open a deployment descriptor editor on the
EJB application file. In a J2EE Hierarchy view, right-click the file and click Open
With > Deployment Descriptor Editor.
If you selected
an EJB .jar file, an EJB deployment descriptor editor opens. If you
selected an application .ear file, an application deployment descriptor
editor opens. To see online information about the editor, press F1 and click
the editor name.
- Create security roles. You can create security roles at the application
level or at the EJB module level. A role created at the EJB module level is
also displayed at the application level. A role created at the application
level does not automatically appear in the EJB modules; to use it in a module,
copy the role from the application level and paste it into each EJB module
that needs it:
- Create a role at an EJB module level. In an EJB deployment descriptor
editor, select the Assembly Descriptor tab. Under Security Roles,
click Add. In the Add Security Role wizard, name and describe the security
role; then click Finish.
- Create a role at the application level. In an application deployment
descriptor editor, select the Security tab. Under the list of security
roles, click Add. In the Add Security Role wizard, name and describe
the security role; then click Finish.
- Create method permissions. Method permissions map one or more methods
to a set of roles. An enterprise bean has four types of methods: Home methods,
Remote methods, LocalHome methods and Local methods.
You can add
permissions to enterprise beans at the method level. You cannot add a method
permission to an enterprise bean until at least one security role is defined.
For version 2.0 EJB projects, the wizard also offers an unchecked
option, which marks the selected methods of the selected beans as requiring
no authorization to execute. Any caller that can reach the bean can then invoke
an unchecked method, so use this option only for methods that are meant to be
callable by everyone. To add a method permission to an enterprise bean:
- On the Assembly Descriptor tab of an EJB deployment descriptor
editor, under Method Permissions, click Add. The Add Method
Permission wizard opens.
- Select a security role from the list of roles found and click Next.
- Select one or more enterprise beans from the list of beans found.
You can click Select All or Deselect All to select or deselect
all of the enterprise beans in the list. Click Next.
- Select the methods that you want to bind to your security role.
The Method Elements page lists all methods of the selected enterprise
bean(s). You can click Apply to All or Deselect All to quickly select or
clear multiple methods; Apply to All selects only the * method for each bean.
The * method stands for all methods within the bean, and each interface (Home,
Remote, LocalHome, Local) also has its own * entry. A method permission for
an exact method signature overrides the default (*) method permission, so by
leaving individual methods unselected in the tree you can assign different
permissions to those methods later.
- Click Finish.
After the method permission is created, you can see the new method permission
in the tree. Expand the tree to see the bean and methods defined in the method
permission.
- Exclude user access to methods.
No user can invoke an excluded method, whatever roles the user holds. Any
method of an enterprise bean that is neither assigned to a role, nor excluded,
nor marked unchecked is unprotected; the deployer must decide how to handle
such methods during application installation, for example by excluding them,
marking them unchecked, or assigning them to a role.
- On the Assembly Descriptor tab of an EJB deployment descriptor
editor, under Excludes List, click Add. The Exclude List wizard
opens.
- Select one or more enterprise beans from the list of beans found
and click Next.
- Select one or more of the method elements to exclude and click Finish.
- Map security-role-ref and role-name to role-link.
When developing enterprise beans, you can create security-role-ref elements.
At development time a security-role-ref carries a role-name field (plus a
description): role-name is the name the bean code passes to isCallerInRole()
to test whether the caller is in that role. Because the actual security roles
are created during the assembly stage, the developer uses a logical role name
in the role-name field and provides enough information in the description
field for the assembler to map it to an actual role with the role-link field.
Security-role-ref elements are defined per enterprise bean; a bean can have
zero or more of them, and the assembler must link every one, otherwise the
isCallerInRole() check in the code has no real role to resolve against.
- On the References tab of an EJB deployment descriptor
editor, under the list of references, click Add. The Add Reference
wizard opens.
- Select Security role reference and click Next.
- Name the security role reference, select a security role to
link the reference to, describe the security role reference, and click Finish.
- Map every role-name used during development to the role (role-link)
using the previous steps.
- Specify the RunAs Identity for enterprise bean components.
The RunAs Identity of an enterprise bean is the identity it uses when it
invokes the next enterprise bean in a chain of EJB invocations; that downstream
bean performs its authorization check against the RunAs Identity rather than
against the original caller. If no RunAs Identity is specified, the caller's
identity is propagated to the next enterprise bean. The RunAs Identity can be
set for a whole enterprise bean or for individual methods of the bean.
- On the Access tab of an EJB deployment descriptor editor,
under Security Identity (Bean Level), click Add. The Add Security
Identity wizard opens.
- Select the run as mode, describe the security identity, and
click Next. Select Use identity of caller to instruct the security service
to make no changes to the principal's credentials. Select Use identity
assigned to specific role (below) to run the bean's methods as a principal
that has been granted the specified security role. That association is part of
the application binding, where the role is mapped to the user ID and password
of a user who is granted that role. If you select Use identity assigned to
specific role (below), you must specify a role name and role description.
Because every downstream call then runs with that role rather than the
caller's, choose a role that carries only the permissions the bean needs.
- Select one or more enterprise beans from the list of beans found
and click Next. If Next is unavailable, click Finish.
- (Optional)
On the Method Elements page, select one
or more of the method elements for the security identity and click Finish.
- Close the deployment descriptor editor and, when prompted, click Yes to
save the changes.
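As an added example that is not part of the original page or of the Assembly Toolkit, the following Python script parses an ejb-jar.xml of the kind these steps produce and audits it for the gaps the steps warn about: methods left without any permission (which the deployer is otherwise forced to decide on at install time), security-role-ref elements that were never mapped to a role-link, and a run-as role that is not a declared security role. It also resolves each method the way the container does, showing the precedence rule from the method-permission step (an exact method signature overriding the * entry, and the exclude list overriding both). The descriptor, the bean name AccountBean, its method inventory and the role names are all constructed for the example, not taken from the page.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor of the kind the steps above produce; bean, method and
# role names are assumptions for this example, not from the original page.
EJB_JAR_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>AccountBean</ejb-name>
      <security-role-ref><role-name>auditor</role-name><role-link>Auditor</role-link></security-role-ref>
      <security-role-ref><role-name>approver</role-name></security-role-ref>  <!-- never linked -->
      <security-identity><run-as><role-name>SystemAccount</role-name></run-as></security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>Teller</role-name></security-role>
    <security-role><role-name>Auditor</role-name></security-role>
    <method-permission><role-name>Teller</role-name>   <!-- the Remote '*' entry -->
      <method><ejb-name>AccountBean</ejb-name><method-intf>Remote</method-intf><method-name>*</method-name></method>
    </method-permission>
    <method-permission><unchecked/>                     <!-- exact signature overrides '*' -->
      <method><ejb-name>AccountBean</ejb-name><method-name>getBalance</method-name></method>
    </method-permission>
    <exclude-list><method><ejb-name>AccountBean</ejb-name><method-name>closeAccount</method-name></method></exclude-list>
  </assembly-descriptor>
</ejb-jar>
"""

# Constructed inventory of the bean's methods: the Assembly Toolkit reads these
# from the bean interfaces, the descriptor itself never lists them.
BEAN_METHODS = {"AccountBean": [("Home", "create"), ("Remote", "getBalance"),
                                ("Remote", "withdraw"), ("Remote", "closeAccount")]}

def _specs(elem):
    """(ejb-name, method-intf or None, method-name) for each <method> child."""
    return [] if elem is None else [
        (m.findtext("ejb-name"), m.findtext("method-intf"), m.findtext("method-name"))
        for m in elem.findall("method")]

def parse_descriptor(xml_text):
    root = ET.fromstring(xml_text)
    ad = root.find("assembly-descriptor")
    desc = {"roles": {r.findtext("role-name") for r in ad.findall("security-role")},
            "permissions": [], "excluded": _specs(ad.find("exclude-list")), "beans": {}}
    for mp in ad.findall("method-permission"):   # roles None means <unchecked/>
        roles = None if mp.find("unchecked") is not None else frozenset(
            r.text for r in mp.findall("role-name"))
        desc["permissions"].append((roles, _specs(mp)))
    for bean in root.find("enterprise-beans"):
        desc["beans"][bean.findtext("ejb-name")] = {
            "refs": [(r.findtext("role-name"), r.findtext("role-link"))
                     for r in bean.findall("security-role-ref")],
            "run_as": bean.findtext("security-identity/run-as/role-name")}
    return desc

def _matches(spec, ejb, intf, name):   # no method-intf means every interface
    s_ejb, s_intf, s_name = spec
    return s_ejb == ejb and s_intf in (None, intf) and s_name in ("*", name)

def effective_protection(desc, ejb, intf, name):
    """Resolve one method as the container does: the exclude list wins, then an
    exact method-name entry, then a '*' entry, otherwise the method is unprotected.
    Unchecked wins over roles at the same specificity."""
    if any(_matches(s, ejb, intf, name) for s in desc["excluded"]):
        return "excluded", None
    for exact in (True, False):
        roles = set()
        for perm_roles, specs in desc["permissions"]:
            if any(_matches(s, ejb, intf, name) and (s[2] != "*") == exact for s in specs):
                if perm_roles is None:
                    return "unchecked", None
                roles |= perm_roles
        if roles:
            return "roles", frozenset(roles)
    return "unprotected", None

def audit(desc, bean_methods):
    """Findings the deployer would otherwise have to resolve at install time."""
    findings = []
    for ejb, methods in bean_methods.items():
        for intf, name in methods:
            if effective_protection(desc, ejb, intf, name)[0] == "unprotected":
                findings.append(f"{ejb}.{name} ({intf}) has no method permission")
    for ejb, info in desc["beans"].items():
        for role_name, link in info["refs"]:
            if link is None:
                findings.append(f"{ejb}: security-role-ref '{role_name}' has no role-link")
            elif link not in desc["roles"]:
                findings.append(f"{ejb}: role-link '{link}' is not a declared role")
        if info["run_as"] and info["run_as"] not in desc["roles"]:
            findings.append(f"{ejb}: run-as role '{info['run_as']}' is not a declared role")
    return findings

if __name__ == "__main__":
    d = parse_descriptor(EJB_JAR_XML)
    for intf, name in BEAN_METHODS["AccountBean"]:
        print(intf, name, *effective_protection(d, "AccountBean", intf, name))
    print("\n".join("FINDING: " + f for f in audit(d, BEAN_METHODS)))
```

Running the script prints the effective protection of each method (getBalance resolves to unchecked even though the Remote * entry grants it to Teller, closeAccount is excluded, withdraw requires Teller, and the Home create method is unprotected because the * entry applies only to the Remote interface) followed by three findings. To use it on a real assembly, feed it the ejb-jar.xml from the assembled .jar and build the method inventory from the bean's interfaces; method entries that also specify method-params are not handled here.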