Use this topic to programmatically secure your Enterprise JavaBeans (EJB) applications.
You can enable a login module to indicate which principal class is returned by the getCallerPrincipal call.
When you use the isCallerInRole method, declare a security-role-ref element in the deployment descriptor whose role-name subelement contains the role name that is passed to this method. Because actual roles are created during the assembly stage of the application, you can use a logical role as the role name and provide enough hints in the description of the security-role-ref element for the assembler to link that role to an actual role. During assembly, the assembler creates a role-link subelement that links the role-name to the actual role. You can create the security-role-ref element with an assembly tool such as Rational Application Developer (RAD), either during development or during the assembly stage.
Using the J2EE security model capabilities to specify security policies declaratively is useful when an EJB application wants to access external resources and wants to control access to those resources using its own authorization table (a mapping of external resources to users). In this case, call the getCallerPrincipal method to obtain the caller identity; the application can then consult its own authorization table to perform the authorization. The caller identity can also be used to retrieve the corresponding user information from an external source, such as a database or another enterprise bean. You can use the isCallerInRole method in a similar way.
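The following is an added example, not code from the original page, of the pattern just described: a session bean that owns its authorization table (external resource to permitted callers) and consults it with the identity from getCallerPrincipal(), falling back to a container-managed role check through isCallerInRole(). The bean name ReportBean, the resource and user names, the AccessDeniedException class and the logical role "Auditor" are all constructed for this example; the only external dependency is the javax.ejb API (EJB 2.x). The main() method drives the bean through a java.lang.reflect.Proxy that stands in for the container's SessionContext, so the authorization logic can be checked without a server.

```java
package tests;

import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

// Added example bean (hypothetical; not from the page): authorizes access to
// "external resources" from its own table plus a container role check.
public class ReportBean implements SessionBean {

    // Checked application exception: reaches the client as-is and, unlike a
    // RuntimeException, does not cause the container to discard the bean.
    public static class AccessDeniedException extends Exception {
        public AccessDeniedException(String msg) { super(msg); }
    }

    // Application-owned authorization table: resource -> callers allowed to read it.
    // Constructed sample data; a real deployment would load this from a database.
    private static final Map<String, Set<String>> READERS = new HashMap<String, Set<String>>();
    static {
        READERS.put("payroll-2024", new HashSet<String>(Arrays.asList("alice", "bob")));
        READERS.put("audit-log", new HashSet<String>(Arrays.asList("alice")));
    }

    private SessionContext ctx;

    public void setSessionContext(SessionContext c) { ctx = c; }
    public void ejbCreate() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
    public void ejbRemove() {}

    // True if the current caller may read the named resource. Deny by default.
    public boolean mayRead(String resource) {
        // Container-managed check first: the logical role "Auditor" (linked to a
        // real role via role-link at assembly time) may read everything.
        if (ctx.isCallerInRole("Auditor")) {
            return true;
        }
        Principal caller = ctx.getCallerPrincipal();
        Set<String> allowed = READERS.get(resource);
        if (allowed == null) {
            return false; // unknown resource: nobody may read it, not everybody
        }
        return allowed.contains(caller.getName());
    }

    // Business method: touches the resource only after the per-caller check passes.
    public String readReport(String resource) throws AccessDeniedException {
        if (!mayRead(resource)) {
            throw new AccessDeniedException(ctx.getCallerPrincipal().getName()
                    + " may not read " + resource);
        }
        return "contents of " + resource; // stand-in for the external resource
    }

    // Offline harness: a dynamic proxy plays the container's SessionContext and
    // answers only getCallerPrincipal() and isCallerInRole(String).
    static SessionContext fakeContext(final String user, final Set<String> roles) {
        InvocationHandler h = new InvocationHandler() {
            public Object invoke(Object proxy, Method m, Object[] args) {
                if (m.getName().equals("getCallerPrincipal")) {
                    return new Principal() { public String getName() { return user; } };
                }
                if (m.getName().equals("isCallerInRole") && args[0] instanceof String) {
                    return Boolean.valueOf(roles.contains((String) args[0]));
                }
                throw new UnsupportedOperationException(m.getName());
            }
        };
        return (SessionContext) Proxy.newProxyInstance(
                SessionContext.class.getClassLoader(), new Class[] { SessionContext.class }, h);
    }

    private static void check(boolean cond, String what) {
        if (!cond) throw new AssertionError(what);
    }

    public static void main(String[] args) throws Exception {
        ReportBean bean = new ReportBean();
        bean.setSessionContext(fakeContext("bob", Collections.<String>emptySet()));
        check(bean.mayRead("payroll-2024"), "bob is listed for payroll-2024");
        check(!bean.mayRead("audit-log"), "bob is not listed for audit-log");
        check("contents of payroll-2024".equals(bean.readReport("payroll-2024")), "read succeeds");

        bean.setSessionContext(fakeContext("carol", Collections.singleton("Auditor")));
        check(bean.mayRead("audit-log"), "Auditor role short-circuits the table");

        bean.setSessionContext(fakeContext("mallory", Collections.<String>emptySet()));
        check(!bean.mayRead("nonexistent"), "unknown resource is denied");
        try {
            bean.readReport("audit-log");
            check(false, "expected AccessDeniedException");
        } catch (AccessDeniedException expected) { }
        System.out.println("all checks passed");
    }
}
```

Two design points: the table lookup is deny-by-default (a resource with no entry grants nothing), and the role check is consulted before the table so that the container-managed role, which the assembler links to a real role, remains the authoritative path. Deploying this bean still requires a security-role-ref for "Auditor" in the deployment descriptor, exactly as for "Mgr" in the examples that follow.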
The security-role-ref element as declared by the developer, before assembly:

    <security-role-ref>
        <description>Provide hints to assembler for linking this role-name to actual role here</description>
        <role-name>Mgr</role-name>
    </security-role-ref>

The same element after the assembler has added the role-link subelement:

    <security-role-ref>
        <description>Hints provided by developer to map role-name to role-link</description>
        <role-name>Mgr</role-name>
        <role-link>Manager</role-link>
    </security-role-ref>
    public class aSessionBean implements SessionBean {
        ...
        // SessionContext extends EJBContext. For an entity bean use EntityContext.
        javax.ejb.SessionContext context;

        // The EJB container calls this method automatically
        public void setSessionContext(javax.ejb.SessionContext ctx) {
            context = ctx; // save the session bean's context
        }
        ...
        private void aBusinessMethod() {
            ...
            // get the bean's caller using getCallerPrincipal()
            java.security.Principal principal = context.getCallerPrincipal();
            String callerId = principal.getName();
            // check whether the bean's caller is granted the Mgr role
            boolean isMgr = context.isCallerInRole("Mgr");
            // use the above information in any way the application needs
            ...
        }
        ...
    }
File: Hello.java

    package tests;

    import java.rmi.RemoteException;

    /**
     * Remote interface for Enterprise Bean: Hello
     */
    public interface Hello extends javax.ejb.EJBObject {
        public abstract String getMessage() throws RemoteException;
        public abstract void setMessage(String s) throws RemoteException;
    }

File: HelloHome.java

    package tests;

    /**
     * Home interface for Enterprise Bean: Hello
     */
    public interface HelloHome extends javax.ejb.EJBHome {
        /**
         * Creates a default instance of Session Bean: Hello
         */
        public tests.Hello create() throws javax.ejb.CreateException, java.rmi.RemoteException;
    }
File: HelloBean.java

    package tests;

    /**
     * Bean implementation class for Enterprise Bean: Hello
     */
    public class HelloBean implements javax.ejb.SessionBean {
        private javax.ejb.SessionContext mySessionCtx;

        /**
         * getSessionContext
         */
        public javax.ejb.SessionContext getSessionContext() {
            return mySessionCtx;
        }

        /**
         * setSessionContext
         */
        public void setSessionContext(javax.ejb.SessionContext ctx) {
            mySessionCtx = ctx;
        }

        /**
         * ejbActivate
         */
        public void ejbActivate() {
        }

        /**
         * ejbCreate
         */
        public void ejbCreate() throws javax.ejb.CreateException {
        }

        /**
         * ejbPassivate
         */
        public void ejbPassivate() {
        }

        /**
         * ejbRemove
         */
        public void ejbRemove() {
        }

        // kept private so the field can only change through setMessage()
        private java.lang.String message;

        // business methods

        // all users can call getMessage()
        public String getMessage() {
            return message;
        }

        // all users can call setMessage(), but only some users can set a new message
        public void setMessage(String s) {
            // get the bean's caller using getCallerPrincipal()
            java.security.Principal principal = mySessionCtx.getCallerPrincipal();
            java.lang.String callerId = principal.getName();

            // check whether the bean's caller is granted the Mgr role
            boolean isMgr = mySessionCtx.isCallerInRole("Mgr");

            // only store the supplied message if the caller is "bob" or is granted the Mgr role
            if (isMgr || callerId.equals("bob")) {
                message = s;
            } else {
                message = "Hello";
            }
        }
    }
The security-role-ref element for the Hello bean:

    <security-role-ref>
        <description>Only Managers can call setMessage() on this bean (Hello)</description>
        <role-name>Mgr</role-name>
    </security-role-ref>
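The page shows only the security-role-ref fragment; the following is an added example, not a descriptor from the original page or the product, of a complete ejb-jar.xml for the Hello bean that places the fragment in context and shows how the logical role "Mgr" used in the code is linked to a real role. It assumes the EJB 2.0 DTD, a stateful session bean (so that the message set by one call is visible to the next), the real role name "Manager" from the earlier role-link example, and an unchecked method permission because the page's bean lets every user call both methods and makes the finer decision in code.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN"
                         "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>Hello</ejb-name>
      <home>tests.HelloHome</home>
      <remote>tests.Hello</remote>
      <ejb-class>tests.HelloBean</ejb-class>
      <!-- assumption: Stateful, so the message survives between calls -->
      <session-type>Stateful</session-type>
      <transaction-type>Container</transaction-type>
      <!-- developer's declaration: the logical role passed to isCallerInRole() -->
      <security-role-ref>
        <description>Only Managers can call setMessage() on this bean (Hello)</description>
        <role-name>Mgr</role-name>
        <!-- added by the assembler: links the logical role to the real role below -->
        <role-link>Manager</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <!-- the real role, declared once for the whole module -->
    <security-role>
      <description>Users allowed to change the greeting</description>
      <role-name>Manager</role-name>
    </security-role>
    <!-- declarative, container-enforced permission: every authenticated caller may
         invoke the bean's methods; who may actually change the message is decided
         inside setMessage() with getCallerPrincipal() and isCallerInRole() -->
    <method-permission>
      <unchecked/>
      <method>
        <ejb-name>Hello</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

With this descriptor, isCallerInRole("Mgr") is evaluated against the security role named in role-link, so the name hard-coded in the bean never has to match the role name chosen at assembly time, and renaming the deployed role only requires editing the descriptor. Before deploying, check that every role-name used in a security-role-ref has a role-link and that every role-link names a security-role declared in the assembly-descriptor.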