You can provide security for your Java™ EE enterprise application directly in your
source code using annotations.
About this task
Common security annotations: JSR 250 defines a number
of common security annotations. Five security annotations are defined:
Procedure
- javax.annotation.security.PermitAll:
- Can be used at type or method level.
- Indicates that the given method or all business methods of the
given EJB are accessible by everyone.
- javax.annotation.security.DenyAll:
- Can be used at method level.
- Indicates that the given method in the EJB cannot be accessed
by anyone.
- javax.annotation.security.RolesAllowed:
- Can be used at type or method level.
- Indicates that the given method or all business methods in the
EJB can be accessed by users associated with the list of roles.
- javax.annotation.security.DeclareRoles:
- Can be used at type level.
- Defines roles for security checking. To be used by EJBContext.isCallerInRole,
HttpServletRequest.isUserInRole, and WebServiceContext.isUserInRole.
- javax.annotation.security.RunAs:
- Can be used at type level.
- Specifies the run-as role for the given components.
Example
Using security annotations
- For the annotations @PermitAll, @DenyAll, and @RolesAllowed, a
class-level annotation applies to a class and a method-level annotation
applies to a method. Method-level annotation overrides the behavior
of class level annotation.
@Stateless
@RolesAllowed("team")
public class TestEJB implements Test {
@PermitAll
public String hello(String msg) {
return "Hello, " + msg;
}
public String goodbye(String msg) {
return "Goodbye, " + msg;
}
}
In this example, the hello() method is accessible by
everyone, and the goodbye() method is accessible by users of role
team.
- The @DeclareRoles annotation defines a list of roles to be used
by a given component. In the Java EE
5 environment, you can look up the resource by using the @javax.annotation.Resource
and verify whether the user is of the given role by invoking the following
APIs:
Table 1. | Component |
API used to check role |
| EJB |
javax.ejb.EJBContext.isCallerInRole(role) |
| Servlet |
javax.servlet.http.HttpServletRequest.isUserInRole(role) |
| Web Service |
javax.xml.ws.WebServiceContext.isUserInRole(role) |
- The @PermitAll, @DenyAll, and @RolesAllowed annotations allow
you to implement most of the authorization decision. However, to accomplish
more complicated logic, use the @DeclareRoles annotation. For example,
suppose the hello method is to be accessible by a user who is in role
A and who is not in role B at the same time. The following code clip
achieves this goal:
@Stateless
@DeclaresRoles({"A", "B"})
public class TestEJB implements Test {
@Resource private SessionContext sc;
public String hello(String msg) {
if (sc.isCallerInRole("A") && !sc.isCallerInRole("B")) {
...
} else {
...
}
}
}
Invalid use of security annotations