EJB-Tier Security

The following sections describe declarative and programmatic security mechanisms that can be used to protect resources in the EJB tier. The protected resources include methods of enterprise beans that are called from the app clients, Web components, or other enterprise beans.

You can protect EJB-tier resources by doing the following:

  • Declaring method permissions
  • Mapping roles to J2EE users and groups

 

Declaring Method Permissions

After you've defined the roles, you can define the method permissions of an enterprise bean. Method permissions indicate which roles are allowed to invoke which methods.

Use the following procedure in deploytool to specify method permissions by mapping roles to methods.

  1. Select the enterprise bean.
  2. Select the Security tab.
  3. In the Method Permissions table, select Sel Roles in the Availability column.
  4. Then select a role's checkbox if that role should be allowed to invoke a method.

 

Using Programmatic Security in the EJB Tier

Programmatic security in the EJB tier consists of the getCallerPrincipal and the isCallerInRole methods. You can use the getCallerPrincipal method to determine the caller of the enterprise bean, and the isCallerInRole method to get the caller's role.

The getCallerPrincipal method of the EJBContext interface returns the java.security.Principal object that identifies the caller of the enterprise bean. (In this case, a principal is the same as a user.) In the following example, the getUser method of an enterprise bean returns the name of the J2EE user that invoked it: 

public String getUser() {
   return context.getCallerPrincipal().getName();
}

You can determine whether an enterprise bean's caller belongs to a particular role by invoking the isCallerInRole method: 

boolean result = context.isCallerInRole("Customer");

 

Unprotected EJB-Tier Resources

By default, the J2EE SDK assigns the ANYONE role to a method. The guest user, which is anonymous and unauthenticated, belongs to the ANYONE role. Therefore, if you do not map the roles, any user may invoke the methods of an enterprise bean.