Using annotations to secure Java EE applications
You can provide security for your Java™ EE enterprise application directly in your source code using annotations.
Common security annotations: JSR 250 defines a number of common security annotations. Five security annotations are defined:
- javax.annotation.security.PermitAll:
- Can be used at type or method level.
- Indicates that the given method or all business methods of the given EJB are accessible by everyone.
- javax.annotation.security.DenyAll:
- Can be used at method level.
- Indicates that the given method in the EJB cannot be accessed by anyone.
- javax.annotation.security.RolesAllowed:
- Can be used at type or method level.
- Indicates that the given method or all business methods in the EJB can be accessed by users associated with the list of roles.
- javax.annotation.security.DeclareRoles:
- Can be used at type level.
- Defines roles for security checking. To be used by EJBContext.isCallerInRole, HttpServletRequest.isUserInRole, and WebServiceContext.isUserInRole.
- javax.annotation.security.RunAs:
- Can be used at type level.
- Specifies the run-as role for the given components.
Using security annotations
- For the annotations @PermitAll, @DenyAll, and @RolesAllowed, a class-level annotation applies to a class and a method-level annotation applies to a method. Method-level annotation overrides the behavior of class level annotation.
@Stateless @RolesAllowed("team") public class TestEJB implements Test { @PermitAll public String hello(String msg) { return "Hello, " + msg; } public String goodbye(String msg) { return "Goodbye, " + msg; } }In this example, the hello() method is accessible by everyone, and the goodbye() method is accessible by users of role team.
- The @DeclareRoles annotation defines a list of roles to be used by a given component. In the Java EE 5 environment, you can look up the resource by using the @javax.annotation.Resource and verify whether the user is of the given role by invoking the following APIs:
Table 1. Component API used to check role EJB javax.ejb.EJBContext.isCallerInRole(role) Servlet javax.servlet.http.HttpServletRequest.isUserInRole(role) Web Service javax.xml.ws.WebServiceContext.isUserInRole(role)
- The @PermitAll, @DenyAll, and @RolesAllowed annotations allow you to implement most of the authorization decision. However, to accomplish more complicated logic, use the you need the @DeclareRoles annotation. For example, Suppose the hello method is to be accessible by a user who is in role A and who is not in role B at the same time. The following code clip achieves this goal:
@Stateless @DeclaresRoles({"A", "B"}) public class TestEJB implements Test { @Resource private SessionContext sc; public String hello(String msg) { if (sc.isCallerInRole("A") && !sc.isCallerInRole("B")) { ... } else { ... } } }Invalid use of security annotations
- More than one of @DenyAll, @PermitAll, @RolesAllowed cannot apply to the same method. For example, the following usage is not valid:
@PermitAll @DenyAll public String test()
- Two @RolesAllowed annotations cannot apply to the same methods. For example, the following usage is not valid and will fail in compilation:
@RolesAllowed("team") @RolesAllowed("otherteam") public String hello()Instead, use this structure:
@RolesAllowed({"team", "otherteam"}) public String hello()
Related concepts
Securing enterprise applications