Develop with programmatic APIs for EJB applications


Programmatic security is used by security-aware applications when declarative security alone is not sufficient to express the security model of the application. The javax.ejb.EJBContext interface provides two methods whereby the bean provider can access security information about the enterprise bean caller.

IsCallerInRole(String rolename): Returns true if the bean caller is granted the specified security role (specified by role name). If the caller is not granted the specified role, or if the caller is not authenticated, it returns false. If the specified role is granted Everyone access, it always returns true.
getCallerPrincipal(): Returns the object containing the bean caller name. If the caller is not authenticated, it returns a principal containing UNAUTHENTICATED name.

When the isCallerInRole() method is used, declare a security-role-ref element in the deployment descriptor with a role-name subelement containing the role name passed to this method. Since actual roles are created during the assembly stage of the application, you can use a logical role as the role name and provide enough hints to the assembler in the description of the security-role-ref element to link that role to actual role. During assembly, assembler creates a role-link sub element to link the role-name to the actual role. Creation of a security-role-ref element is possible if development tools such as WebSphere Studio Application Developer is used. You also can create the security-role-ref element during the assembly stage using an assembly tool.

  1. Add the required security methods in the EJB module code.

  2. Create a security-role-ref element with a role-name field for all the role names used in the isCallerInRole() method.If a security-role-ref element is not created during development, make sure it is created during the assembly stage.

A programmatically secured EJB application.

 Usage scenariogetCallerPrincipal()

After development, a security-role-ref element can be created...

<description>Provide hints to assembler for linking this role-name to 
actual role here<\description>

During assembly, the assembler creates a role-link element...

<description>Hints provided by developer to map role-name to role-link</description>

You can add programmatic EJB component security methods (isCallerInRole() and getCallerPrincipal()) inside any business methods of an enterprise bean. The following example of programmatic security APIs includes a session bean...

public class aSessionBean implements SessionBean {


       // SessionContext extends EJBContext. If it is entity bean use EntityContext
       javax.ejb.SessionContext context;

       // The following method will be called by the EJB container 
       // automatically
       public void setSessionContext(javax.ejb.SessionContext ctx) {
              context = ctx; // save the session bean's context


       private  void aBusinessMethod()  {

       // to get  bean's caller using getCallerPrincipal() principal = context.getCallerPrincipal();     
       String  callerId= principal.getName();

       // to check if  bean's caller is granted Mgr role
       boolean isMgr = context.isCallerInRole("Mgr");

       // use the above information in any way as needed by the 


After developing an application, use the Assembly Toolkit to create roles and to link the actual roles to role names in the security-role-ref elements. For more information, see Securing enterprise bean applications using the Assembly Toolkit.


See Also

Securing enterprise bean applications using the Assembly Toolkit
Example: Enterprise bean application code
Security: Resources for learning