Security role references
Security role references provide a layer of indirection between the security roles named in EJB Java code and the security roles that are defined at application assembly time. This allows security role names to be modified without requiring changes to the application code.
When an EJB uses the isCallerInRole(java.lang.String roleName) J2EE API method to determine whether the caller is a member of a particular role, roleName is a security role reference, which is later linked to a defined security role in the EJB descriptor file, ejb-jar.xml. For example, the following Java code shows how a security role reference might be used.
public String isInRole() {
    if (mySessionCtx.isCallerInRole("RoleReference")) {
        return "You are a member of the referenced role";
    } else {
        return "You are NOT a member of the referenced role";
    }
}
Reference definition
Every security role reference that is coded must be defined in the assembly descriptor; the XML tag <security-role-ref> is used for this purpose.
Reference link
At application assembly time, all the defined security role references must be linked to one of the existing security role definitions. The XML tag <role-link>, specified within <security-role-ref> in the ejb-jar.xml deployment descriptor, defines the reference link. The following XML code shows how the security role reference RoleReference can be linked to the security role BeanVisitor.
<enterprise-beans>
    <session id="SecuredHello">
        ...
        <security-role-ref>
            <description>The "RoleReference" string is mapped to BeanVisitor security role</description>
            <role-name>RoleReference</role-name>
            <role-link>BeanVisitor</role-link>
        </security-role-ref>
        ...
    </session>
</enterprise-beans>
For a security role reference to work, the security role to which it is linked must be a security role that is defined in the deployment descriptor and mapped to one or more users, groups, or special subjects.
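A descriptor check for the linking rule above, as an added example that is not part of the original documentation: it reports every <security-role-ref> in an ejb-jar.xml that has no <role-link>, or whose <role-link> names a role with no <security-role> definition. The function names and the AdminRef, BeanAdmin and UnlinkedRef entries are constructed for illustration; the check covers only the descriptor, not the mapping of roles to users, groups, or special subjects.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's SecuredHello bean plus two deliberately
# broken references (AdminRef, UnlinkedRef) added for illustration.
SAMPLE_EJB_JAR = """<ejb-jar>
  <enterprise-beans>
    <session id="SecuredHello">
      <security-role-ref>
        <role-name>RoleReference</role-name><role-link>BeanVisitor</role-link>
      </security-role-ref>
      <security-role-ref>
        <role-name>AdminRef</role-name><role-link>BeanAdmin</role-link>
      </security-role-ref>
      <security-role-ref><role-name>UnlinkedRef</role-name></security-role-ref>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>BeanVisitor</role-name></security-role>
  </assembly-descriptor>
</ejb-jar>"""

def local(tag):
    """Drop an XML namespace prefix so namespaced and DTD-style descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def check_role_refs(ejb_jar_xml):
    """Return (bean, reference, problem) for each reference that cannot resolve."""
    root = ET.fromstring(ejb_jar_xml)
    defined = {child_text(e, "role-name") for e in root.iter()
               if local(e.tag) == "security-role"}
    problems = []
    for bean in root.iter():
        for ref in (c for c in bean if local(c.tag) == "security-role-ref"):
            name, link = child_text(ref, "role-name"), child_text(ref, "role-link")
            bean_id = child_text(bean, "ejb-name") or bean.get("id")
            if not link:
                problems.append((bean_id, name, "no role-link"))
            elif link not in defined:
                problems.append((bean_id, name, "role-link is not a defined security-role"))
    return problems

if __name__ == "__main__":
    for problem in check_role_refs(SAMPLE_EJB_JAR):
        print(problem)
```

Run against the real descriptor at assembly time; an empty list means every reference used in isCallerInRole calls resolves to a defined role.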