Secure enterprise bean applications during assembly

Enterprise bean methods can be protected by assigning security roles to them. So, you need to know what enterprise bean methods need protecting and how they are protected.

For more information about assembling your secure applications, see these topics in the Application Assembly Tool help documentation:

Perform these steps to assemble your secure enterprise bean application:

  1. Open the enterprise bean application file.
    This file can be an JAR file or an application EAR file that contains one or more EJB modules. To open the application file click File --> Open. Click Browse, and select the application file.

  2. Create security roles.
    You can create security roles at the application level or at the EJB module level. If you create a security role at the EJB module level, the role displays in the application level. If a security role is created at application level, the role does not show up in all the EJB module. You can copy and paste one or more EJB module security roles that you create at application level.

    To create the security roles, perform these steps:

    1. Create a role at application level by right-clicking Security Roles under the application folder. Click New. Type the role name. If the role that is created for the application is required for a EJB module, select that role from the application, copy it, right-click the EJB module Security Roles, and click Paste.
    2. To create a role at an EJB module level, open the corresponding EJB module folder. Right-click Security Roles under the EJB module and click New. Type the role name.

  3. Create method permissions.
    Method permissions are a mapping of one or more methods to a set of roles. An enterprise bean has four types of methods: Home methods, Remote methods, LocalHome methods and Local methods.

    To create the method permissions, perform these steps:

    1. To create a new method permission in a EJB module, open the EJB module folder. Right-click MethodPermissions and click New. A new panel displays.
    2. Type the method permission name and description.
    3. Add methods by clicking Add under Methods. Browse and select the required methods. An asterisk (*) indicates all methods.
    4. Add the required roles for those methods by clicking Add under Roles. Browse and click the required roles. If a set of methods needs to be unprotected, unselect the checkbox. Click OK when you are done.

  4. Exclude methods user access.
    Users cannot access excluded methods. Any method in enterprise beans that is not assigned to a role or is not excluded is marked as deselected during the application installation by the deployer.

    To exclude methods, perform these steps:

    1. Exclude one or more methods by right-clicking Exclude List under the EJB module folder. Click New. A new panel displays.
    2. Type descriptive text that describes why these methods are excluded.
    3. Add methods to be excluded by clicking Add. Click Browse, and click the methods that you want to excluded. Click OK when you done.

  5. Map security-role-ref and role-name to role-link.
    During development of enterprise beans, you may create the security-role-ref element with development tools such as WebSphere Studio Application Developer. The security-role-ref element contains only the role-name field at this stage. The role-name field determines if the caller is in a specified role (the isCallerInRole() method returns true) and contains the name of the role that is referenced in the code. Because you create security roles during the assembly stage, you use a logical role name in the role-name field and provide enough information in the description field for the assembler to map the actual role (role-link). The security-role-ref element is located at the enterprise bean level. Enterprise beans can have zero or more security-role-ref elements.

    To map the elements to role-link, perform these steps:

    1. Open the required EJB folder and click Security Role References to map role-name to role-link for a security-role-ref element.
    2. For each role-name you want to map, click the role-name in the navigation menu, and then select the role from the drop-down list..
    3. If you did not create the security-role-ref element during development, right-click Security Role References and click New. A new panel displays.
    4. You can enter the role-name in the Name field and the role-link in the Link field by selecting a proper role from the drop down list. You can also add a proper description in the Description field.

  6. Specify the RunAs identity for enterprise beans components.
    The RunAs identity of the enterprise beans is used to invoke the next enterprise beans in the chain of enterprise bean invocations. The RunAs identity is passed to the next enterprise bean that is invoked so it can perform an authorization check on subsequent enterprise beans. If the RunAs identity is not specified, the client identity is propagated to the next enterprise bean. The RunAs identity can represent each of the enterprise beans or each method in the enterprise beans.

    To specify the RunAs identity, perform these steps:

    1. To set the RunAs Identity for the enterprise beans component, click one or more enterprise beans. Click the security tab in the navigation menu.
    2. Select Security Identity.
    3. Select Run-As mode from the drop-down list.
    4. Click the role name from the drop-down list if UseSpecifiedId is selected. Click Apply when you are done.
    5. Set the RunAs Identity at the method level by opening the EJB folder. Click Method Extensions.
    6. Select the Advanced tab in the navigation menu.
    7. Select the required methods from the top of the panel and select Security Identity. (Selecting System Identity implies that the invocation is done using the WebSphere Application Server security server ID and should be used with caution as this ID has more privileges.) Click Run-As Mode.
    8. Click the Role Name from the drop-down list if the specified identity is selected.