Java Reference
In-Depth Information
For example, Enterprise JavaBeans components use an EJB deployment
descriptor, which must be named
ejb-jar.xml
and placed in the
META-INF
folder of the EJB JAR file.
Web components use a web application deployment descriptor named
web.xml
,
which is located in the
WEB-INF
directory.
Tip
Since the release of Java EE 5, you can apply declarative security by means of an-
notations just like we have for other key APIs (EJB, web services, and so on).
Annotations are specified within a class file, and when the application is de-
ployed, the application server translates this information internally.
•
Programmatic security
: This is embedded in an application and used to make
security decisions. It can be used when declarative security alone is not sufficient
to express the security model of an application. The Java EE security API allows
the developer to test whether or not the current user has access to a specific role,
using the following calls:
◦
isUserInRole()
for servlets and JSPs (adopted in
javax.servlet.http.HttpServletRequest
)
◦
isCallerInRole()
for EJBs (adopted in
javax.ejb.SessionContext
)
Additionally, there are other API calls that provide access to the user's identity,
which are as follows:
◦
getUserPrincipal()
for servlets and JSPs (adopted in
javax.servlet.http.HttpServletRequest
)
◦
getCallerPrincipal()
for EJBs (adopted in
javax.ejb.SessionContext
)
Using these APIs, you can develop arbitrarily complex authorization models.
