Java Reference
In-Depth Information
Securing EJBs
Securing applications by means of a web login form is the most frequently used option in
Enterprise applications. Nevertheless, the HTTP protocol is not the only choice available to
access applications. For example, EJBs can be accessed by remote clients using the RMI-
IIOP protocol. In such a case, you should further refine your security policies by restricting
access to the EJB components, which are usually involved in the business layer of your ap-
plications.
Tip
How does security work at the EJB level?
Authentication must be performed before any EJB method is called. Authorization, on the
other hand, occurs at the beginning of each EJB method call.
One vast area of improvement introduced in Java EE 5 concerns the use of annotations,
which can also be used to perform the basic security checks. There are five available an-
notations, which are listed as follows:
•
@org.jboss.ejb3.annotation.SecurityDomain
: This specifies the
security domain that is associated with the class/method.
•
@javax.annotation.security.RolesAllowed
: This specifies the list
of roles permitted to access a method(s) in an EJB application.
•
@javax.annotation.security.RunAs
: This assigns a role dynamically to
the EJB application during the invocation of the method. It can be used, for ex-
ample, if we need to temporarily allow permission to access certain methods.
•
@javax.annotation.security.PermitAll
: This specifies that an EJB
application can be invoked by any client. The purpose of this annotation is to
widen security access to some methods in situations where you don't exactly know
what role will access the EJB application (imagine that some modules have been
developed by a third party and they access your EJB application with some roles
that are not well identified).
•
@javax.annotation.security.DenyAll
: This specifies that an EJB ap-
plication cannot be invoked by external clients. It has the same considerations as
those for
@PermitAll
.
The following snippet is an example of how to secure the
TheatreBooker
SFSB, which
we discussed in
Chapter 4
,
Learning Context and Dependency Injection
:
