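import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.Stateful;
import org.jboss.ejb3.annotation.SecurityDomain;

@RolesAllowed("Manager")
@SecurityDomain("dbdomain")
@Stateful
@Remote(TheatreBooker.class)
public class TheatreBookerBean implements TheatreBooker {
}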
Note
Be careful! There is more than one SecurityDomain API available. You have to include org.jboss.ejb3.annotation.SecurityDomain. The @RolesAllowed annotation, on the other hand, must be imported from javax.annotation.security.RolesAllowed.
The JBoss-specific annotations can be found in the following Maven dependency:
<dependency>
    <groupId>org.jboss.ejb3</groupId>
    <artifactId>jboss-ejb3-ext-api</artifactId>
    <version>2.0.0</version>
    <scope>provided</scope>
</dependency>
Annotations can also be applied at the method level; for example, if we want to secure just the bookSeat method of the TheatreBookerBean class, we will tag the bookSeat method as follows:
@RolesAllowed("Manager")
@SecurityDomain("dbdomain")
public String bookSeat(int seatId) throws SeatBookedException {
}
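The difference between class-level and method-level placement is easy to miss in review, so the following added example (not code from the original text) uses reflection to list which public methods of a bean carry a role constraint. The nested RolesAllowed annotation is a stand-in for javax.annotation.security.RolesAllowed so the program compiles without the Java EE API jar, and RoleAudit, MethodLevelBean, ClassLevelBean and listSeats are hypothetical names.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.*;

public class RoleAudit {
    // Stand-in for javax.annotation.security.RolesAllowed (assumption of this
    // example) so the program compiles without the Java EE API jar.
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @interface RolesAllowed { String[] value(); }

    // Hypothetical bean: only bookSeat is tagged, as in the method-level case.
    static class MethodLevelBean {
        @RolesAllowed("Manager")
        public String bookSeat(int seatId) { return "booked " + seatId; }
        public String listSeats() { return "seats"; }
    }

    // Hypothetical bean: the class-level tag applies to every business method.
    @RolesAllowed("Manager")
    static class ClassLevelBean {
        public String bookSeat(int seatId) { return "booked " + seatId; }
        public String listSeats() { return "seats"; }
    }

    // A method-level annotation takes precedence over the class-level one.
    // An empty list means no @RolesAllowed applies to that method.
    static Map<String, List<String>> effectiveRoles(Class<?> bean) {
        RolesAllowed onClass = bean.getAnnotation(RolesAllowed.class);
        Map<String, List<String>> result = new TreeMap<>();
        for (Method m : bean.getDeclaredMethods()) {
            if (!Modifier.isPublic(m.getModifiers()) || m.isSynthetic()) continue;
            RolesAllowed onMethod = m.getAnnotation(RolesAllowed.class);
            RolesAllowed effective = onMethod != null ? onMethod : onClass;
            result.put(m.getName(),
                effective == null ? List.of() : List.of(effective.value()));
        }
        return result;
    }

    public static void main(String[] args) {
        for (Class<?> bean : List.of(MethodLevelBean.class, ClassLevelBean.class)) {
            effectiveRoles(bean).forEach((name, roles) -> System.out.printf(
                "%s.%s -> %s%n", bean.getSimpleName(), name,
                roles.isEmpty() ? "no @RolesAllowed declared" : roles));
        }
    }
}
```

Run against the two sample beans, the report shows listSeats without a declared role in MethodLevelBean and covered by Manager in ClassLevelBean.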
What if you don't want to use annotations to establish security roles? For example, if you have a security role that is shared across all your EJB applications, perhaps it is simpler to use a plain old XML configuration instead of tagging all EJBs with annotations. In this scenario, you have to declare the security constraints first in the generic META-INF/ejb-jar.xml file, shown as follows: