<jboss-web>
    <security-domain>java:/jaas/mysqldomain</security-domain>
</jboss-web>
Securing EJBs
Securing applications by means of a web login form is the most frequently used option in Enterprise applications. Nevertheless, HTTP is not the only protocol through which applications can be accessed. For example, EJBs can be accessed by remote clients using the RMI-IIOP protocol. In such a case, you should further refine your security policies by restricting access to the EJB components themselves, which usually make up the business layer of your applications.
Tip
How does security work at the EJB level?
Authentication is performed once, before any EJB method is called. Authorization, on the other hand, is checked at the beginning of each individual EJB method invocation.
A major improvement introduced in Java EE 5 is the use of annotations, which can also be used to perform the basic security checks. There are five available annotations, as follows:
@org.jboss.ejb3.annotation.SecurityDomain : This specifies the security domain that is associated with the class or method.
@javax.annotation.security.RolesAllowed : This specifies the list of roles permitted to access a method or methods in an EJB application.
@javax.annotation.security.RunAs : This dynamically assigns a role to the EJB application for the duration of the method invocation. It can be used, for example, if we need to temporarily grant permission to access certain methods.
@javax.annotation.security.PermitAll : This specifies that an EJB application can be invoked by any client. The purpose of this annotation is to widen security access to some methods in situations where you
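An added example (not from the book) showing the annotations above working together on two stateless session beans. The domain name "mysqldomain" is taken from the jboss-web.xml fragment above and is assumed to be configured on the server; the bean, method and role names ("Manager", "Scheduler") are assumed.

```java
// Two bean classes (separate source files when deployed); imports listed once.
import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

// AccountBean.java: authentication runs against "mysqldomain" (assumed to be
// defined in the security subsystem) before any method is entered; the
// class-level @RolesAllowed is the default rule for every method.
@Stateless
@SecurityDomain("mysqldomain")
@RolesAllowed({"Manager"})
public class AccountBean {
    @Resource
    private SessionContext ctx;

    // Inherits the class-level rule: only callers in role "Manager" get here.
    public void approveLoan(String accountId) {
        // business logic omitted
    }

    // Method-level annotation overrides the class-level one: any client,
    // authenticated or not, may call this, so it must expose nothing sensitive.
    @PermitAll
    public String describe(String accountId) {
        return "Account " + accountId + " viewed by " + ctx.getCallerPrincipal().getName();
    }
}

// NightlyApprovalBean.java: @RunAs replaces the caller's role with "Manager"
// for every call this bean makes, so it can reach approveLoan() on behalf of a
// scheduler. Because that elevates privilege, the bean itself stays restricted
// to "Scheduler" rather than @PermitAll, or the elevation would be open to all.
@Stateless
@SecurityDomain("mysqldomain")
@RunAs("Manager")
@RolesAllowed({"Scheduler"})
public class NightlyApprovalBean {
    @EJB
    private AccountBean accounts;

    public void approvePending(String[] accountIds) {
        for (String id : accountIds) {
            accounts.approveLoan(id);
        }
    }
}
```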