don't exactly know what role will access the EJB application (imagine that
some modules have been developed by a third party and they access
your EJB application with some roles that are not well-identified).
@javax.annotation.security.DenyAll: This specifies that an
EJB application cannot be invoked by external clients. It has the same
considerations as those for @PermitAll.
Here is an example of how to secure the TheatreBookerBean SFSB, which we
discussed in Chapter 4, Learning Context Dependency Injection:
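import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.Stateful;
import org.jboss.ejb3.annotation.SecurityDomain;

// Only callers in the "Manager" role, authenticated against "mysqldomain", may invoke this bean
@RolesAllowed("Manager")
@SecurityDomain("mysqldomain")
@Stateful
@Remote(TheatreBooker.class)
public class TheatreBookerBean implements TheatreBooker {
}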
Note
Be careful! There is more than one SecurityDomain API available. You
have to include org.jboss.ejb3.annotation.SecurityDomain. The
@RolesAllowed annotation, on the other hand, is imported from
javax.annotation.security.RolesAllowed.
Annotations can also be applied at the method level; for example, if we want to
secure just the bookSeat method of the TheatreBookerBean class, we would tag the
method as follows:
@RolesAllowed("Manager")
@SecurityDomain("mysqldomain")
public String bookSeat(int seatId) throws
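How a class-level @RolesAllowed combines with method-level annotations can be checked with the following added example (not code from the book or from JBoss): a reflection-based sketch of the lookup order, in which a method-level annotation takes precedence over the class-level one. SampleBooker, isCallerAllowed and the Clerk role are hypothetical names, and denying a method that carries no annotation at either level is an assumption of the sketch, not a statement about container defaults. It needs the javax.annotation API on the classpath.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

public class EffectiveRolesDemo {

    // Hypothetical stand-in for a secured bean; not the book's TheatreBookerBean.
    @RolesAllowed("Manager")
    static class SampleBooker {
        // No method-level annotation: the class-level "Manager" restriction applies.
        public String bookSeat(int seatId) { return "booked " + seatId; }
        @PermitAll
        public String listSeats() { return "seats"; }
        @DenyAll
        public void purgeBookings() { }
        @RolesAllowed({"Manager", "Clerk"})
        public String printTicket(int seatId) { return "ticket " + seatId; }
    }

    /** A method-level annotation wins; otherwise fall back to the class-level one. */
    static boolean isCallerAllowed(Method m, Set<String> callerRoles) {
        if (m.isAnnotationPresent(DenyAll.class)) return false;
        if (m.isAnnotationPresent(PermitAll.class)) return true;
        RolesAllowed roles = m.getAnnotation(RolesAllowed.class);
        if (roles == null) {
            Class<?> c = m.getDeclaringClass();
            if (c.isAnnotationPresent(PermitAll.class)) return true;
            roles = c.getAnnotation(RolesAllowed.class);
        }
        // Assumption of this sketch: nothing declared at either level means deny.
        if (roles == null) return false;
        return Arrays.stream(roles.value()).anyMatch(callerRoles::contains);
    }

    public static void main(String[] args) {
        // Constructed caller role sets for the demonstration.
        Set<String> clerk = Collections.singleton("Clerk");
        Set<String> manager = Collections.singleton("Manager");
        for (Method m : SampleBooker.class.getDeclaredMethods()) {
            System.out.printf("%-14s Clerk=%-5b Manager=%b%n", m.getName(),
                    isCallerAllowed(m, clerk), isCallerAllowed(m, manager));
        }
    }
}
```

Running it lists each method with the decision for a Clerk-only and a Manager-only caller, which makes an unintended gap or an over-broad method-level override easy to spot during review.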