Listing 6.7. Securing bid cancellation using declarative security management
This listing includes some of the most commonly used security annotations defined in JSR-250, including javax.annotation.security.DeclareRoles, javax.annotation.security.RolesAllowed, and javax.annotation.security.PermitAll. Two other annotations that we haven't used but will discuss are javax.annotation.security.DenyAll and javax.annotation.security.RunAs. Let's start our analysis of the code and security annotations with the @DeclareRoles annotation.
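Listing 6.7 itself is not reproduced on this page, so the following is an added example (not the book's code) showing these annotations on a stateless session bean; the bean name, method names and the mapping of roles to methods are assumptions chosen to mirror the bid-cancellation scenario.

```java
import java.security.Principal;
import java.util.logging.Logger;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/*
 * Hypothetical bean (names assumed, not the book's listing): the container
 * checks the caller's roles before any business method below is entered.
 */
@Stateless
@DeclareRoles({"BIDDER", "CSR", "ADMIN"})   // master list of roles this bean refers to
@RolesAllowed({"BIDDER", "CSR", "ADMIN"})   // class-level default for every business method
public class BidManagerBean {

    private static final Logger LOG = Logger.getLogger(BidManagerBean.class.getName());

    @Resource
    private SessionContext context;

    // No method-level annotation: the class-level rule applies, so any of the
    // three declared roles may place a bid.
    public void addBid(long itemId, double amount) {
        // persisting the bid is omitted
    }

    // Method-level override narrows the class-level rule: a plain BIDDER cannot
    // cancel bids, only CSR or ADMIN can.
    @RolesAllowed({"CSR", "ADMIN"})
    public void cancelBid(long bidId) {
        // Record who performed the privileged action; the role check itself
        // already happened in the container before this line ran.
        Principal caller = context.getCallerPrincipal();
        LOG.info("bid " + bidId + " cancelled by " + caller.getName());
        // removing the bid is omitted
    }

    // Method-level override relaxes the class-level rule: any caller,
    // authenticated or not, may read the current bid.
    @PermitAll
    public double getCurrentBid(long itemId) {
        return 0.0; // lookup omitted
    }
}
```

A caller without a permitted role never reaches the method body: the container rejects the call with javax.ejb.EJBAccessException.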
@DeclareRoles annotation
The @DeclareRoles annotation lists the security roles used in an EJB. It can only be placed on a class. If it isn't provided, then the container looks through the @RolesAllowed annotations and builds up a master list for the class. If a bean extends another
marked as using roles BIDDER, CSR, and ADMIN.
@RolesAllowed annotation
The @RolesAllowed annotation is the crux of declarative security management. This annotation can be applied to either an EJB business method or an entire class. When applied to an entire EJB, it tells the container which roles are allowed to access any EJB method. On the other hand, you can use this annotation on a method to specify the authentication for that particular method. The tremendous flexibility offered by this annotation becomes evident when you consider the fact that you can override class-level settings by