Java Reference
In-Depth Information
Listing 6.7. Securing bid cancellation using declarative security management
This listing includes some of the most commonly used security annotations defined in
JSR-250, including ,
javax.annotation .security.RolesAllowed , and . Two other annotations that we
haven't used but will discuss are .DenyAll and . Let's start our analysis of the code and se-
curity annotations with the @DeclareRoles annotation.
@DeclareRoles annotation
The @DeclareRoles annotation lists the security roles used in an EJB. It can only be
placed on a class. If it isn't provided, then the container looks through the @Roles-Al-
lowed annotations and builds up a master list for the class. If a bean extends another
bean, the list of roles is concatenated. In the case of listing 6.5 , the BidManagerBean is
marked as using roles BIDDER , CSR , and ADMIN
@RolesAllowed annotation
The @RolesAllowed annotation is the crux of declarative security management.
This annotation can be applied to either an EJB business method or an entire class. When
applied to an entire EJB, it tells the container which roles are allowed to access any EJB
method. On the other hand, you can use this annotation on a method to specify the authen-
tication for that particular method. The tremendous flexibility offered by this annotation
becomes evident when you consider the fact that you can override class-level settings by
Search WWH ::

Custom Search