Java Reference
In-Depth Information
public interface EJBContext {
...
public java.securityPrincipal getCallerPrincipal();
public boolean isCallerInRole(java.lang.String roleName);
...
}
You've already seen the isCallerInRole method in action; it's fairly self-explanatory.
Behind the scenes, the EJB context retrieves the Principal associated with the current
thread and checks if any of its roles match the name you provided. The getCaller-
Principal method gives you direct access to the java.security.Principal rep-
resenting the current authentication context. The only method of interest in the Princip-
al interface is getName , which returns the name of the principal. Most of the time, the
name of the principal is the login name of the validated user. This means that just in case of
a homemade security framework, you could validate the individual user if you needed to.
For example, assume that you decided to allow bidders to cancel their orders if the cancel-
lation was performed within five minutes. This is in addition to allowing CSRs to cancel
bids. You'd implement this using getCallerPrincipal method as follows:
public void cancelBid(Bid bid) {
if(!context.isCallerInRole("CSR") &&
!context.isCallerInRole("ADMIN") &&
(!bid.getBidder().getUsername().equals(
context.getCallerPrincipal().getName()) &&
bid.getBidDate().getTime() >= (new Date().getTime() - 60*1000))) {
throw new SecurityException("You do not have permission to cancel an
order.");
...
}
}
One thing to note is that there's no guarantee exactly what Principal name might
return. In some environments, it can return the role name, group name, or any other arbit-
rary string that makes sense for the authentication system. Before you use the Princip-
al.getName method, you should check the documentation of your particular security en-
vironment. As you can see, the one great drawback of programmatic security management
is the intermixing of security code with business logic, as well as the potential hardcod-
ing of role and principal names. In previous versions of EJB, there was no way of getting
around these shortfalls. But in EJB 3 you can alleviate this problem somewhat by using
interceptors. Let's see how to accomplish this next.
Previous Page
Next Page
EJB 3 in Action
Search WWH ::




Custom Search
Home