EJB Security Implementation step-by-step through roles: Bean Provider, Application Assembler, Deployer


The specification "JSR 318: Enterprise JavaBeansTM, Version 3.1" mentions the roles Bean Provider, Application Assembler, Deployer and System Administrator as the main actors in EJB creation.

Below is how each role contributes from the security perspective:

  1. Bean Provider: Uses annotations such as @RolesAllowed, @DeclareRoles, etc. to define the logical security view of a single enterprise bean.
  2. Application Assembler: Changes or creates the deployment descriptor, which defines the logical security view of the entire application. Maps security role references to security roles.
    These should not be confused with the user groups, users and principals that exist in the target enterprise's system environment. Those are handled by the Deployer.
  3. Deployer: The Deployer makes sure that the roles required by the Application Assembler are available in the target system. Maps the security view specified by the Application Assembler to the mechanisms and policies used by the security domain in the target operational environment.
  4. System Administrator: The system administrator configures the users and manages their membership in groups.

Example of each role's output:

  1. Bean Provider: TestBean.java

    import javax.annotation.security.RolesAllowed;
    import javax.ejb.Stateless;

    @Stateless
    public class TestBean {
        // Only callers in the logical role APP-ADMIN may invoke this method.
        @RolesAllowed({"APP-ADMIN"})
        public void sayHello() {
        }
    }
    

    ejb-jar.xml

    <ejb-jar>
        <enterprise-beans>
            <session>
                <ejb-name>TestBean</ejb-name>
                <ejb-class>org.ejb.test.TestBean</ejb-class>
                <session-type>Stateless</session-type>
            </session>
        </enterprise-beans>
    </ejb-jar>
    
  2. Application Assembler: Lists all logical roles that the Deployer has to map in the security domain of the target environment.
    ejb-jar.xml

    <ejb-jar>
        <enterprise-beans>
            <session>
                <ejb-name>TestBean</ejb-name>
                <ejb-class>org.ejb.test.TestBean</ejb-class>
                <session-type>Stateless</session-type>

                <security-role-ref>
                    <role-name>APP-ADMIN</role-name>
                    <role-link>ADMIN</role-link>
                </security-role-ref>
            </session>
        </enterprise-beans>

        <assembly-descriptor>
            <security-role>
                <role-name>ADMIN</role-name>
            </security-role>

            <method-permission>
                <role-name>ADMIN</role-name> <!-- or APP-ADMIN ? -->
                <method>
                    <ejb-name>TestBean</ejb-name>
                    <method-name>sayHello</method-name>
                </method>
            </method-permission>
        </assembly-descriptor>
    </ejb-jar>
    
  3. Deployer (JBoss 4.2.3-GA environment): Creates the security domain and assigns the principals realm for the enterprise application.
    login-config.xml

    <application-policy name="MyUserSecurityDomain">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                <module-option name="unauthenticatedIdentity">guest</module-option>
                <module-option name="dsJndiName">java:/jdbc/MyServerDS</module-option>
                <!-- stored passwords are compared as hex-encoded MD5 digests -->
                <module-option name="hashAlgorithm">MD5</module-option>
                <module-option name="hashEncoding">HEX</module-option>
                <module-option name="principalsQuery">SELECT password FROM app_user WHERE username = ?</module-option>
                <module-option name="rolesQuery">SELECT role, 'Roles' FROM app_user WHERE username = ?</module-option>
            </login-module>
        </authentication>
    </application-policy>
    

  4. System Administrator: Makes sure that the users in the app_user DB table who wish to use the enterprise application have the role ADMIN.

Can anyone give a more complete example? Or feel free to add anything that may be missing or modify what may be wrong in the given example. A complete example of the security flow could be useful to many people learning EJB or wishing to take Oracle Certification Expert 1Z0-895.

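The role chain that the descriptors above set up (security-role-ref, role-link, security-role, method-permission) can be checked mechanically before the Deployer maps anything. The following is an added example, not code from the question or from the EJB specification: a small Python checker run over a constructed ejb-jar.xml mirroring the one above, assuming the descriptor carries no default XML namespace (as on this page). It also bears on the inline "or APP-ADMIN?" question: the spec requires a method-permission role-name to be a security-role declared in assembly-descriptor (ADMIN here), while APP-ADMIN is only the coded name resolved through role-link, so the checker reports APP-ADMIN in a method-permission as undeclared.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the Application Assembler's ejb-jar.xml above
# (no default namespace, as on this page).
EJB_JAR_XML = """<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>TestBean</ejb-name>
      <security-role-ref>
        <role-name>APP-ADMIN</role-name>
        <role-link>ADMIN</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>ADMIN</role-name></security-role>
    <method-permission>
      <role-name>ADMIN</role-name>
      <method><ejb-name>TestBean</ejb-name><method-name>sayHello</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""


def check_roles(xml_text):
    """Return (declared_roles, problems): the logical roles the Deployer must
    map in the target security domain, and every role-link or method-permission
    role-name that resolves to no declared security-role (a deployment error).
    """
    root = ET.fromstring(xml_text)
    declared = {(r.text or "").strip() for r in
                root.findall("./assembly-descriptor/security-role/role-name")}
    problems = []
    # Bean Provider's coded role names must link to an assembled security role.
    for bean in root.findall("./enterprise-beans/*"):
        ejb = bean.findtext("ejb-name")
        for ref in bean.findall("security-role-ref"):
            coded, link = ref.findtext("role-name"), ref.findtext("role-link")
            if link is None or link.strip() not in declared:
                problems.append(f"{ejb}: security-role-ref {coded} links to undeclared role {link}")
    # method-permission must name declared security roles, not coded role-refs.
    for perm in root.findall("./assembly-descriptor/method-permission"):
        for rn in perm.findall("role-name"):
            if (rn.text or "").strip() not in declared:
                problems.append(f"method-permission uses undeclared role {(rn.text or '').strip()}")
    return declared, problems
```

The returned role set is exactly the list the Deployer has to provision in the security domain; an empty problem list means every reference in the descriptor resolves.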
