Security

Nikhil Jain
Ranch Hand

Joined: May 15, 2005
Posts: 385
What is the difference between the security-role-ref and security-role tags? Which tags does @DeclareRoles correspond to?

@DeclareRoles is used as a class annotation. So therefore security-role-ref is used within the session bean tags? So what is the corresponding annotation for security-role?


SCJP 1.4, SCWCD 1.4, SCBCD 1.5
vitesse wei
Ranch Hand

Joined: Sep 07, 2007
Posts: 100
The security-role-ref is used to declare the role names you used in your code; the corresponding annotation is @javax.annotation.security.DeclareRoles. You need to use role-link to link your role name to the logical role name declared by the assembler with security-role. As Manning's book said, security-role's corresponding annotation is @javax.annotation.security.DeclareRoles too.
Correct me if I am wrong.


SCJP 5.0 | SCWCD 1.4 | SCBCD 5
Benoît de Chateauvieux
Ranch Hand

Joined: Aug 10, 2007
Posts: 183
Hi,

Thanks for asking this, as this is a part of the specs that I don't understand well...
For me, there are two distinct things:
- Security Role References
- Security Roles

The spec (17.2.5.3) says:
The Bean Provider is responsible for using the DeclareRoles annotation or the security-role-ref elements of the deployment descriptor to declare all the security role names used in the enterprise bean code.

So for me, DeclareRoles declares Security Role References.

But in the chapter (17.3.1):
The Bean Provider may augment the set of security roles defined for the application by annotations in this way by means of the security-role deployment descriptor element.

So, annotations (DeclareRoles and RolesAllowed) declare Security Roles.

I think the link is at the chapter 17.3.3:
In the absence of any explicit linking, a security role reference will be linked to a security role having the same name.


So, for me, the annotations DeclareRoles and RolesAllowed declare security-role-ref and those references are implicitly mapped to Security Roles.
Those security roles can then be tested with isCallerInRole.

Can someone confirm or correct?
Thanks,

Benoît


SCJP5 | SCBCD5 | SCEA5 Part 1
Nikhil Jain
Ranch Hand

Joined: May 15, 2005
Posts: 385
Just to add from 17.3.3

The security role references used in the components of the application (@DeclareRoles | <security-role-ref>) are linked to the security roles defined for the application (<security-role>).


The linking is not required if the role defined in security-role-ref is the same as the security role.

But what does this mean?


Bean Provider may augment the set of security roles defined for the application by annotations in this way by means of the security-role dd element


So if we're using just the annotations, how are we supposed to do the linking part?
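
The linking rule quoted from 17.3.3 in the posts above, shown as an added example that is not part of the original thread or of the specification. The bean, the interface and the role names (`payroll`, `employee`, `payroll-department`) are hypothetical; the descriptor fragment is given as a comment so the file stays a single Java source.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical business interface for the example bean.
@Local
interface Salary {
    String viewSalary(String employeeId);
}

@Stateless
@DeclareRoles("payroll")   // role name used in the bean code via isCallerInRole
public class SalaryBean implements Salary {

    @Resource
    private SessionContext ctx;

    @RolesAllowed("employee")   // declarative check: who may call the method at all
    public String viewSalary(String employeeId) {
        // Programmatic check against the role reference declared above.
        if (ctx.isCallerInRole("payroll")) {
            return "full record for " + employeeId;
        }
        return "summary for " + employeeId;
    }
}

/*
 * Case 1, annotations only: no descriptor entry is written. By the rule quoted
 * from 17.3.3, the reference "payroll" is linked to the security role that has
 * the same name.
 *
 * Case 2, explicit link in ejb-jar.xml to a differently named role
 * ("payroll-department", assumed to be defined by the assembler):
 *
 *   <session>
 *     <ejb-name>SalaryBean</ejb-name>
 *     <security-role-ref>
 *       <role-name>payroll</role-name>
 *       <role-link>payroll-department</role-link>
 *     </security-role-ref>
 *   </session>
 *   ...
 *   <security-role><role-name>payroll-department</role-name></security-role>
 */
```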
Nikhil Jain
Ranch Hand

Joined: May 15, 2005
Posts: 385
1. Is it required to include the role used in @RunAs in the @RoleDeclared element?
2. Which value do we use in @RunAs? Is it the value specified in security-role-ref or security-role? Or does this really matter?