JavaRanch » Java Forums » Certification » EJB Certification (SCBCD/OCPJBCD)
Security Role

Hendy Setyo Mulyo
Ranch Hand

Joined: Dec 01, 2004
Posts: 219

Hi All,

Currently I am still preparing for SCBCD 5. Let's say I have a deployment descriptor in my application as follows:

Also, here is the code in my application:

The question: which one, // 1 or // 2, will be executed, considering that I set the security role in both my deployment descriptor and my code?
Thank you.
[ July 05, 2008: Message edited by: Hendy Setyo Mulyo ]

Hendy Setyo Mulyo
SCJP 1.4 (95%), SCWCD 1.4 (94%)
Nikhil Jain
Ranch Hand

Joined: May 15, 2005
Posts: 385
//1 Would be executed.

the xml always overrides annotations!!

SCJP 1.4, SCWCD 1.4, SCBCD 1.5
Hendy Setyo Mulyo
Ranch Hand

Joined: Dec 01, 2004
Posts: 219

Thank you!
J J Wright
Ranch Hand

Joined: Jul 02, 2008
Posts: 254
I think you're both completely missing the point here. You're asking which one will be executed, right?

You have declared, via annotations and the deployment descriptor, that your bean code uses two role names, 'manager' and 'employee'. These then have to be linked to logical security roles defined in your application's security view.

The roles in your security view then have to be mapped to groups in the operational environment's security realm.

After all that has been done, which bit of code gets executed is entirely dependent on the role associated with the principal executing the code.

J J Wright
Ranch Hand

Joined: Jul 02, 2008
Posts: 254
It may well be that if the principal executing the code is a manager, he will probably also be an employee, so you could end up with both A and B executing!
Anish Mathur

Joined: Jun 30, 2008
Posts: 9
As per the spec, section 17.3.1:

The set of security roles used by the application is taken to be the aggregation of the security roles defined by the security role names used in the DeclareRoles and RolesAllowed annotations. The Bean Provider may augment the set of security roles defined for the application by annotations in this way by means of the security-role deployment descriptor element.

As per my understanding this means that the roles which are allowed to invoke a business method of a bean are
DeclareRoles + RolesAllowed + security-role deployment descriptor.
J J Wright
Ranch Hand

Joined: Jul 02, 2008
Posts: 254
You're confusing two different aspects of security here; programmatic (the use of isCallerInRole()) and declarative (method permissions).

When a Bean Provider writes a bean that uses programmatic security checks they must declare the role name(s) used in the code using DeclareRoles and/or security-role-ref. If they don't, and the Application Assembler only has the bean byte code to work with, there's no way of knowing how to use the bean.

The whole point of being able to write reusable components is that the bean may be used by many different applications/organisations. The Bean Provider has no idea what applications the bean may be used in, so the Bean Provider uses arbitrary role name(s) in the bean code and declares them, along with a description.

An Application Assembler from another organization can use this bean by linking the declared roles to actual roles used in their application. If no mapping is supplied, the role names used in the code are assumed to exist in the application.

DeclareRoles and/or security-role-ref have nothing to do with method permissions.
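As an added example that is not code from any post in this thread, the bean below puts the two mechanisms J J Wright separates side by side: a declarative method permission via @RolesAllowed, and programmatic checks via isCallerInRole using role names declared with @DeclareRoles and linked to the application's security roles in the deployment descriptor. It also shows the point made earlier in the thread that a caller who is both a manager and an employee takes both branches. The bean name PayrollBean, its method, the application role names Managers and Staff, and the ejb-jar.xml fragment in the trailing comment are all assumptions for illustration.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/**
 * Added example (not from the original thread). Bean/method/role names
 * are assumed. Two separate things are going on here:
 *  - @RolesAllowed: declarative method permission on application
 *    security roles (enforced by the container before the body runs).
 *  - @DeclareRoles + isCallerInRole: programmatic checks on the Bean
 *    Provider's own role names, which the Application Assembler links
 *    to security roles via security-role-ref (see comment at the end).
 */
@Stateless
// Names used in isCallerInRole() below. These are NOT permissions;
// they only tell the assembler which names the code depends on.
@DeclareRoles({"manager", "employee"})
public class PayrollBean {

    @Resource
    private SessionContext ctx;

    /**
     * Declarative security: callers in neither "Managers" nor "Staff"
     * get javax.ejb.EJBAccessException and this body never executes.
     */
    @RolesAllowed({"Managers", "Staff"})
    public String approveExpense(long expenseId, double amount) {
        StringBuilder result = new StringBuilder();

        // Programmatic security. Role membership is not exclusive, so
        // these are two independent checks, not an either/or: a caller
        // who is in both linked roles runs branch A and branch B.
        if (ctx.isCallerInRole("manager")) {          // branch A
            result.append("manager-approved;");
        }
        if (ctx.isCallerInRole("employee")) {         // branch B
            result.append("employee-submitted;");
        }
        if (result.length() == 0) {
            // Unreachable while @RolesAllowed is enforced; kept as a
            // cheap defence in depth if the bean is exposed differently.
            throw new IllegalStateException("caller is in no recognised role");
        }
        return result.toString();
    }
}

/*
 * Assumed ejb-jar.xml fragment (hypothetical). The Bean Provider's names
 * "manager"/"employee" are linked to the application's security roles
 * "Managers"/"Staff"; the Deployer then maps those to realm groups.
 * Without a security-role-ref, a name passed to isCallerInRole() is
 * taken to be a security role of that same name.
 *
 * <enterprise-beans>
 *   <session>
 *     <ejb-name>PayrollBean</ejb-name>
 *     <security-role-ref>
 *       <role-name>manager</role-name>      <!-- name used in the code -->
 *       <role-link>Managers</role-link>     <!-- role in the security view -->
 *     </security-role-ref>
 *     <security-role-ref>
 *       <role-name>employee</role-name>
 *       <role-link>Staff</role-link>
 *     </security-role-ref>
 *   </session>
 * </enterprise-beans>
 * <assembly-descriptor>
 *   <security-role><role-name>Managers</role-name></security-role>
 *   <security-role><role-name>Staff</role-name></security-role>
 *   <!-- descriptor form of the @RolesAllowed permission above -->
 *   <method-permission>
 *     <role-name>Managers</role-name>
 *     <role-name>Staff</role-name>
 *     <method>
 *       <ejb-name>PayrollBean</ejb-name>
 *       <method-name>approveExpense</method-name>
 *     </method>
 *   </method-permission>
 * </assembly-descriptor>
 */
```

The thing to check when a role check "does not work" is which layer is involved: @RolesAllowed and method-permission are evaluated against the application's security roles (Managers, Staff), while isCallerInRole("manager") is resolved through the security-role-ref link. If the link is missing, the container looks for a security role literally named "manager", and if the deployer never mapped that role to a realm group the check is false for everyone.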
Vinay Nath
Ranch Hand

Joined: Jul 06, 2008
Posts: 85
I agree with Anish; the question gives limited information to answer regarding the annotation and DD role aggregation concept.

SCDJWS 5.0, SCBCD 5.0, SCWCD 5.0, SCJP 5.0
I agree. Here's the link: