
Security question: @RolesAllowed

Jim Janssens
Ranch Hand
Posts: 210
Is it correct to say that:

@DeclareRoles maps to the security-role-ref element of the deployment descriptor.
If you use the role 'super_user' in your bean, you annotate it with the @DeclareRoles("super_user")
Next, you use the isCallerInRole("super_user").
However, if the actual role is admin, but not super_user, you can use the role-link to link "super_user" to "admin".
This way isCallerInRole("super_user") will return true if the actual role is "admin".

Now, this is in contrast with the @RolesAllowed annotation, since, if I'm correct, it maps directly to the "security-role".
So, if I had annotated my bean method as @RolesAllowed("super_user"), there is no way to map it to "admin", right?



^^ I will never be able to execute 'myMethod' with role 'admin' since the RolesAllowed asks for a "super_user" role.

The only way I see to "fix" this is to create another role in the deployment descriptor "admin" and give specific method permissions:



This way the descriptor overrides the @RolesAllowed for the "myMethod", also allowing the "admin" role to access the method.
Does this make any sense?
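The two mechanisms the question contrasts, side by side in one bean, as an added example that is not part of the original post. The bean name, method names, the descriptor file path and the descriptor fragment (kept in a trailing comment so the example stays in one block) are assumptions; the role names are the ones used above.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
@Stateless
@DeclareRoles("super_user")   // role name the bean code refers to (assumed bean)
public class AdminBean {
    @Resource
    private SessionContext ctx;
    // Programmatic check: "super_user" is only a reference name; the descriptor's
    // <role-link> below maps it to the real role "admin", so an "admin" caller passes.
    public void wipeCache() {
        if (!ctx.isCallerInRole("super_user")) {
            throw new SecurityException("caller is not a super_user");
        }
    }
    // Declarative check: @RolesAllowed names a security-role directly, so an "admin"
    // caller is rejected unless a <method-permission> in the descriptor lists "admin".
    @RolesAllowed("super_user")
    public void myMethod() {
    }
}
/* META-INF/ejb-jar.xml (assumed file in the same module):
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>AdminBean</ejb-name>
      <security-role-ref>
        <role-name>super_user</role-name>  <!-- name used in isCallerInRole -->
        <role-link>admin</role-link>       <!-- actual security-role -->
      </security-role-ref>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>admin</role-name></security-role>
    <security-role><role-name>super_user</role-name></security-role>
    <method-permission>  <!-- descriptor permissions for myMethod take precedence over
                              @RolesAllowed, so list every role that should keep access -->
      <role-name>admin</role-name>
      <role-name>super_user</role-name>
      <method>
        <ejb-name>AdminBean</ejb-name>
        <method-name>myMethod</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
*/
```

Listing both roles in the method-permission keeps "super_user" access to myMethod whether the container treats the descriptor entry as a replacement for or an addition to the annotation.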
Amandeep Singh
Ranch Hand
Posts: 850
It seems you are correct.