Security question: @RolesAllowed

Jim Janssens
Ranch Hand

Joined: Sep 24, 2004
Posts: 210
Is it correct to say that:

@DeclareRoles maps to the security-role-ref element of the deployment descriptor.
If you use the role 'super_user' in your bean, you annotate it with @DeclareRoles("super_user").
Next, you use isCallerInRole("super_user").
However, if the actual role is "admin" but not "super_user", you can use the role-link to link "super_user" to "admin".
This way isCallerInRole("super_user") will return true if the actual role is "admin".

Now, this is in contrast with the @RolesAllowed annotation, since, if I'm correct, it maps directly to the "security-role".
So, if I had annotated my bean method as @RolesAllowed("super_user"), there is no way to map it to "admin", right?

^^ I will never be able to execute 'myMethod' with role 'admin', since @RolesAllowed asks for the "super_user" role.

The only way I see to "fix" this is to create another role in the deployment descriptor "admin" and give specific method permissions:

This way the descriptor overrides the @RolesAllowed for "myMethod", also allowing the "admin" role to access the method.
Does this make any sense?
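The bean and descriptor described above, as an added example that is not part of the original post: the bean code only knows the logical role "super_user", and the ejb-jar.xml fragment (shown in a trailing comment) maps it to the deployer's real role "admin" for both isCallerInRole and the method permission. The bean name AdminBean and the file layout are assumptions.

```java
// Added example (not from the original post): a session bean that uses the
// logical role "super_user", plus the ejb-jar.xml that maps it to "admin".
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles("super_user")  // corresponds to a security-role-ref "super_user"
public class AdminBean {
    @Resource
    private SessionContext ctx;

    // Container-enforced: "super_user", unless the descriptor overrides it.
    @RolesAllowed("super_user")
    public void myMethod() {
        // Programmatic check: true for callers in "admin" via the role-link below.
        if (!ctx.isCallerInRole("super_user")) {
            throw new SecurityException("super_user role required");
        }
        // ... privileged work ...
    }
}

/* Matching META-INF/ejb-jar.xml fragment (constructed for this example):
<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <enterprise-beans>
    <session>
      <ejb-name>AdminBean</ejb-name>
      <security-role-ref>                 <!-- makes isCallerInRole("super_user") -->
        <role-name>super_user</role-name> <!-- true for callers in role "admin"   -->
        <role-link>admin</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>admin</role-name></security-role>
    <security-role><role-name>super_user</role-name></security-role>
    <!-- Descriptor permissions replace @RolesAllowed for this method,
         so list every role that should keep access, not just "admin". -->
    <method-permission>
      <role-name>super_user</role-name>
      <role-name>admin</role-name>
      <method>
        <ejb-name>AdminBean</ejb-name>
        <method-name>myMethod</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
*/
```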
Amandeep Singh
Ranch Hand

Joined: Jul 17, 2008
Posts: 850
It seems you are correct.

SCJP 1.4, SCWCD 5, SCBCD 5, OCPJWSD 5, SCEA-1, Started Assignment Part 2
My blog