@RunAS

Deepika Joshi
Ranch Hand

Joined: Feb 24, 2009
Posts: 268
EJB3 In Action
page 210

Using @RunAs, we can temporarily assign a (CSR) role an (Admin) role so that the statistics-tracking EJB thinks an admin is invoking the method

@RunAS(ADMIN)
@RolesAllowed(CSR)
public void cancelBid( Bid bid, Item item){
}

I am a bit confused here: RolesAllowed is CSR, so CSR can run this method (then why do I need to use the RunAs annotation?).

Remko Strating
Ranch Hand

Joined: Dec 28, 2006
Posts: 893
It does mean that the role CSR is allowed to run this class as if it had the role Admin.


Remko (My website)
SCJP 1.5, SCWCD 1.4, SCDJWS 1.4, SCBCD 1.5, ITIL(Manager), Prince2(Practitioner), Reading/ gaining experience for SCEA,
Deepika Joshi
Ranch Hand

Joined: Feb 24, 2009
Posts: 268
Remko,

Thanks for the reply, but I did not understand the message. Can you please explain (a few more words please)...

This is an example of declarative security, so I do not think the code of this method would check the role of the user,
and the role matters only at access of the method.
@RolesAllowed(CSR): does it not mean to allow CSR to access this method? What is achieved by running this method as ADMIN?

thanks....
Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14687
    
  16

I am a bit confused here: RolesAllowed is CSR, so CSR can run this method

That's right.

then why do I need to use the RunAs annotation

If you don't, this bean will be seen as being a CSR. If it tries to call a method from another bean which is restricted to ADMIN, it will fail. To avoid this, @RunAs can be used to tell other beans that the caller is actually using the ADMIN role. You can imagine the bean wearing a CSR cap, and putting an ADMIN cap over it.


[My Blog]
All roads lead to JavaRanch
Deepika Joshi
Ranch Hand

Joined: Feb 24, 2009
Posts: 268
thanks a lot for answering the question....

Hong Anderson
Ranch Hand

Joined: Jul 05, 2005
Posts: 1936
By the way, the code is wrong, from errata:
Page 192 - Chapter 6 - 12th line from the top

REQUIRED_NEW should be REQUIRES_NEW

Change:
... @RunAS("ADMIN")
@RolesAllowed("CSR")
public void cancelBid(Bid bid, Item item) {...}
...
To:
... @RunAS("ADMIN")
@RolesAllowed("CSR")
public class BidManagerBean implements BidManager{
public void cancelBid(Bid bid, Item item) {...}
}
...

http://www.manning.com/panda/excerpt_errata.html


SCJA 1.0, SCJP 1.4, SCWCD 1.4, SCBCD 1.3, SCJP 5.0, SCEA 5, SCBCD 5; OCUP - Fundamental, Intermediate and Advanced; IBM Certified Solution Designer - OOAD, vUML 2; SpringSource Certified Spring Professional
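
The arrangement discussed in this thread, as an added example that is not part of any post or of the book's code: a CSR-callable bean that uses a class-level `@RunAs("ADMIN")` to reach an ADMIN-only bean. `StatisticsTracker`, `StatisticsTrackerBean`, `recordCancellation` and the `requestedBy` parameter are hypothetical names, `Bid` and `Item` are empty stand-ins, and each public type goes in its own source file.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// --- Bid.java / Item.java: empty stand-ins for the book's domain classes ---
public class Bid {}
public class Item {}

// --- BidManager.java ---
@Local
public interface BidManager { void cancelBid(Bid bid, Item item); }

// --- StatisticsTracker.java (hypothetical downstream bean) ---
@Local
public interface StatisticsTracker { void recordCancellation(Item item, String requestedBy); }

// --- StatisticsTrackerBean.java ---
@Stateless
@RolesAllowed("ADMIN")   // every business method requires the ADMIN role
public class StatisticsTrackerBean implements StatisticsTracker {
    public void recordCancellation(Item item, String requestedBy) {
        // The caller seen here is the run-as identity, not the CSR user,
        // so the real user arrives as an explicit argument for audit purposes.
    }
}

// --- BidManagerBean.java ---
@Stateless
@DeclareRoles({"CSR", "ADMIN"})
@RunAs("ADMIN")          // class-level only: the identity used for calls this bean makes
public class BidManagerBean implements BidManager {
    @Resource private SessionContext ctx;
    @EJB private StatisticsTracker stats;

    @RolesAllowed("CSR") // access check applied to the incoming caller
    public void cancelBid(Bid bid, Item item) {
        // @RunAs does not change how this bean sees its own caller.
        String realUser = ctx.getCallerPrincipal().getName();
        // The outbound call is made as ADMIN. Without @RunAs the CSR identity
        // would propagate and the container would reject the call with
        // javax.ejb.EJBAccessException.
        stats.recordCancellation(item, realUser);
    }
}
```

Every caller admitted by `@RolesAllowed("CSR")` gets ADMIN rights on whatever this bean invokes, so a bean carrying `@RunAs` should expose only the methods that need the elevated call.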