
Question regarding EJB Security

 
saqib rashids
I have a question regarding EJB Security: If the @DenyAll annotation is applied at class level and @RolesAllowed("xyz") is applied to a method methodA, will a caller in role "xyz" be allowed to call methodA? In other words, will @RolesAllowed at method level override @DenyAll at bean class level?

Similarly for @PermitAll: If @PermitAll is applied at class level and @RolesAllowed is applied at method level, will all clients be able to call that certain method, or only those in the role specified in @RolesAllowed?

Thanks in advance !!!
 
Frits Walraven
Hi Saqib,

The answer is found in the EJB specs:
Specifying the RolesAllowed or PermitAll or DenyAll annotation on the bean class means that it applies to all applicable business methods of the class.
Method permissions may be specified on a method of the bean class to override the method permissions value specified on the bean class.

In other words: the method level permissions always override the class level permissions (and permissions specified in the deployment descriptor always override any values specified in annotations).

Regards,
Frits
 