File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes EJB Certification (SCBCD/OCPJBCD) and the fly likes Question regarding EJB Security Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Certification » EJB Certification (SCBCD/OCPJBCD)
Bookmark "Question regarding EJB Security" Watch "Question regarding EJB Security" New topic

Question regarding EJB Security

saqib rashids

Joined: Mar 31, 2013
Posts: 6
I have a question regarding EJB Security: If @DenyAll notification is applied at class level and @RolesAllowed("xyz") is applied at a method methodA. Will a caller in role "xyz" be allowed to call methodA. In other words, will @RolesAllowed on method level override @DenyAll at bean class level.

Similarly for @PermitAll: If @PermitAll is applied at class level and @RolesAllowed is applied at method level. Will all clients be able to call that certain method or only those in role specified in @RolesAllowed.

Thanks in advance !!!
Frits Walraven
Creator of Enthuware JWS+ V6
Saloon Keeper

Joined: Apr 07, 2010
Posts: 2099

Hi Saqib,

The answer is found in the ejb specs:
Specifying the RolesAllowed or PermitAll or DenyAll annotation on the bean class means that it applies to all applicable business methods of the class.
Method permissions may be specified on a method of the bean class to override the method permissions value specified on the bean class.

In other words: the method level permissions always override the class level permissions (and permissions specified in the deployment descriptor always override any values specified in annotations).

I agree. Here's the link:
subject: Question regarding EJB Security
It's not a secret anymore!