my dog learned polymorphism*
The moose likes EJB Certification (SCBCD/OCPJBCD) and the fly likes Question regarding EJB Security Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Certification » EJB Certification (SCBCD/OCPJBCD)
Bookmark "Question regarding EJB Security" Watch "Question regarding EJB Security" New topic
Author

Question regarding EJB Security

saqib rashids
Greenhorn

Joined: Mar 31, 2013
Posts: 3
I have a question regarding EJB Security: If @DenyAll notification is applied at class level and @RolesAllowed("xyz") is applied at a method methodA. Will a caller in role "xyz" be allowed to call methodA. In other words, will @RolesAllowed on method level override @DenyAll at bean class level.

Similarly for @PermitAll: If @PermitAll is applied at class level and @RolesAllowed is applied at method level. Will all clients be able to call that certain method or only those in role specified in @RolesAllowed.

Thanks in advance !!!
Frits Walraven
Creator of Enthuware JWS+ V6
Bartender

Joined: Apr 07, 2010
Posts: 1522
    
  22

Hi Saqib,

The answer is found in the ejb specs:
Specifying the RolesAllowed or PermitAll or DenyAll annotation on the bean class means that it applies to all applicable business methods of the class.
Method permissions may be specified on a method of the bean class to override the method permissions value specified on the bean class.

In other words: the method level permissions always override the class level permissions (and permissions specified in the deployment descriptor always override any values specified in annotations).

Regards,
Frits
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Question regarding EJB Security
 
Similar Threads
Problem in securing EJB modules
Security principal propagation accross ejb3 modules
Spring Security - Method level Permission
Security question: @RolesAllowed
Doubt regarding Spring AOP