[EJB3] About security and the Deployer role

 
From what I have understood, the Deployer assigns principals to roles defined in both DeclareRoles and RolesAllowed annotations, and the security-role elements in the deployment descriptor.
I'm fine with the deployment descriptor. It's like EJB2. But how is the Deployer going to gather roles defined with annotations? Using a magic wand?
 
Hi,

Either tools inspect the packaged EJB or the EJB application/component will have to discuss these roles in documentation--in the enterprise, documentation is a good thing anyway.

By the way, this problem is not completely new: for example, how would a deployer know about roles that are only referenced in calls to EJBContext.isCallerInRole(String), even in an EJB 2.x application?

I think some (lightweight) documentation is the way to go...

Cheers,
Oliver
 
Christophe Verré

> how would a deployer know about roles that are only referenced in calls to EJBContext.isCallerInRole(String), even in an EJB 2.x application?


I thought that the Bean Developer was responsible for setting pseudo-roles in the deployment descriptor. But I thought it was not particularly needed in 3.0. Well, as you said, documentation will be needed, or a tool scanning the classes. Thank you.
 
Oliver Kamps
Of course, you were right. DeclareRoles is the annotation that corresponds to EJBContext.isCallerInRole().

A container could certainly scan an EJB's class file for these annotations much like it would scan a deployment constructor.
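
The class scan that the posts above say a tool or container could perform, as an added example that is not part of the original thread and not any container's actual implementation. It reads role names from DeclareRoles and RolesAllowed by reflection; the nested stand-in annotations, `RoleScanner` and `AccountBean` are assumptions made so the sketch compiles without a Java EE API jar.

```java
import java.lang.annotation.*;
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.util.*;

public class RoleScanner {
    // Stand-ins shaped like javax.annotation.security.DeclareRoles / RolesAllowed
    // (assumption: used only so this example runs without the Java EE API on the classpath).
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
    @interface DeclareRoles { String[] value(); }
    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.METHOD})
    @interface RolesAllowed { String[] value(); }

    // Constructed sample bean, not taken from the thread.
    @DeclareRoles({"auditor"})
    @RolesAllowed({"teller"})
    static class AccountBean {
        @RolesAllowed({"manager", "teller"}) public void transfer() {}
        public void balance() {}
    }

    // Matches by simple name, so the real javax/jakarta annotations are picked up as well.
    static void collect(AnnotatedElement e, String where, Map<String, Set<String>> out) {
        for (Annotation a : e.getAnnotations()) {
            String name = a.annotationType().getSimpleName();
            if (!name.equals("DeclareRoles") && !name.equals("RolesAllowed")) continue;
            try {
                Method value = a.annotationType().getMethod("value");
                for (String role : (String[]) value.invoke(a))
                    out.computeIfAbsent(role, r -> new TreeSet<>()).add("@" + name + " on " + where);
            } catch (ReflectiveOperationException ex) {
                throw new IllegalStateException("cannot read " + name + " on " + where, ex);
            }
        }
    }

    // Returns role name -> places that declare or require it, for the Deployer to map to principals.
    static Map<String, Set<String>> scan(Class<?> bean) {
        Map<String, Set<String>> roles = new TreeMap<>();
        collect(bean, bean.getSimpleName(), roles);
        for (Method m : bean.getDeclaredMethods())
            collect(m, bean.getSimpleName() + "." + m.getName() + "()", roles);
        return roles;
    }

    public static void main(String[] args) {
        scan(AccountBean.class).forEach((role, uses) -> System.out.println(role + " <- " + uses));
    }
}
```

A role passed only as a string to EJBContext.isCallerInRole(String) and not listed in DeclareRoles will not appear in this output, which is the documentation gap raised earlier in the thread.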