Index | News | FAQ | Download | Lists | Issues | |||||||||||||||||
OverviewGeneralConfigurationServersIntegrationsCommunityFeeds
|
This page shows the correct usage of the security related annotations:
Basic idea
No restrictionsAllow anyone logged in or not to invoke 'svnCommit'. These three examples are all equivalent. @Stateless public class OpenSourceProjectBean implements Project { public String svnCheckout(String s) { return s; } } @Stateless @PermitAll public class OpenSourceProjectBean implements Project { public String svnCheckout(String s) { return s; } } @Stateless public class OpenSourceProjectBean implements Project { @PermitAll public String svnCheckout(String s) { return s; } }
Restricting a MethodRestrict the 'svnCommit' method to only individuals logged in and part of the "committer" role. Note that more than one role can be listed. @Stateless @DeclareRoles({"committer"}) public class OpenSourceProjectBean implements Project { @RolesAllowed({"committer"}) public String svnCommit(String s) { return s; } public String svnCheckout(String s) { return s; } }
DeclareRolesYou need to update the @DeclareRoles when referencing more roles in your annotations. @Stateless @DeclareRoles({"committer", "contributor"}) public class OpenSourceProjectBean implements Project { @RolesAllowed({"committer"}) public String svnCommit(String s) { return s; } @RolesAllowed({"contributor"}) public String submitPatch(String s) { return s; } } Restricting all methods in a classPlacing the annotation at the class level changes the default of PermitAll @Stateless @DeclareRoles({"committer"}) @RolesAllowed({"committer"}) public class OpenSourceProjectBean implements Project { public String svnCommit(String s) { return s; } public String svnCheckout(String s) { return s; } public String submitPatch(String s) { return s; } }
Mixing class and method level restrictionsSecurity annotations can be used at the class level and method level at the same time. These rules do not stack, so marking 'submitPatch' overrides the default of "committers". @Stateless @DeclareRoles({"committer", "contributor"}) @RolesAllowed({"committer"}) public class OpenSourceProjectBean implements Project { public String svnCommit(String s) { return s; } public String svnCheckout(String s) { return s; } @RolesAllowed({"contributor"}) public String submitPatch(String s) { return s; } }
PermitAllWhen annotating a bean class with @RolesAllowed, the @PermitAll annotation becomes very useful on individual methods to open them back up again. @Stateless @DeclareRoles({"committer", "contributor"}) @RolesAllowed({"committer"}) public class OpenSourceProjectBean implements Project { public String svnCommit(String s) { return s; } @PermitAll public String svnCheckout(String s) { return s; } @RolesAllowed({"contributor"}) public String submitPatch(String s) { return s; } }
DenyAllThe @DenyAll annotation can be used to restrict business interface access from anyone, logged in or not. The method is still invokable from within the bean class itself. @Stateless @DeclareRoles({"committer", "contributor"}) @RolesAllowed({"committer"}) public class OpenSourceProjectBean implements Project { public String svnCommit(String s) { return s; } @PermitAll public String svnCheckout(String s) { return s; } @RolesAllowed({"contributor"}) public String submitPatch(String s) { return s; } @DenyAll public String deleteProject(String s) { return s; } }
Illegal UsageGenerally, security restrictions cannot be made on AroundInvoke methods and most callbacks. The following usages of @RolesAllowed have no effect. @Stateful @DecalredRoles({"committer"}) public class MyStatefulBean implements MyBusinessInterface { @PostConstruct @RolesAllowed({"committer"}) public void constructed(){ } @PreDestroy @RolesAllowed({"committer"}) public void destroy(){ } @AroundInvoke @RolesAllowed({"committer"}) public Object invoke(InvocationContext invocationContext) throws Exception { return invocationContext.proceed(); } @PostActivate @RolesAllowed({"committer"}) public void activated(){ } @PrePassivate @RolesAllowed({"committer"}) public void passivate(){ } } |
||||||||||||||||
Powered by Atlassian Confluence.
|