This example application demonstrates the EJB 3.0 security annotations using multiple Stateless Session EJBs and a remote client.
EJB 3.0 simplifies the specification and application of role-based security for Enterprise JavaBeans. Although the EJB 3.0 specification adds no new security features, the role-based security features from prior specifications are much easier to use.
Applications written to the EJB 3.0 specification may specify the following security options with annotations:
Declare roles for the EJB module using @SecurityRoles.
Assign roles to the bean class and/or bean methods with @MethodPermissions.
Override bean role permissions to allow unrestricted access with @Unchecked.
Disable access to a business method with @Exclude.
Set the security identity of a bean with @RunAs.
Note that the names of the security annotations are subject to change as the EJB 3.0 specification aligns with other technologies targeted for the J2EE 5.0 release.
Security example using EJB 3.0
Security roles apply to the entire EJB module. In the current EJB 3.0 draft specification, the @SecurityRoles annotation to define security roles is a package annotation and must be placed in a package-info.java file. Oracle’s implementation of EJB 3.0 will search any package that contains Stateless or Stateful session beans for the @SecurityRoles annotation.
The following package-info.java source demonstrates the declaration of two security roles:
Mapping these security roles to users or groups in the Oracle Application Server EJB 3.0 Preview is achieved using the orion-ejb-jar.xml file. This configuration is unchanged from previous Oracle Application Server releases.
The following is a Stateless Session EJB that sets “superuser” as the default required security role. The sharedTask() method has been overridden to include the “user” role, meaning that any user with either “superuser” or “user” permissions may call the method. The safeTask() method has been marked as unchecked, meaning that any user may invoke it regardless of their security role.
package oracle.ejb30;
import javax.ejb.MethodPermissions;
import javax.ejb.Stateless;
import javax.ejb.Unchecked;
@Stateless
@MethodPermissions("superuser")
public class AdminServiceBean implements AdminService {
public void adminTask() {
System.out.println("Admin method called");
}
@MethodPermissions("user")
public void sharedTask() {
System.out.println("Shared admin/user method called");
}
@Unchecked
public void safeTask() {
System.out.println("Unchecked method called");
}
}
The following StatelessSession EJB demonstrates a change to the security
identity of a bean. Any method call from this bean to another will run as
the “superuser” role regardless of the current user's security
roles.
import javax.ejb.Exclude;
import javax.ejb.MethodPermissions;
import javax.ejb.Stateless;
@Stateless
@MethodPermissions("user")
public class UserServiceBean implements UserService {
public void userTask() {
System.out.println("User service called");
}
@Exclude
public void disabledTask() {
System.out.println("Disabled method called");
}
}
The complete source code for this application is included as part of this How-To package.
Prerequisites
What you need to know
In order to complete the example application, you should
be familiar with the following:
EJB 3.0
For further information on EJB 3.0, see the following
documents on OTN:
etc - all necessary files to package the application
lib - holds the application archives that could be deployed
doc - the How-to document and Javadoc's
javadoc - the javadoc of the different source files
how-to-ejb30-security.html - this How-to page
src - the source of the demo
ejb - contains the sample SLSB code
client - contains application client code
2. Configure the Environment
Ensure
the following environment variables are defined:
%ORACLE_HOME% - The directory where you installed OC4J.
%JAVA_HOME% - The directory where you installed
the JDK
3. Start the Oracle Application Server EJB 3.0 Preview
An Oracle Application Server EJB 3.0 Preview container must
be running. Start it using the following command:
>%ORACLE_HOME%/bin/ejb30 -start
4. Generate, Compile,
and Deploy the Application
Ensure Ant 1.6.2 or above is installed on your machine and configured correctly.
On some operating systems, Ant does not currently
support the use of environment variables. If this is the case for your operating
system, please modify the common.xml file located in the
%HOWTO_HOME% directory.
Edit ant-oracle.properties (in the demodirectory) and ensure
the following properties are set to the correct values,
as indicated below:
oc4j.host: host where
OC4J is running (default localhost)
oc4j.admin.port: RMI port number
(default 23791)
oc4j.admin.user: admin user name (default oc4jadmin)
oc4j.admin.password: admin user password (default welcome)
oc4j.binding.module: website name where deployed web modules
are bound (default http-web-site)
To build the application, type the following command
from the %HOWTO_HOME% directory:
>ant
You should now have the newly created ejb30security.ear in your
%HOWTO_HOME%/lib directory.
This command would also attempt to deploy the application if the build is
successful. It will first test whether server is running.
Note that you can also deploy the application
separately .
Ensure the %ORACLE_HOME% environment variable is defined,
and from the %HOWTO_HOME%
directory, type the command:
>ant deploy
5. Run
the Application
Run
the sample by providing the following command, including a name as the program
argument:
>ant run
You will see output generated by
the client
run:
[java] Looking up beans
[java] Calling allowed user method
[java] Calling excluded user method
[java] Call failed
[java] Calling disallowed administration method
[java] Call failed
[java] Calling administration method with user and admin permissions
[java] Calling unchecked administration method
[java] Calling administration method through privileged bean
Summary
In this document, you should have learned how to:
Use security annotations in EJB 3.0
Deploy an execute a sample application using Security annotation in
the Oracle Application Server EJB 3.0 Preview
Bookmark
