EJB – Security


Security is a major concern of any enterprise level application. It includes identification of user(s) or system accessing the application. Based on identification, it allows or denies the access to resources within the application. An EJB container manages standard security concerns or it can be customized to handle any specific security concerns.

Important Terms of Security

  • Authentication − The process of verifying that the user accessing the system or application is who they claim to be.
  • Authorization − The process of ensuring that an authenticated user has the right level of authority to access system resources.
  • User − Represents the client or system that accesses the application.
  • User Groups − Users may be part of a group that holds certain authorities, for example the administrators' group.
  • User Roles − Roles define the level of authority a user has, or the permissions to access a system resource.

Container Managed Security

EJB 3.0 specifies the following security annotations, which EJB containers implement.

  • DeclareRoles − Declares the security roles that the class refers to. Applied at class level.
  • RolesAllowed − Indicates that a method can be accessed only by users in the specified roles. Can also be applied at class level, in which case all methods of the class are restricted to users in the specified roles unless a method-level annotation overrides it.
  • PermitAll − Indicates that a business method is accessible to all users. Can be applied at class level as well as at method level.
  • DenyAll − Indicates that a business method is not accessible to any user. Can be applied at class level or at method level.

Example

package com.tutorialspoint.security.required;
 
import javax.annotation.security.*;   // DeclareRoles, RolesAllowed, PermitAll, DenyAll (JSR 250)
import javax.ejb.*;
 
@Stateless
@DeclareRoles({"student", "librarian"})
public class LibraryBean implements LibraryRemote {

   // only callers in the "librarian" role may delete a book
   @RolesAllowed({"librarian"})
   public void delete(Book book) {
      //delete book
   }
   
   // any caller, authenticated or not, may view a book
   @PermitAll
   public void viewBook(Book book) {
      //view book
   }
   
   // no caller may invoke this through the container
   @DenyAll
   public void deleteAll() {
      //delete all books
   } 
}
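As an added example (not the tutorial's own code), the bean below shows how a class-level RolesAllowed acts as the default for every method, how a method-level annotation overrides it, and how a data-dependent rule that annotations cannot express is enforced programmatically through the SessionContext. LoanBean, LoanRemote and the method names are hypothetical.

```java
package com.tutorialspoint.security.required;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Remote
interface LoanRemote {
    void borrow(String isbn);
    void extendLoan(String isbn, String borrower);
    void purgeAll();
    void maintenance();
}

// Hypothetical bean (not from the tutorial): class-level default roles,
// a method-level override, and a programmatic check on the caller.
@Stateless
@DeclareRoles({"student", "librarian"})
@RolesAllowed({"student", "librarian"})   // default for every method not annotated below
public class LoanBean implements LoanRemote {
    @Resource
    private SessionContext ctx;           // injected by the container
    // Inherits the class-level @RolesAllowed: any student or librarian may call it.
    public void borrow(String isbn) {
        System.out.println(ctx.getCallerPrincipal().getName() + " borrowed " + isbn);
    }
    // Same roles, but the rule depends on data, which annotations cannot express:
    // a student may extend only their own loan, a librarian may extend any loan.
    public void extendLoan(String isbn, String borrower) {
        String caller = ctx.getCallerPrincipal().getName();
        if (!ctx.isCallerInRole("librarian") && !caller.equals(borrower)) {
            throw new EJBAccessException(caller + " may not extend a loan held by " + borrower);
        }
        System.out.println(caller + " extended " + isbn + " for " + borrower);
    }
    // Method-level annotation overrides the class-level default: nobody may call this.
    @DenyAll
    public void purgeAll() { }
    // Caveat: "this.purgeAll()" would bypass the container, because security is checked
    // only on calls through the business interface. Going through the container reference
    // keeps @DenyAll effective, so this call raises EJBAccessException.
    public void maintenance() {
        ctx.getBusinessObject(LoanRemote.class).purgeAll();
    }
}
```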

Security Configuration

Map roles to user groups in the sun-ejb-jar.xml deployment descriptor.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 EJB 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-ejb-jar_3_0-0.dtd">
<sun-ejb-jar>
   <security-role-mapping>
      <role-name>student</role-name>
      <group-name>student-group</group-name>
   </security-role-mapping>
   <security-role-mapping>
      <role-name>librarian</role-name>
      <group-name>librarian-group</group-name>
   </security-role-mapping>  
   <enterprise-beans/>
</sun-ejb-jar>

JNDI Bindings

JNDI stands for Java Naming and Directory Interface. It is a set of APIs and service interfaces that Java based applications use for naming and directory services. In the context of EJB, there are two terms.

  • Binding − This refers to assigning a name to an EJB object, which can be used later.
  • Lookup − This refers to looking up and getting an object of EJB.

In JBoss, session beans are bound in JNDI in the following format by default −

  • local − EJB-name/local
  • remote − EJB-name/remote

If the EJBs are bundled in an <application-name>.ear file, the default format is as follows −

  • local − application-name/ejb-name/local
  • remote − application-name/ejb-name/remote

Example of Default Binding

Refer to EJB – Create Application chapter’s JBoss console output.

JBoss Application Server Log Output

...
16:30:02,723 INFO  [SessionSpecContainer] Starting jboss.j2ee:jar=EjbComponent.jar,name=LibrarySessionBean,service=EJB3
16:30:02,723 INFO  [EJBContainer] STARTED EJB: com.tutorialspoint.stateless.LibrarySessionBean ejbName: LibrarySessionBean
16:30:02,731 INFO  [JndiSessionRegistrarBase] Binding the following Entries in Global JNDI:

   LibrarySessionBean/remote - EJB3.x Default Remote Business Interface
   LibrarySessionBean/remote-com.tutorialspoint.stateless.LibrarySessionBeanRemote - EJB3.x Remote Business Interface
...

Customized Binding

The following annotations can be used to customize the default JNDI bindings −

  • local − org.jboss.ejb3.LocalBinding
  • remote − org.jboss.ejb3.RemoteBindings

Update LibrarySessionBean.java. Refer to EJB – Create Application chapter.

LibrarySessionBean

package com.tutorialspoint.stateless;
 
import java.util.ArrayList;
import java.util.List;
import javax.ejb.Stateless;
import org.jboss.ejb3.LocalBinding;   // JBoss-specific annotation for the custom JNDI name
 
@Stateless
@LocalBinding(jndiBinding="tutorialsPoint/librarySession")
public class LibrarySessionBean implements LibrarySessionBeanLocal {
    
    List<String> bookShelf;    
    
    public LibrarySessionBean() {
       bookShelf = new ArrayList<String>();
    }
    
    public void addBook(String bookName) {
       bookShelf.add(bookName);
    }    
 
    public List<String> getBooks() {
        return bookShelf;
    }
}

LibrarySessionBeanLocal

package com.tutorialspoint.stateless;
 
import java.util.List;
import javax.ejb.Local;
 
@Local
public interface LibrarySessionBeanLocal {
 
    void addBook(String bookName);
 
    List<String> getBooks();
    
}

Build the project, deploy the application on JBoss, and verify the following output in the JBoss console −

...
16:30:02,723 INFO  [SessionSpecContainer] Starting jboss.j2ee:jar=EjbComponent.jar,name=LibrarySessionBean,service=EJB3
16:30:02,723 INFO  [EJBContainer] STARTED EJB: com.tutorialspoint.stateless.LibrarySessionBean ejbName: LibrarySessionBean
16:30:02,731 INFO  [JndiSessionRegistrarBase] Binding the following Entries in Global JNDI:

   tutorialsPoint/librarySession - EJB3.x Default Local Business Interface
   tutorialsPoint/librarySession-com.tutorialspoint.stateless.LibrarySessionBeanLocal - EJB3.x Local Business Interface
