Specifying Permissions for Method Invocations

Use this procedure to specify the methods of the beans' home and component interfaces, which the security roles are allowed or disallowed to invoke. These permissions are specified in ejb-jar.xml.

The methods are created in the bean's component and/or home interfaces .

The security roles are defined .

Setting Method Permissions

1. 1.      Open the ejb-jar.xml.
2. 2.      From the right-hand pane, choose the Assembly tab.
3. 3.      From the left-hand pane in the Assembly tab, select method-permission and choose add.

   A dialog box appears in which you can choose the methods to which you want to apply the permissions. If you choose a whole bean, the method permissions will be applied to all the bean methods.

   The selected methods appear as sub-nodes under a method-permission node.

4. 4.      Select the created method-permission sub-node.

   The properties of each method-permission sub-node are stored in a separate <method-permission> element in the deployment descriptor.

   1. a.      If you do not want the EJB Container to check the chosen methods for authorization prior to their invocation, select the Unchecked option (This option is selected by default.)
   2. b.      To specify the security roles that will be granted permission to invoke the chosen methods, deselect the Unchecked option and choose the security roles from the dialog box that appears.

      The security roles appear in the Role Names field. Each of the chosen security roles is allowed to invoke each of the listed methods.

   3. c.      To remove a security role from the list, select it and choose remove.
   4. d.      In the Description field, enter a description of the method-permission element.
5. 5.      To differentiate between methods with the same name and signature, but that are defined in different component and home interfaces (for example, defined both in the remote and home interfaces of the bean), you must specify the method interface:
   1. a.      Select the method from the tree structure in the Assembly tab.
   2. b.      Specify the interface in the Method intf field.

      The value of this field can be one of the following: Home , Remote , LocalHome , Local .

   3. c.      You can also enter an optional description of the method on this screen.

The following code excerpt shows an example of method permission settings.

<method-permission>
     <description>Specifies the method permissions for customers</description>
     <role-name>carCustomer</role-name>
     <method>
         <ejb-name>OrderBean</ejb-name>
         <method-intf>Remote</method-intf>
         <method-name>login</method-name>
         <method-params>
             <method-param>java.lang.String</method-param>
             <method-param>java.lang.String</method-param>
         </method-params>
     <method>
     <method>
         <ejb-name>OrderBean</ejb-name>
         <method-intf>Remote</method-intf>
         <method-name>makeOrder</method-name>
         <method-params>
             <method-param>int</method-param>
             <method-param>java.lang.String</method-param>
             <method-param>java.lang.String</method-param>
         </method-params>
     <method>
</method-permission>

Denying Access to Methods

You can specify a set of methods that cannot be called and, as a result, neither of these methods can be accessed.

1. 1.      Open the ejb-jar.xml.
2. 2.      From the right-hand pane, choose the Assembly tab.
3. 3.      From the left-hand pane in the Assembly tab, select Exclude-list and choose add.

   A dialog box appears in which you can choose the methods that you want to add to the list. If you choose a whole bean, all the bean's methods will be added to the list.

   The selected methods appear as sub-nodes under an exclude-list node.

4. 4.      Select the created exclude-list sub-node and enter a description of the list in the right-hand pane.
5. 5.      To differentiate between methods with the same name and signature, but that are defined in different component and home interfaces (for example, defined both in the remote and home interfaces of the bean), you must specify the method interface:
   1. a.      Select the method from the tree structure in the Assembly tab.
   2. b.      Specify the interface in the Method intf field.

      The value of this field can be one of the following: Home , Remote , LocalHome , Local .

   3. c.      You can also enter an optional description of the method on this screen.

The contents of the exclude-list sub-node is stored in the <exclude-list> element in the deployment descriptor:

<exclude-list>
   <description>Contains methods, which cannot be accessed.</description>
   <method>
      <description>This method removes all orders.</description>
      <ejb-name>OrderBean</ejb-name>
      <method-intf>Remote</method-intf>
      <method-name>deleteAll</method-name>
   </method>
</exclude-list>