Specifying Security

 

The EJB container provides a set of security mechanisms for authorization and management of the enterprise beans deployed on the SAP AS Java. This includes defining security roles, access to methods, security role references, and specific security options.

The security roles are logical roles that represent a type of user that should have specific access rights to the application such as Administrator or Guest.

You have to map the user groups and/or user accounts in the operational environment to the security roles.

More information: Securing a Java Application

Procedure

Defining Security Roles

To define security roles for your EJB application, you annotate the bean class with the @DeclareRoles annotation. With this annotation you also create a reference to these security roles.

You can also create security roles using the @RolesAllowed annotation.

To specify the method permission, you annotate the bean class, the business method of the bean class or both with the @RolesAllowed, @PermitAll or @DenyAll annotations. If you use these annotations on both method and class, the method specification overrides the class specification.

The value of the @RolesAllowed annotation is a list of security role names that have to be mapped to the security roles permitted to execute the specified method(s).

The @PermitAll annotation allows all security roles to execute the specified method, while the @DenyAll annotation specifies that no security roles are permitted to execute the specified method.


In the following example, the security role Administrator is declared. The user who has the permissions of an Administrator has full access to the salaries of all employees in the company.

    import java.math.BigDecimal;
    import javax.annotation.security.RolesAllowed;
    import javax.ejb.Stateless;

    @Stateless
    @RolesAllowed("Administrator")
    public class EmployeeServicesFacadeBean implements EmployeeServicesFacadeLocal {
       public BigDecimal getSalary(String employeeName) {
          // Source code for getting the salary of the employee
          // ......

       }
    }

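The precedence rules described above, shown on a single bean. This is an added example, not SAP's code: PayrollLocal, PayrollBean, the Manager and Auditor roles and all method names are hypothetical, and the two types go in separate source files.

```java
// --- PayrollLocal.java (hypothetical business interface) ---
import java.math.BigDecimal;
import javax.ejb.Local;

@Local
public interface PayrollLocal {
   BigDecimal getSalary(String employeeName);
   void approveLeave(String employeeName);
   String getCompanyName();
   void purgeRecords();
}

// --- PayrollBean.java ---
import java.math.BigDecimal;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles("Auditor")         // tested only in code, so it is declared here
@RolesAllowed("Administrator")   // class-level default for all business methods
public class PayrollBean implements PayrollLocal {
   @Resource
   private SessionContext context;

   // No method-level annotation: the class-level value applies (Administrator only).
   public BigDecimal getSalary(String employeeName) {
      return BigDecimal.ZERO;    // placeholder for the real lookup
   }

   @RolesAllowed("Manager")      // replaces the class-level value: Manager only
   public void approveLeave(String employeeName) { }

   @PermitAll                    // overrides the class-level value: every role
   public String getCompanyName() {
      // Programmatic check against the role declared with @DeclareRoles.
      return context.isCallerInRole("Auditor") ? "Example Corp (audit view)" : "Example Corp";
   }

   @DenyAll                      // no role may call this, Administrator included
   public void purgeRecords() { }
}
```

Because the method-level list replaces the class-level one, an Administrator cannot call approveLeave() unless Administrator is also listed on that method.
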
Mapping Security Roles

To map the security roles defined for the application to server security roles, you use only the ejb-j2ee-engine.xml. By default there is no mapping.

  1. Open the ejb-j2ee-engine.xml.

  2. Set the mapping using the <security-permission> tag. The following code shows the resulting mapping of the carCustomer application security role to the guests server security role.

      <security-permission>
         <security-role-map>
            <role-name>carCustomer</role-name>
            <server-role-name>guests</server-role-name>
         </security-role-map>
      </security-permission>


More information: Authorizations

Specifying Security Identity

When a remote client logs into the EJB system, it is associated with a security identity for the duration of that session. Once a remote client application has been associated with a security identity, it is ready to use beans. When a client invokes a method on a bean, the EJB server implicitly passes the client's identity with the method invocation. When the EJB object receives the method invocation, it checks the identity to ensure that the client is valid and is allowed to invoke that method.

To specify the security identity, you use the @RunAs annotation.

We recommend using security roles because you do not need to specify the identities in the source code of your beans. This is necessary when you develop beans for deployment in a wide variety of security environments because each environment has its own list of identities. In this way, you can also modify access control without recompiling your bean code.

In the following example, an employee wants to see his or her own salary, which requires special Administrator permissions. The @RunAs("Administrator") annotation grants these permissions only for the information that concerns the employee; the employee does not have access to the information about the salaries of colleagues.

    import java.math.BigDecimal;
    import java.security.Principal;
    import javax.annotation.Resource;
    import javax.annotation.security.RunAs;
    import javax.ejb.EJB;
    import javax.ejb.EJBContext;
    import javax.ejb.Stateless;

    @Stateless
    @RunAs("Administrator")
    public class EmployeeInfoBean implements EmployeeInfoLocal {
       @Resource
       private EJBContext context;

       @EJB
       private EmployeeServicesFacadeLocal empServices;

       public BigDecimal getSalary() {
          Principal callerPrincipal = context.getCallerPrincipal();
          String user = callerPrincipal.getName();
          return empServices.getSalary(user);
       }
    }

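Why the example above takes the employee name from getCallerPrincipal() rather than from a method parameter, shown as an added contrast that is not part of the original documentation. SalaryLookupLocal and both bean classes are hypothetical, EmployeeServicesFacadeLocal is the facade interface from the page, and each type goes in its own source file.

```java
// Imports shared by the three source files shown below.
import java.math.BigDecimal;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.EJBContext;
import javax.ejb.Stateless;

// --- SalaryLookupLocal.java (hypothetical business interface) ---
public interface SalaryLookupLocal {
   BigDecimal getSalary(String employeeName);
}

// --- OpenSalaryLookupBean.java: variant to avoid ---
// The caller chooses whose salary is read. The facade's @RolesAllowed check
// sees the run-as role, so it passes for every caller and every name.
@Stateless
@RunAs("Administrator")
public class OpenSalaryLookupBean implements SalaryLookupLocal {
   @EJB
   private EmployeeServicesFacadeLocal empServices;   // facade from the page

   public BigDecimal getSalary(String employeeName) {
      return empServices.getSalary(employeeName);
   }
}

// --- CheckedSalaryLookupBean.java: checks the caller before using run-as ---
@Stateless
@DeclareRoles("Administrator")
@RunAs("Administrator")
public class CheckedSalaryLookupBean implements SalaryLookupLocal {
   @Resource
   private EJBContext context;
   @EJB
   private EmployeeServicesFacadeLocal empServices;

   public BigDecimal getSalary(String employeeName) {
      // getCallerPrincipal() and isCallerInRole() describe the real caller,
      // not the run-as role.
      String caller = context.getCallerPrincipal().getName();
      if (!caller.equals(employeeName) && !context.isCallerInRole("Administrator")) {
         throw new EJBAccessException("caller may not read this salary");
      }
      return empServices.getSalary(employeeName);
   }
}
```
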
Annotation Reference

@DeclareRoles

  Use: Use it to declare the security roles that you use in the bean.

  Target: TYPE

  Annotation attribute: value

@RolesAllowed

  Use: Specifies the security roles that are allowed to invoke the methods of the bean. You can specify it on the bean class and/or on methods of the class that are methods of the business interface:

  • On the bean class, it applies to all applicable interface methods of the class.

  • On a method, it applies to that method only.

  • If you apply the annotation at both class and method level, the method-level value takes priority (if the two disagree).

    If you apply the @PermitAll annotation to the bean class and @RolesAllowed to an individual method, @RolesAllowed takes priority for the given method.

  Target: METHOD, TYPE

  Annotation attribute: value - this is a list of security role names.

@PermitAll

  Use: Use it to allow all security roles to call one or more methods.

  You can specify @PermitAll on the bean class and/or on the business methods of the class.

  • On the bean class, it applies to all applicable business methods of the class.

  • On a method, it applies to that method only, overriding any class-level annotations.

  Target: METHOD, TYPE

@DenyAll

  Use: It is the opposite of @PermitAll. Specifies that a particular method may not be invoked at all.

  Target: METHOD

@RunAs

  Use: Use it to set the bean's run-as property. You can apply this annotation only to the bean class.

  Target: TYPE

  Annotation attribute: value - this is the name of a security role.