
Configuring Security Roles Using Annotations in Web Applications

Use

There are two annotations for configuring security settings:

      @DeclareRoles

This annotation declares the security roles defined by the application.

      @RunAs

This annotation maps the application’s security role to an existing security role.

Procedure

Using the @DeclareRoles Annotation

Use this annotation at class level, passing the role name as an attribute.

Example

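import java.io.IOException;
import java.io.PrintWriter;
import javax.annotation.security.DeclareRoles;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Declares the "Customer" role for this web application
@DeclareRoles("Customer")
public class CustomerServlet extends HttpServlet {

   //…

   public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
      PrintWriter out = resp.getWriter();
      //…
      out.println("@DeclareRoles Test : ");
      // true only if the authenticated caller is mapped to the Customer role
      out.println("isUserInRole Customer = " + req.isUserInRole("Customer"));
      //…
   }
}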

The @DeclareRoles("Customer") statement would be equivalent to defining the following security role in the web.xml deployment descriptor.

<web-app>
  <security-role>
    <role-name>Customer</role-name>
  </security-role>
</web-app>

Using the @RunAs Annotation

Use this annotation at class level, passing the role name as an attribute.

Example

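import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@RunAs("Customer")
public class RunAs_servlet extends HttpServlet {

   // @EJB injection applies to fields (or setter methods), not local variables
   @EJB
   ShopingCart customerCart;

   //…

   public void doGet(HttpServletRequest req, HttpServletResponse resp) {
      //....
      // The call to the enterprise bean is made under the Customer role
      customerCart.getTotal();
   }
}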

 

The @RunAs("Customer") statement would be equivalent to defining the following run-as security role for the servlet in the web.xml deployment descriptor.

<web-app>
  <servlet>
    <servlet-name>RunAs_servlet</servlet-name>
    <run-as>
      <role-name>Customer</role-name>
    </run-as>
  </servlet>
</web-app>
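As an added example (not part of the SAP documentation), the following Python script reads a web.xml descriptor, lists the roles declared through security-role and the run-as role of each servlet, and reports run-as roles that have no matching declaration so they can be reviewed. The sample descriptor, the Report_servlet entry and the Auditor role are constructed for illustration; roles set only through annotations are not visible to this check.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the original page): one declared
# role, one servlet whose run-as role is declared and one whose role is not.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-role><role-name>Customer</role-name></security-role>
  <servlet>
    <servlet-name>RunAs_servlet</servlet-name>
    <run-as><role-name>Customer</role-name></run-as>
  </servlet>
  <servlet>
    <servlet-name>Report_servlet</servlet-name>
    <run-as><role-name>Auditor</role-name></run-as>
  </servlet>
</web-app>"""


def _local(tag):
    """Strip an XML namespace prefix such as '{http://...}servlet'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else None


def audit_roles(web_xml):
    """Return (declared_roles, run_as_by_servlet, undeclared_run_as)."""
    root = ET.fromstring(web_xml)
    declared = {_text(sr, "role-name") for sr in _children(root, "security-role")}
    declared.discard(None)
    run_as = {}
    for servlet in _children(root, "servlet"):
        for ra in _children(servlet, "run-as"):
            run_as[_text(servlet, "servlet-name")] = _text(ra, "role-name")
    # A run-as role without a security-role entry is flagged for review.
    undeclared = {s: r for s, r in run_as.items() if r not in declared}
    return declared, run_as, undeclared


if __name__ == "__main__":
    declared, run_as, undeclared = audit_roles(SAMPLE_WEB_XML)
    print("declared roles:", sorted(declared))
    for servlet, role in sorted(run_as.items()):
        status = "UNDECLARED" if servlet in undeclared else "ok"
        print(f"{servlet} runs as {role!r}: {status}")
```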

 
