Chapter 11.  Security Management

Match security behaviors to declarative security specifications (default behavior, security roles, security role references, and method permissions).

[Note]
  • [EJB_3.0_CORE] 17.2.5.3 ; 17.3.1 ; 17.3.2 ; 17.3.2.3 ; 17.3.3

  • Default Behavior

    If the Bean Provider and Application Assembler do not define security roles, the Deployer will have to define security roles at deployment time.

    Unspecified Method Permissions

    It is possible that some methods are NOT assigned to any security roles nor annotated as DenyAll or contained in the exclude-list element. In this case, the Deployer should assign method permissions for all of the unspecified methods, either by assigning them to security roles, or by marking them as unchecked.

    If the Deployer does not assigned method permissions to the unspecified methods, those methods MUST be treated by the container as unchecked.

  • Security Roles

    The Bean Provider or Application Assembler can define one or more security roles in the bean's metadata annotations or deployment descriptor. The Bean Provider or Application Assembler then assigns groups of methods of the enterprise beans' business, home, and component interfaces, and/or web service endpoints to the security roles to define the security view of the application.

    Because the Bean Provider and Application Assembler do not, in general, know the security environment of the operational environment, the security roles are meant to be logical roles (or actors), each representing a type of user that should have the same access rights to the application.

    The Deployer then assigns user groups and/or user accounts defined in the operational environment to the security roles defined by the Bean Provider and Application Assembler.

    Defining the security roles in the metadata annotations and/or deployment descriptor is optional. Their omission means that the Bean Provider and Application Assembler chose not to pass any security deployment related instructions to the Deployer.

    If Java language metadata annotations are used, the Bean Provider uses the DeclareRoles and RolesAllowed annotations to define the security roles. The set of security roles used by the application is taken to be the aggregation of the security roles defined by the security role names used in the DeclareRoles and RolesAllowed annotations. The Bean Provider may augment the set of security roles defined for the application by annotations in this way by means of the security-role deployment descriptor element.

    If the deployment descriptor is used, the The Bean Provider and/or Application Assembler uses the security-role deployment descriptor element as follows:

    • Define each security role using a security-role element.

    • Use the role-name element to define the name of the security role.

    • Optionally, use the description element to provide a description of a security role.

    The following example illustrates security roles definition in a deployment descriptor:

    
    <assembly-descriptor>
    	<security-role>
    		<description>
    			This role includes the employees of the
    			enterprise who are allowed to access the
    			employee self-service application. This role
    			is allowed only to access his/her own
    			information.
    		</description>
    		<role-name>employee</role-name>
    	</security-role>
    
    	<security-role>
    		<description>
    			This role includes the employees of the human
    			resources department. The role is allowed to
    			view and update all employee records.
    		</description>
    		<role-name>hr-department</role-name>
    	</security-role>
    
    	<security-role>
    		<description>
    			This role includes the employees of the payroll
    			department. The role is allowed to view and
    			update the payroll entry for any employee.
    		</description>
    		<role-name>payroll-department</role-name>
    	</security-role>
    	
    	<security-role>
    		<description>
    			This role should be assigned to the personnel
    			authorized to perform administrative functions
    			for the employee self-service application.
    			This role does not have direct access to
    			sensitive employee and payroll information.
    		</description>
    		<role-name>admin</role-name>
    	</security-role>
    </assembly-descriptor>
    
    								

  • Security Role References

    Declaration of Security Roles Referenced from the Bean's Code

    The Bean Provider is responsible for using the DeclareRoles annotation or the security-role-ref elements of the deployment descriptor to declare all the security role names used in the enterprise bean CODE. The DeclareRoles annotation is specified on a bean class, where it serves to declare roles that may be tested by calling isCallerInRole from within the methods of the annotated class. Declaring the security roles allows the Bean Provider, Application Assembler, or Deployer to link these security role names used in the code to the security roles defined for an assembled application. In the absence of this linking step, any security role name as used in the code will be assumed to correspond to a security role of the SAME name.

    The Bean Provider declares the security roles referenced in the code using the DeclareRoles metadata annotation. When declaring the name of a role used as a parameter to the isCallerInRole(String roleName) method, the declared name MUST be the same as the parameter value. The Bean Provider may optionally provide a description of the named security roles in the description element of the DeclareRoles annotation.

    In the following example, the DeclareRoles annotation is used to indicate that the enterprise bean AardvarkPayroll makes the security check using isCallerInRole("payroll") in its business method.

    								
    @DeclareRoles("payroll")
    @Stateless public class PayrollBean implements Payroll {
    	
    	@Resource SessionContext ctx;
    
    	public void updateEmployeeInfo(EmplInfo info) {
    	
    		oldInfo = ... read from database;
    
    		// The salary field can be changed only by callers
    		// who have the security role "payroll"
    		if (info.salary != oldInfo.salary && !ctx.isCallerInRole("payroll")) {
    			throw new SecurityException(...);
    		}
    		...
    	}
    	...
    }
    
    								

    If the DeclareRoles annotation is not used, the Bean Provider MUST use the security-role-ref elements of the deployment descriptor to declare the security roles referenced in the code. The security-role-ref elements are defined as follows:

    • Declare the name of the security role using the role-name element. The name MUST be the security role name that is used as a parameter to the isCallerInRole(String roleName) method.

    • Optionally provide a description of the security role in the description element.

    The following example illustrates how an enterprise bean's references to security roles are declared in the deployment descriptor.

    
    <enterprise-beans>
    	...
    	<session>
    		<ejb-name>AardvarkPayroll</ejb-name>
    		<ejb-class>com.aardvark.payroll.PayrollBean</ejb-class>
    		...
    		<security-role-ref>
    			<description>
    				This security role should be assigned to the
    				employees of the payroll department who are
    				allowed to update employees' salaries.
    			</description>
    			<role-name>payroll</role-name>
    		</security-role-ref>
    		...
    	</session>
    	...
    </enterprise-beans>
    
    								

    The deployment descriptor above indicates that the enterprise bean AardvarkPayroll makes the security check using isCallerInRole("payroll") in its business method.

    A security role reference, including the name defined by the reference, is scoped to the COMPONENT whose bean class contains the DeclareRoles metadata annotation or whose deployment descriptor element contains the security-role-ref deployment descriptor element.

    The Bean Provider (or Application Assembler) may also use the security-role-ref elements for those references that were declared in annotations and which the Bean Provider wishes to have linked to a security-role whose name differs from the reference value. If a security role reference is NOT linked to a security role in this way, the container MUST map the reference name to the security role of the SAME name.

    Linking Security Role References to Security Roles

    The security role references used in the COMPONENTS of the application are linked to the security roles defined for the APPLICATION. In the absence of any explicit linking, a security role reference will be linked to a security role having the SAME name.

    The Application Assembler may explicitly link all the security role references declared in the DeclareRoles annotation or security-role-ref elements for a component to the security roles defined by the use of annotations and/or in the security-role elements.

    The Application Assembler links each security role reference to a security role using the role-link element. The value of the role-link element MUST be the name of one of the security ROLES defined in a security-role element or by means of the DeclareRoles annotations or RolesAllowed annotations, but need not be specified when the role-name used in the code is the same as the name of the security-role (to be linked).

    The following deployment descriptor example shows how to link the security role reference named payroll to the security role named payroll-department:

    
    <enterprise-beans>
    	...
    	<session>
    		<ejb-name>AardvarkPayroll</ejb-name>
    		<ejb-class>com.aardvark.payroll.PayrollBean</ejb-class>
    		...
    		<security-role-ref>
    			<description>
    				This role should be assigned to the
    				employees of the payroll department.
    				Members of this role have access to
    				anyone's payroll record.
    				The role has been linked to the
    				payroll-department role.
    			</description>
    			<role-name>payroll</role-name>
    			<role-link>payroll-department</role-link>
    		</security-role-ref>
    		...
    	</session>
    	...
    </enterprise-beans>
    
    								

  • Method Permissions

    If the Bean Provider and/or Application Assembler have defined security roles for the enterprise beans in the ejb-jar file, they can also specify the methods of the business, home, and component interfaces, and/or web service endpoints that each security role is allowed to invoke.

    Metadata annotations and/or the deployment descriptor can be used for this purpose.

    Method permissions are defined as a binary relation from the set of security roles to the set of methods of the business interfaces, home interfaces, component interfaces, and/or web service endpoints of session and entity beans, including all their superinterfaces (including the methods of the EJBHome and EJBObject interfaces and/or EJBLocalHome and EJBLocalObject interfaces). The method permissions relation includes the pair (R, M) if and only if the security role R is allowed to invoke the method M.

Professional hosting     Belorussian informational portal         Free SCWCD 1.4 Study Guide     Free SCDJWS 1.4 Study Guide     SCDJWS 1.4 Quiz     Free IBM Certified Associate Developer Study Guide     IBM Test 000-287. Enterprise Application Development with IBM WebSphere Studio, V5.0 Study Guide     Free Mock Exam Engine