This week's book giveaway is in the Cloud/Virtualization forum.
We're giving away four copies of Learning OpenStack Networking: Build a solid foundation in virtual networking technologies for OpenStack-based clouds and have James Denton on-line!
See this thread for details.
Win a copy of Learning OpenStack Networking: Build a solid foundation in virtual networking technologies for OpenStack-based clouds this week in the Cloud/Virtualization forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Liutauras Vilda
  • Campbell Ritchie
  • Tim Cooke
  • Bear Bibeault
  • Devaka Cooray
Sheriffs:
  • Jeanne Boyarsky
  • Knute Snortum
  • Junilu Lacar
Saloon Keepers:
  • Tim Moores
  • Ganesh Patekar
  • Stephan van Hulst
  • Pete Letkeman
  • Carey Brown
Bartenders:
  • Tim Holloway
  • Ron McLeod
  • Vijitha Kumara

Security question: @RolesAllowed  RSS feed

 
Ranch Hand
Posts: 210
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Is it correct to say that:

@DeclareRoles maps to the security-role-ref element of the deployment descriptor.
If you use the role 'super_user' in your bean, you annotate it with the @DeclareRoles("super_user")
Next, you use the isCallerInRole("super_user").
However, if the actual role is admin, but not super_user, you can use the role-link to link "super_user" to "admin".
This way isCallerInRole("super_user") will return true if the actual role is "admin".

Now, this is in contrast with the @RolesAllowed annotation, since, if I'm correct, mapps directly the the "security-role".
So, if I would have annotated my bean method as : @RolesAllowed("super_user") there is no way to map it to "admin", right ?



^^ I will never be able to execute 'myMethod' with role 'admin' since the RolesAllowed asks for a "super_user" role.

The only way I see to "fix" this is to create another role in the deployment descriptor "admin" and give specific method permissions:



This way the descriptor overrides the @RolesAllowed for the "myMethod", also allowing the "admin" role to access the method.
Does this make any sense ?
 
Ranch Hand
Posts: 856
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
it seems you are correct.
 
It is sorta covered in the JavaRanch Style Guide.
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!