• Post Reply Bookmark Topic Watch Topic
  • New Topic

Query:About RolesAllowed annotation  RSS feed

Amit Suresh Pawar
Ranch Hand
Posts: 30
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi All,

Consider the example :

1. @DeclareRoles("BIDDER", "CSR", "ADMIN")
2. @Stateless
3. public class BidManagerBean implements BidManager {
4. @RolesAllowed("CSR, ADMIN")
5. public void cancelBid(Bid bid, Item item) {...}

I have some doubts like:

a) What do you mean by @DeclareRoles("BIDDER", "CSR", "ADMIN") annotation?
Is it means that these roles have created for the BidManagerBean bean and we can use these roles anywhere....
b) In order to use these roles defined as @DeclareRoles("BIDDER", "CSR", "ADMIN") , is it required to define these roles somewhere(in Deployment Descriptor)?
c) What is a relation between @DeclareRoles and isCallerInRole() method?
d) I read one statement that: if there are no roles defined in deployment descriptor then contaner will gather the roles by scanning @RolesAllowed annotation?
e) Which part of deployment descriptor (Security relared tags),we can compare to @DeclareRoles annotation ?

I'm rambling in wrong direction...

Please help me

Duran Harris
Ranch Hand
Posts: 608
Eclipse IDE Spring Ubuntu
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Alexey Saenko gave me this answer to the same question:
The @DeclareRoles annotation specifies all roles which are used in the given class (or method). Also it is possible to specify the roles list in DD. In case there is no specified roles neither in DD nor with @DeclareRoles annotations, the container builds the list automatically by inspecting the @RolesAllowed annotation.

The actual role that a bean is using is determined by the Principal of the client that called it.A Principal is created once authentication and authorisation has occurred in either the Web or EJB container.

It goes something like this:

-A user goes to 'http://www.ActionBazaar.com/mainLogin.jsp'
-They are asked for a username and password
-Authentication against an LDAP system(basically a list of users,passwords etc)
-The succesfully logged in user will be mapped to certain groups ie.Marketing,Technical,Sales
-The groups will be mapped to specific roles ie. Bidder,Seller,Administrator
-The mapping of groups to roles can be in the web.xml(if the authentication is in the web container) and if the authentication occurs in the EJB container then I think the mapping is in a container-specific file.
-When the user tries to access a web-resource ie. http://www.ActionBazaar.com/DeleteBidder, the web container checks the web-xml to see if access to that URL is allowed FOR that role.
-The container checks the Principal object which contains information about the logged in user's role
-It sees that this user has a role of administrator...it then uses a container specific file to figure out what group that role is mapped to:
it is mapped to 'System Administrator'.
-In the web.xml :the URL http://www.ActionBazaar.com/DeleteBidder.jsp is only allowed to be accessed by the role:System Administrator.
-Since that is the role we are using we can visit the page.
-On the page there is a 'Delete Bidder' button.
-When we click it it calls the DeleteBidBean,
-The DeleteBidBean has the following annotations at the class level;
@DeclareRoles("System Administrator")
@RolesAllowed("System Administrator")

The declare roles annotation specifies all the roles the bean might use across all it's methods.
The @RolesAllowed specifies that only "System Administrator" roles can using any methods in this class(because it's annotation is declared at class level),annotations can also be at the method level though.
-The bean is called from the DeleteBiddder.jsp,but since the web-container already authenticated the user the 'Principal' is still available to the EJB container(the web container passes the principal to the ejb container).
-The ejb container checks the Principal to see if the role of the Principal matches one of the roles in the @RolesAllowed.
Note:This is the same as us checking programatically by calling EJBContext.isUserInRole("System Administrator")
The user's Prinicpal has a role of "System Administrator" so the container invokes the bean's method!!

Consider Paul's rocket mass heater.
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!