
Question regarding EJB Security

 
saqib rashids
Greenhorn
Posts: 6
I have a question regarding EJB Security: If the @DenyAll notification is applied at class level and @RolesAllowed("xyz") is applied at a method methodA, will a caller in role "xyz" be allowed to call methodA? In other words, will @RolesAllowed on method level override @DenyAll at bean class level?

Similarly for @PermitAll: If @PermitAll is applied at class level and @RolesAllowed is applied at method level, will all clients be able to call that certain method, or only those in the role specified in @RolesAllowed?

Thanks in advance !!!
 
Frits Walraven
Creator of Enthuware JWS+ V6
Saloon Keeper
Posts: 2920
Hi Saqib,

The answer is found in the EJB specs:
Specifying the RolesAllowed or PermitAll or DenyAll annotation on the bean class means that it applies to all applicable business methods of the class.
Method permissions may be specified on a method of the bean class to override the method permissions value specified on the bean class.

In other words: the method level permissions always override the class level permissions (and permissions specified in the deployment descriptor always override any values specified in annotations).

Regards,
Frits
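
The override rule from the answer above, as an added example that is not part of the original thread and is not container code: a reflection-based resolver that reports the effective permission for each method in the two cases asked about. The names `MethodPermissionDemo`, `LockedBean`, `OpenBean`, `own` and `effective` are hypothetical, plain nested classes stand in for bean classes, and the `javax.annotation.security` annotations are assumed to be on the classpath; the deployment-descriptor override is not modelled.

```java
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.util.Arrays;

// Illustration only: hypothetical classes, not how any EJB container is implemented.
public class MethodPermissionDemo {

    @DenyAll // class-level default: no caller may invoke the business methods
    static class LockedBean {
        @RolesAllowed("xyz") // method-level value overrides the class-level @DenyAll
        public void methodA() {}
        public void methodB() {} // no own annotation: inherits @DenyAll
    }

    @PermitAll // class-level default: every caller may invoke
    static class OpenBean {
        @RolesAllowed("xyz") // narrows this one method to callers in role "xyz"
        public void methodA() {}
        public void methodB() {} // no own annotation: inherits @PermitAll
    }

    // Security annotation found directly on the element, or null if there is none.
    static String own(AnnotatedElement e) {
        if (e.isAnnotationPresent(DenyAll.class)) return "DenyAll";
        if (e.isAnnotationPresent(PermitAll.class)) return "PermitAll";
        RolesAllowed r = e.getAnnotation(RolesAllowed.class);
        return r == null ? null : "RolesAllowed" + Arrays.toString(r.value());
    }

    // The method-level annotation wins; otherwise fall back to the class-level one.
    static String effective(Method m) {
        String onMethod = own(m);
        if (onMethod != null) return onMethod;
        String onClass = own(m.getDeclaringClass());
        return onClass != null ? onClass : "unspecified";
    }

    public static void main(String[] args) throws Exception {
        for (Class<?> c : new Class<?>[] {LockedBean.class, OpenBean.class}) {
            for (String name : new String[] {"methodA", "methodB"}) {
                System.out.println(c.getSimpleName() + "." + name + " -> "
                        + effective(c.getMethod(name)));
            }
        }
    }
}
```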
 