Declarative Authorisation (@RolesAllowed) question

 
Ashley Lester
Greenhorn
Posts: 19
If I annotate a business method or EJB with @RolesAllowed, I can restrict operations to only authorised users.

Where does Java EE look in order to test whether a user is in a particular role? Is it something I have to configure on the server?

For example, in my database I have a 'user' table with a 'role' attribute; the enumerated types in the 'role' attribute are 'user' and 'administrator'.

What can I use as a strategy to make sure that only users with an 'administrator' attribute are allowed access to certain business methods?
 
Eric Jendrock
Author
Greenhorn
Posts: 6
You do need to create the user on the server and then map that user to a role on the server. The way to do this varies from application server to application server.
 
Rob Spoor
Sheriff
Posts: 20893
JBoss for instance uses javax.security.auth.spi.LoginModule implementations for providing Subjects with the caller principal (currently logged in user) and groups (roles). It has out-of-the-box implementations for reading the credentials and roles from configuration files or a database. Creating your own LoginModule implementations isn't that hard.

Other containers like WebLogic or GlassFish (may) have different mechanisms and/or configuration. You should always read the documentation for your specific container.
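Putting the two answers together, here is an added illustration (not code from any poster in this thread) of what the application side looks like once the container has mapped the caller to the question's 'user' and 'administrator' roles. The bean, its method names and the security-domain name are assumptions; the mapping of those role names to the database 'role' attribute is done in the container's security configuration, not in this code.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Logical role names used by the annotations below. The container resolves them
// against the groups/roles the LoginModule (or the server's user/role store)
// attached to the caller's Subject; this code never reads the 'user' table itself.
@DeclareRoles({"user", "administrator"})
@Stateless
// JBoss-specific (assumed domain name): @org.jboss.ejb3.annotation.SecurityDomain("app-domain")
// would bind this bean to the security domain whose LoginModules load the roles.
@DenyAll // default for every method that carries no annotation of its own
public class AccountService {

    @Resource
    private SessionContext ctx;

    @RolesAllowed({"user", "administrator"})
    public String viewOwnAccount() {
        // The caller principal is whatever the LoginModule authenticated.
        return "account of " + ctx.getCallerPrincipal().getName();
    }

    @RolesAllowed("administrator")
    public void closeAccount(String accountId) {
        // Callers without the 'administrator' role never reach this line: the
        // container rejects the call with EJBAccessException before invocation.
    }

    @RolesAllowed({"user", "administrator"})
    public void adjustBalance(String accountId, long deltaCents) {
        // @RolesAllowed is all-or-nothing per method. A rule that depends on the
        // arguments needs a programmatic check, using the same declared role names.
        if (deltaCents < 0 && !ctx.isCallerInRole("administrator")) {
            throw new EJBAccessException("only administrators may debit an account");
        }
        // ... persist the change
    }
}
```

The class-level @DenyAll matters: without it (or a class-level @RolesAllowed) any method you forget to annotate is callable by every authenticated caller, so a missing annotation fails open instead of closed.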
 