bea.com | products | dev2dev | support | askBEA |
|
e-docs > WebLogic Server > Programming WebLogic Security > Securing EJB Applications |
Programming WebLogic Security |
You can use deployment descriptors and the Administration Console to secure EJBs just as you can with Web applications. See Securing Web Applications (Thin Clients)" on page 1 for a information on securing Web applications.
This section presents the following topics:
Adding Declarative Security to EJBs
To implement declarative security in EJBs you use deployment descriptors (ejb-jar.xml and weblogic-ejb-jar.xml) to define the security requirements. Listing 4-1 shows examples of how to use the ejb-jar.xml and weblogic-ejb-jar.xml deployment descriptors to map security role names to a security realm. The deployment descriptors map the application's logical security requirements to its runtime definitions. And at runtime, the EJB container uses the security definitions to enforce the requirements.
To configure a security in the EJB deployment descriptors, perform the following steps (see Listing 4-1):
For more information on configuring security in the ejb-jar.xml file, see the Sun Microsystems Enterprise JavaBeans Specification, Version 2.0 which is at this location on the Internet: http://java.sun.com/products/ejb/docs.html.
Listing 4-1 Using the ejb-jar.xml and weblogic-ejb-jar.xml Files to Map Security Role Names to a Security Realm
ejb-jar.xml entries:
...
<assembly-descriptor>
<security-role>
<role-name>manger</role-name>
<role-name>east</role-name>
</security-role>
<method-permission>
<role-name>manager</role-name>
<role-name>east</role-name>
<method>
<ejb-name>accountsPayable</ejb-name>
<method-name>getReceipts</method-name>
</method>
</method-permission>
...
</assembly-descriptor>
...
weblogic-ejb-jar.xml entries:
<security-role-assignment>
<role-name>manager</role-name>
<principal-name>al</principal-name>
<principal-name>george</principal-name>
<principal-name>ralph</principal-name>
</security-role-assignment>
...
Using the <global-role/> Tag With EJBs
With WebLogic Server versions 7.0 SP1 and later, there are four different options, or approaches, that you can use to configure security in EJBs:
Thus, the <global-role/> tag gives you the flexibility of not having to specify a specific role mapping for each role defined in the deployment descriptors for a particular EJB. Rather, you can use the Administration Console to specify and modify a specific role mapping for each defined role at anytime. Additionally, because you may elect to use this tag on some EJBs and not others, it is not necessary to check the Ignore Security Data In Deployment Descriptors attribute on the General tab of the security realm. Thus, within the same security realm, deployment descriptors can be used to specify and modify security for some EJBs, while the Administration Console can be used to specify and modify security for others.
Listing 4-2 shows how to use the <global-role/> tag with the ejb-jar.xml and weblogic-ejb-jar.xml deployment descriptors.
Listing 4-2 Using the <global-role> tag in EJB Deployment Descriptors for Role Mapping
ejb-jar.xml entries:
...
<assembly-descriptor>
<security-role>
<role-name>manger</role-name>
<role-name>east</role-name>
</security-role>
<method-permission>
<role-name>manager</role-name>
<role-name>east</role-name>
<method>
<ejb-name>accountsPayable</ejb-name>
<method-name>getReceipts</method-name>
</method>
</method-permission>
...
</assembly-descriptor>
...
weblogic-ejb-jar.xml entries:
<security-role-assignment>
<role-name>manager</role-name>
<global-role/>
...
</security-role-assignment>
...
For information about how to use the Administration Console to configure security for EJBs, See Managing WebLogic Security.
Adding Programmatic Security to EJBs
To implement programmatic security in EJBs you use the javax.ejb.EJBContext.getCallerPrincipal() and the javax.ejb.EJBContext.isCallerInRole() methods.
You use the getCallerPrincipal() method to determine the caller of the enterprise java bean. The javax.ejb.EJBContext.getCallerPrincipal() method obtains the java.security.principal and returns the Principal object that identifies the caller. You can use the java.lang.Class.getName() method to retrieve the current user's name and then do a lookup to determine whether the user has the privileges needed to access the resource.
For more information about how to use the getCallerPrincipal() method, see http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/Security5.html.
The isCallerInRole() method is used to determine if the caller (the current user) has been assigned a Role that is authorized to perform actions on the WebLogic Server resources in that thread of execution. For example, the method javax.ejb.EJBContext.isCallerInRole("admin")will return true if the current user has admin privileges.
For more information about how to use the isCallerInRole() method, see http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/Security5.html.
For Javadoc for the isCallerInRole() method, see http://java.sun.com/products/ejb/javadoc-1.1/javax/ejb/EJBContext.html#isCallerInRole(java.lang.String).