The Java EE 6 Tutorial

Example: Securing an Enterprise Bean with Programmatic Security

This example demonstrates how to use the getCallerPrincipal and isCallerInRole methods with an enterprise bean. This example starts with a very simple EJB application, converter, and modifies the methods of the ConverterBean so that currency conversion will occur only when the requester is in the role of TutorialUser.

The completed version of this example can be found in the directory tut-install/examples/security/converter-secure. This example is based on the unsecured enterprise bean application, converter, which is discussed in Chapter 15, Getting Started with Enterprise Beans and is found in the directory tut-install/examples/ejb/converter/. This section builds on the example by adding the necessary elements to secure the application by using the getCallerPrincipal and isCallerInRole methods, which are discussed in more detail in Accessing an Enterprise Bean Caller’s Security Context.

    In general, the following steps are necessary when using the getCallerPrincipal and isCallerInRole methods with an enterprise bean. In the example application included with this tutorial, many of these steps have been completed for you and are listed here simply to show what needs to be done should you wish to create a similar application.

  1. Create a simple enterprise bean application.

  2. Set up a user on the GlassFish Server in the file realm, in the group TutorialUser, and set up default principal to role mapping. To do this, follow the steps in To Set Up Your System for Running the Security Examples.

  3. Modify the bean to add the getCallerPrincipal and isCallerInRole methods.

  4. If the application contains a web client that is a servlet, specify security for the servlet, as described in Specifying Security for Basic Authentication Using Annotations.

  5. Build, package, deploy, and run the application.

Modifying ConverterBean

The source code for the original ConverterBean class was modified to add the if..else clause that tests whether the caller is in the role of TutorialUser. . If the user is in the correct role, the currency conversion is computed and displayed. If the user is not in the correct role, the computation is not performed, and the application displays the result as 0. The code example can be found in the following file:

tut-install/examples/ejb/converter-secure/converter-secure-ejb/src/java/
converter/ejb/ConverterBean.java

The code snippet (with modifications shown in bold) is as follows:

package converter.ejb;

import java.math.BigDecimal;
import javax.ejb.Stateless;
import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;

@Stateless()
@DeclareRoles("TutorialUser")
public class ConverterBean{

    @Resource SessionContext ctx;
    private BigDecimal yenRate = new BigDecimal("89.5094");
    private BigDecimal euroRate = new BigDecimal("0.0081");

    @RolesAllowed("TutorialUser")
     public BigDecimal dollarToYen(BigDecimal dollars) {
        BigDecimal result = new BigDecimal("0.0");
        Principal callerPrincipal = ctx.getCallerPrincipal();
        if (ctx.isCallerInRole("TutorialUser")) {
            result = dollars.multiply(yenRate);
            return result.setScale(2, BigDecimal.ROUND_UP);
        } else {
            return result.setScale(2, BigDecimal.ROUND_UP);
        }
    }

    @RolesAllowed("TutorialUser")
    public BigDecimal yenToEuro(BigDecimal yen) {
        BigDecimal result = new BigDecimal("0.0");
        Principal callerPrincipal = ctx.getCallerPrincipal();
        if (ctx.isCallerInRole("TutorialUser")) {
             result = yen.multiply(euroRate);
             return result.setScale(2, BigDecimal.ROUND_UP);
        } else {
             return result.setScale(2, BigDecimal.ROUND_UP);
        }
    }
}

Modifying ConverterServlet

The following annotations specify security for the converter web client, ConverterServlet:

@WebServlet(name = "ConverterServlet", urlPatterns = {"/"})
@ServletSecurity(
@HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL,
    rolesAllowed = {"TutorialUser"}))

ProcedureTo Build, Package, and Deploy the Secure Converter Example Using NetBeans IDE

  1. Follow the steps in To Set Up Your System for Running the Security Examples.

  2. In NetBeans IDE, select File->Open Project.

  3. In the Open Project dialog, navigate to:


    tut-install/examples/security/
    
  4. Select the converter-secure folder.

  5. Select the Open as Main Project check box.

  6. Click Open Project.

  7. Right-click the converter-secure project and select Build.

  8. Right-click the converter-secure project and select Deploy.

ProcedureTo Build, Package, and Deploy the Secure Converter Example Using Ant

  1. Follow the steps in To Set Up Your System for Running the Security Examples.

  2. In a terminal window, go to:


    tut-install/examples/security/converter-secure/
    
  3. Type the following command:


    ant all
    

    This command both builds and deploys the example.

ProcedureTo Run the Secure Converter Example

  1. Open a web browser to the following URL:


    http://localhost:8080/converter

    An Authentication Required dialog box appears.

  2. Type a user name and password combination that corresponds to a user who has already been created in the file realm of the GlassFish Server and has been assigned to the group of TutorialUser; then click OK.

    The screen shown in Figure 15–1 appears.

  3. Type 100 in the input field and click Submit.

    A second page appears, showing the converted values.