You can protect enterprise bean methods by assigning security roles to them. Before you
assign security roles, you need to know which Enterprise JavaBeans (EJB) methods need
protecting and how to protect them.
About this task
You can assign a set of EJB methods to a set of roles. When an EJB method is secured by
associating a set of roles with it, a caller must be granted at least one role in that set to
access that method. To exclude a set of EJB methods from all access, mark the set excluded. You can
give everyone access to a set of enterprise bean methods by clearing those methods. You can run
enterprise beans as a different identity, using the runAs identity, before they invoke other
enterprise beans.
Note: This procedure might not match the steps that are required when using your assembly tool, or
match the version of the assembly tool that you are using. You should follow the instructions for
the tool and version that you are using. For more information about using assembly tools, see the
assembly tool documentation.
To secure enterprise bean applications, follow these steps:
Procedure
- In an assembly tool, import your Enterprise JavaBeans (EJB) Java™ Archive (JAR) file or an
application archive (EAR) file that contains one or more web modules.
See the information about importing an EJB JAR file or importing an enterprise application EAR
file in the Rational Application Developer documentation.
- In the Project Explorer, click the EJB Projects directory and click the name of your
application.
- Right-click the deployment descriptor and click Open with > Deployment Descriptor
Editor.
If you selected an enterprise bean .jar file, an EJB deployment descriptor editor opens. If you
selected an application .ear file, an application deployment descriptor editor opens. To see
online information about the editor, press F1 and click the editor name.
- Create security roles.
You can create security roles at the application level or at the EJB module level. If you
create a security role at the EJB module level, the role also displays at the application level.
If a security role is created at the application level, the role does not display in all the EJB
modules. You can copy and paste one or more EJB module security roles that you create at the
application level:
  - Create a role at the EJB module level. In an EJB deployment descriptor editor, click the
  Assembly tab. Under Security Roles, click Add. In the Add Security Role wizard, name
  and describe the security role and click Finish.
  - Create a role at the application level. In an application deployment descriptor editor,
  select the Security tab. Under the list of security roles, click Add. In the Add
  Security Role wizard, name and describe the security role; then click Finish.
- Create method permissions.
Method permissions map one or more methods to a set of roles. An enterprise bean has four
types of methods: home methods, remote methods, LocalHome methods, and local methods. You can add
permissions to enterprise beans at the method level. You cannot add a method permission to an
enterprise bean unless you already have one or more security roles defined. For Version 2.0 EJB
projects, an unselected option specifies that the selected methods from the selected beans do not
require authorization to run. To add a method permission to an enterprise bean:
  - On the Assembly tab of an EJB deployment descriptor editor, under Method
  Permissions, click Add. The Add Method Permission wizard opens.
  - Select a security role from the list of roles found and click Next.
  - Select one or more enterprise beans from the list of beans found. You can click Select
  All or Deselect All to select or clear all of the enterprise beans in the list. Click
  Next.
  - Select the methods that you want to bind to your security role. The Method elements page
  lists all the methods that are associated with the enterprise beans.
  You can click Apply to All or Deselect All to quickly select or clear multiple
  methods. The selection affects the default (*) method for each bean only. Creating a method
  permission for the exact method signature overrides the default (*) method permission
  setting. The default (*) method represents all the methods within the bean. There are default (*)
  methods for each interface as well. By not selecting all of the individual methods in the tree,
  you can set other permissions on the remaining methods.
  - Click Finish.
  After the method permission is created, you can see the new method permission in the tree.
  Expand the tree to see the bean and the methods that are defined in the method permission.
- Exclude user access to methods.
Users cannot access excluded methods. Any method in the enterprise beans that is neither assigned
to a role nor excluded is cleared during the application installation by the deployer.
  - On the Assembly tab of an EJB deployment descriptor editor, under Excludes List,
  click Add. The Exclude List wizard opens.
  - Select one or more enterprise beans from the list of beans found and click Next.
  - Select one or more of the method elements to exclude and click Finish.
- Map the security-role-ref and role-name to the role-link.
When developing enterprise beans, you can create the security-role-ref element. The
security-role-ref element contains only the role-name field. The role-name field holds the name of
the role that is referenced in the code, for example in an isCallerInRole() check that determines
whether the caller is in that role. Because you create security roles during the assembly stage,
the developer uses a logical role name in the role-name field and provides enough information in
the Description field for the assembler to map it to the actual role (role-link). The
security-role-ref element is located at the EJB level. Enterprise beans can have zero or more
security-role-ref elements.
  - On the Reference tab of an EJB deployment descriptor editor, under the list of
  references, click Add. The Add Reference wizard opens.
  - Select Security role reference and click Next.
  - Name the security role reference, select a security role to link the reference to, describe
  the security role reference, and click Finish.
  - Map every role-name that is used during development to the role (role-link) using the
  previous steps.
- Specify the RunAs identity for enterprise bean components.
The RunAs identity of the enterprise bean is used to invoke the next enterprise beans in the
chain of EJB invocations. When the next enterprise bean is invoked, the RunAs identity is passed
to it and is used for the authorization check on that bean. If the RunAs identity is not
specified, the client identity is propagated to the next enterprise bean. The RunAs identity can
apply to each enterprise bean as a whole or to each method in the enterprise beans.
  - On the Access tab of an EJB deployment descriptor editor, next to the Security
  Identity (Bean Level) field, click Add. The Add Security Identity wizard opens.
  - Select the appropriate run as mode, describe the security identity, and click Next.
  Select the Use identity of caller mode to instruct the security service to make no
  changes to the credential settings for the principal.
  Select the Use identity assigned to specific role mode to use a principal that is
  assigned to the specified security role for running the bean methods. This association is part
  of the application binding in which the role is associated with the user ID and password of a
  user who is granted that role. If you select the Use identity assigned to specific role mode,
  you must specify a role name and role description.
  - Select one or more enterprise beans from the list of beans found and click Next. If Next
  is unavailable, click Finish.
  - Optional: On the Method elements page, select one or more of the method elements for the
  security identity and click Finish.
- Close the deployment descriptor editor and, when prompted, click Yes to save the
changes.
Results
After securing an EJB application, the resulting .jar file contains security
information in its deployment descriptor. The security information of the EJB modules is stored in
the ejb-jar.xml file.
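The following is an added example, not code from IBM or from the assembly tool. It shows what the security elements produced by the procedure above look like in ejb-jar.xml (security-role, method-permission with a bean-wide default (*) entry and an exact-signature override, the EJB 2.0 unchecked option, exclude-list, security-role-ref with role-link, and a run-as security-identity) and audits a constructed descriptor the way a deployer would before installation: which methods are protected, excluded, unchecked or left unassigned, which role-links name no declared role, and which run-as roles are undeclared. The descriptor, the bean and role names, and the KNOWN_METHODS list (in practice taken from the bean interfaces, since the descriptor does not enumerate methods) are all constructed for this example. The precedence it applies is the one the text describes: the exclude list wins, and an exact method permission overrides the default (*) entry.

```python
"""Audit the security sections of an EJB 2.x ejb-jar.xml (added example, not IBM or tool code)."""
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from a real application): two session beans, two roles,
# a bean-wide (*) permission, an exact-signature override, an <unchecked/> permission,
# an exclude list, two security-role-ref links (one dangling) and a run-as identity.
SAMPLE_EJB_JAR_XML = """<ejb-jar>
  <enterprise-beans>
    <session><ejb-name>AccountBean</ejb-name>
      <security-role-ref><role-name>supervisor</role-name><role-link>manager</role-link></security-role-ref>
      <security-role-ref><role-name>auditor</role-name><role-link>compliance</role-link></security-role-ref>
      <security-identity><run-as><role-name>manager</role-name></run-as></security-identity>
    </session>
    <session><ejb-name>ReportBean</ejb-name>
      <security-identity><use-caller-identity/></security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>manager</role-name></security-role>
    <security-role><role-name>teller</role-name></security-role>
    <method-permission><role-name>teller</role-name>
      <method><ejb-name>AccountBean</ejb-name><method-name>*</method-name></method>
    </method-permission>
    <method-permission><role-name>manager</role-name>
      <method><ejb-name>AccountBean</ejb-name><method-intf>Remote</method-intf><method-name>transfer</method-name>
        <method-params><method-param>java.lang.String</method-param><method-param>double</method-param></method-params>
      </method>
    </method-permission>
    <method-permission><unchecked/>
      <method><ejb-name>ReportBean</ejb-name><method-name>runReport</method-name></method>
    </method-permission>
    <exclude-list><method><ejb-name>AccountBean</ejb-name><method-name>closeAccount</method-name></method></exclude-list>
  </assembly-descriptor>
</ejb-jar>"""

# Constructed list of each bean's business methods; a real audit takes these from the interfaces.
KNOWN_METHODS = {"AccountBean": ["getBalance", "transfer", "closeAccount"],
                 "ReportBean": ["runReport", "exportReport"]}


def _method_key(m):
    """(ejb-name, method-name, parameter-type tuple or None) for one <method> element."""
    params = m.find("method-params")
    sig = None if params is None else tuple(p.text.strip() for p in params.findall("method-param"))
    return (m.findtext("ejb-name").strip(), m.findtext("method-name").strip(), sig)


def parse_descriptor(xml_text):
    """Pull roles, method permissions, exclusions, role references and run-as out of ejb-jar.xml."""
    root = ET.fromstring(xml_text.strip())
    desc = {"roles": {r.findtext("role-name").strip() for r in root.iter("security-role")},
            "permissions": [], "excluded": set(), "role_refs": [], "run_as": {}}
    for mp in root.iter("method-permission"):
        roles = [r.text.strip() for r in mp.findall("role-name")]
        unchecked = mp.find("unchecked") is not None  # EJB 2.0: methods need no authorization
        for m in mp.findall("method"):
            desc["permissions"].append((_method_key(m), roles, unchecked))
    for ex in root.iter("exclude-list"):
        desc["excluded"].update(_method_key(m) for m in ex.findall("method"))
    for bean in root.find("enterprise-beans"):
        name = bean.findtext("ejb-name").strip()
        for ref in bean.findall("security-role-ref"):
            link = (ref.findtext("role-link") or "").strip()  # empty: assembler has not mapped it
            desc["role_refs"].append((name, ref.findtext("role-name").strip(), link))
        run_as = bean.find("security-identity/run-as/role-name")
        if run_as is not None:
            desc["run_as"][name] = run_as.text.strip()
    return desc


def _specificity(key, ejb_name, method_name, params):
    # 3 = exact signature, 2 = method name only, 1 = bean-wide default (*), -1 = no match
    k_ejb, k_name, k_sig = key
    if k_ejb != ejb_name:
        return -1
    if k_name == "*":
        return 1
    if k_name != method_name:
        return -1
    if k_sig is None:
        return 2
    return 3 if params is not None and k_sig == tuple(params) else -1


def resolve(desc, ejb_name, method_name, params=None):
    """Classify one method: the exclude list wins, then the most specific permission overrides
    the default (*) entry. Returns (status, roles); status is excluded/unchecked/roles/unassigned."""
    if any(_specificity(k, ejb_name, method_name, params) > 0 for k in desc["excluded"]):
        return ("excluded", frozenset())
    best, roles, unchecked = 0, set(), False
    for key, mp_roles, is_unchecked in desc["permissions"]:
        s = _specificity(key, ejb_name, method_name, params)
        if s > best:                   # a more specific entry replaces less specific ones
            best, roles, unchecked = s, set(mp_roles), is_unchecked
        elif s == best and s > 0:      # same specificity: the role sets are combined
            roles.update(mp_roles)
            unchecked = unchecked or is_unchecked
    if best == 0:
        return ("unassigned", frozenset())  # the deployer clears these at installation
    return ("unchecked", frozenset()) if unchecked else ("roles", frozenset(roles))


def audit(desc, known_methods):
    """Findings to review before installing: unassigned methods, role-links that name no
    declared role, and run-as roles that are not declared."""
    return {
        "unassigned": [(b, m) for b, ms in known_methods.items() for m in ms
                       if resolve(desc, b, m)[0] == "unassigned"],
        "dangling_role_links": [(b, n, l) for b, n, l in desc["role_refs"] if l not in desc["roles"]],
        "run_as_unknown_role": [(b, r) for b, r in desc["run_as"].items() if r not in desc["roles"]],
    }
```

Calling `audit(parse_descriptor(SAMPLE_EJB_JAR_XML), KNOWN_METHODS)` on the constructed descriptor reports exportReport on ReportBean as unassigned (it has neither a permission nor an exclusion, so the deployer would clear it at installation) and the auditor reference as a dangling role-link, because compliance is not a declared security role. Passing a parameter list to `resolve` shows the exact-signature override: transfer(java.lang.String, double) resolves to manager while the other AccountBean methods fall back to the teller default (*) entry, and closeAccount is excluded regardless of any permission.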
What to do next
After securing an EJB application using an assembly tool, you can install the EJB
application using the administrative console. During the installation of a secured EJB application,
follow the steps in the topic, Deploying secured applications, to complete the task of securing the
EJB application.