Java security principals and roles represent identities and authorization roles, respectively. Principals and roles are usually configured in the application server in vendor-specific ways. Authenticated requests are bound to a principal during the execution.
One example of using the associated roles within the execution workflow is by using common security annotations such as @RolesAllowed. This declarative approach checks whether the principal is authorized correctly and will otherwise result in a security exception:
import javax.annotation.security.RolesAllowed;
@Stateless public class CarManufacturer { ... @RolesAllowed("worker") public Car manufactureCar(Specification spec) { ... } @RolesAllowed("factory-admin") public void reconfigureMachine(...) { ... }
Besides vendor-specific solutions, users and roles can be extended to contain domain-specific information. The Principal security type is enhanced in order to do so.
It is possible to inject the principal that is identified by its name and to provide a specialization. The container takes care of the user identification, for example, by using form-based authentication.
This approach was especially advised prior to Java EE version 8. However, modern applications will likely use identity stores to represent domain-specific user information.