Accessing security information

Enterprise applications sometimes need to access information about the caller's authorization as part of their business logic. The Security API enables us to retrieve this information in a uniform way.

It contains the SecurityContext type, which provides a programmatic way to retrieve information about the caller principal and its roles. The SecurityContext can be injected into any managed bean. It also integrates with the servlet authentication configuration and can tell whether the caller is allowed to access a specific HTTP resource.

The following shows an example usage of the SecurityContext:

import javax.ejb.Stateless;
import javax.inject.Inject;
import javax.security.enterprise.SecurityContext;

@Stateless
public class CompanyProcesses {

    @Inject
    SecurityContext securityContext;

    public void executeProcess() {
        executeUserProcess();

        // Role check against the same role information the container
        // uses for declarative security (e.g. @RolesAllowed)
        if (securityContext.isCallerInRole("admin")) {
            String name = securityContext.getCallerPrincipal().getName();
            executeAdminProcess(name);
        }
    }

    ...
}

The idea of the Security API is that it integrates with the existing functionality from previous Java EE versions. This implies, for example, that the @RolesAllowed annotation uses the same role information as the SecurityContext. Developers can continue to rely on the existing standard functionality.
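The following added example (not from the book) shows the same integration from the other direction: one stateless bean exposed as a JAX-RS resource uses the SecurityContext to report what the caller may do, while its destructive method is protected declaratively with @RolesAllowed against the same roles. The resource path, the "admin" role name and the /admin/reports URL constraint are assumptions; the web resource check only reflects what is declared in the application's security constraints.

```java
import java.security.Principal;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.inject.Inject;
import javax.security.enterprise.SecurityContext;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

// Assumed names: ReportResource, the "admin" role and the /admin/reports
// constraint are illustrative, not part of the book's example.
@Stateless
@Path("reports")
public class ReportResource {

    @Inject
    SecurityContext securityContext;

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Map<String, Object> describeCaller() {
        Map<String, Object> view = new LinkedHashMap<>();

        // Unauthenticated callers have no principal; never assume one exists.
        Principal caller = securityContext.getCallerPrincipal();
        view.put("name", caller == null ? "anonymous" : caller.getName());

        // Same role information the container uses for @RolesAllowed below.
        view.put("admin", securityContext.isCallerInRole("admin"));

        // Consults the servlet security constraints for this caller, so a
        // client can hide actions the server would reject anyway.
        view.put("canReadReports",
                securityContext.hasAccessToWebResource("/admin/reports", "GET"));
        view.put("canPurgeReports",
                securityContext.hasAccessToWebResource("/admin/reports", "DELETE"));
        return view;
    }

    // Declarative check: the container rejects callers outside "admin"
    // before this body runs; no programmatic check is needed here.
    @DELETE
    @RolesAllowed("admin")
    public void purge() {
        // archive cleanup would go here
    }
}
```

A caller without the admin role sees "admin": false and "canPurgeReports": false from the GET, and receives an authorization error from the DELETE without purge() ever executing.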
