Using deployment descriptors for security

Several of the security-related annotations can be overridden in a deployment descriptor. This recipe examines how this is done. This can be useful when access to a method may differ depending on the server it is deployed to. Configuring access in a deployment descriptor will provide this type of flexibility.

Getting ready

The process for creating a deployment descriptor for security configuration includes:

  • Creating an ejb-jar.xml file for the EJB module
  • Using the <enterprise-beans> element to define the EJB
  • Using the <assembly-descriptor> to declare security roles and the method permissions
  • Deploying the application

Each security role is granted access to a set of classes and methods. This can be achieved through descriptors using the <method-permission> element. Roles can be assigned to all of the methods of an EJB or specific methods of an EJB. In this example, all methods of the VoucherManager EJB found in the Chapter 7, Creating the SecurityApplication recipe, will be accessible by users possessing the manager role.

How to do it...

Create an ejb-jar.xml file if it does not already exist. Add an <enterprise-beans> element to define the VoucherManager EJB. The <session> element identifies the class as a session EJB and the <ejb-name> element holds the name of the EJB.

<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee"
         version="3.1"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd">
  <enterprise-beans>
    <session>
      <ejb-name>VoucherManager</ejb-name>
    </session>
  </enterprise-beans>
  ...
</ejb-jar>

Next, add an <assembly-descriptor> element to the file. Within this element we will declare security roles and the methods granted access by these roles. First, add the <security-role> element, which contains a <role-name> element and the name manager.

<?xml version="1.0" encoding="UTF-8"?>
...
  <assembly-descriptor>
    <security-role>
      <role-name>manager</role-name>
    </security-role>
    ...
  </assembly-descriptor>
</ejb-jar>

Next, add a <method-permission> element which we will use to define the method the role can access. Within the element, add a <role-name> element with the name manager. Follow this with a <method> element. This element contains two sub-elements: <ejb-name>, which should match an EJB defined earlier in the file, and a <method-name> element containing the name of the method.

<?xml version="1.0" encoding="UTF-8"?>
...
  <assembly-descriptor>
    <security-role>
      <role-name>manager</role-name>
    </security-role>
    <method-permission>
      <role-name>manager</role-name>
      <method>
        <ejb-name>VoucherManager</ejb-name>
        <method-name>approve</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>

If the <method-name> element contains an asterisk, then all methods of the EJB are accessible by the role.

If the method is overloaded, then the <method-params> element needs to be used in conjunction with the <method-param> element to identify the method. While the approve method is not overloaded, these elements have been specified here to illustrate their use.

<method-permission>
  <role-name>manager</role-name>
  <method>
    <ejb-name>VoucherManager</ejb-name>
    <method-name>approve</method-name>
    <method-params>
      <method-param></method-param>
    </method-params>
  </method>
</method-permission>

Notice the <method-param> element is left empty in the example. This signifies a void argument. If the argument had not been void, then the data type for the parameter would be used, such as java.lang.String or long. Each parameter of a method should have a corresponding <method-param> element.
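As an added check that is not part of the recipe, the following Python script (example code, not the book's) parses an ejb-jar.xml and reports which roles may call each business method, applying the rules above: a <method-name> of * covers every method of the bean, a <method> without <method-params> covers every overload of that name, and an empty <method-param> is read as the no-argument form the recipe uses. The descriptor embedded in it is a constructed sample modelled on the recipe; the VoucherReport bean, the clerk role and the lookup and reject methods are assumptions made for this example. Methods in a bean's interface that no <method-permission> covers are reported with an empty role list, since the container does not restrict those by role, which is the gap this kind of audit is meant to catch before deployment. It also flags roles used in a <method-permission> that were never declared with <security-role>.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor modelled on the recipe's ejb-jar.xml. The VoucherReport
# bean, the clerk role and the lookup/reject methods are assumptions made for this example.
SAMPLE_EJB_JAR = """<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee" version="3.1">
  <enterprise-beans>
    <session><ejb-name>VoucherManager</ejb-name></session>
    <session><ejb-name>VoucherReport</ejb-name></session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>manager</role-name></security-role>
    <security-role><role-name>clerk</role-name></security-role>
    <method-permission>
      <role-name>manager</role-name>
      <method>
        <ejb-name>VoucherManager</ejb-name>
        <method-name>approve</method-name>
        <method-params><method-param></method-param></method-params>
      </method>
      <method>
        <ejb-name>VoucherReport</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
    <method-permission>
      <role-name>clerk</role-name>
      <method>
        <ejb-name>VoucherManager</ejb-name>
        <method-name>lookup</method-name>
        <method-params><method-param>java.lang.String</method-param></method-params>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
"""


def _local(tag):
    """Strip the javaee namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else None


def parse_permissions(xml_text):
    """Flatten each <method-permission> into (role, ejb, method, params) tuples.
    params is None when <method-params> is absent (the rule covers every overload);
    the recipe's empty <method-param> for a no-argument method yields an empty tuple."""
    rules = []
    for perm in ET.fromstring(xml_text).iter():
        if _local(perm.tag) != "method-permission":
            continue
        roles = [(r.text or "").strip() for r in _children(perm, "role-name")]
        for method in _children(perm, "method"):
            params = None
            param_lists = _children(method, "method-params")
            if param_lists:
                types = ((p.text or "").strip() for p in _children(param_lists[0], "method-param"))
                params = tuple(t for t in types if t)
            for role in roles:
                rules.append((role, _text(method, "ejb-name"), _text(method, "method-name"), params))
    return rules


def roles_for(rules, ejb, method, params):
    """Roles permitted to call ejb.method(params); a '*' rule covers the whole bean."""
    params = tuple(params)
    return {role for role, r_ejb, r_method, r_params in rules
            if r_ejb == ejb and (r_method == "*" or (r_method == method and r_params in (None, params)))}


def audit(xml_text, bean_methods):
    """bean_methods is {ejb: [(method, (param types...)), ...]} from each bean's interface.
    Returns {(ejb, signature): sorted roles}; an empty list means no <method-permission>
    covers the method, so the container applies no role restriction to it (unchecked)."""
    rules = parse_permissions(xml_text)
    return {(ejb, f"{m}({', '.join(p)})"): sorted(roles_for(rules, ejb, m, p))
            for ejb, methods in bean_methods.items() for m, p in methods}


def undeclared_roles(xml_text):
    """Roles used in <method-permission> but never declared by a <security-role>."""
    root = ET.fromstring(xml_text)
    declared = {(r.text or "").strip() for sr in root.iter() if _local(sr.tag) == "security-role"
                for r in _children(sr, "role-name")}
    return {role for role, _, _, _ in parse_permissions(xml_text)} - declared


if __name__ == "__main__":
    methods = {"VoucherManager": [("approve", ()), ("lookup", ("java.lang.String",)), ("reject", ())]}
    for (ejb, sig), roles in audit(SAMPLE_EJB_JAR, methods).items():
        print(f"{ejb}.{sig}: {roles or 'UNCHECKED'}")
    print("undeclared roles:", undeclared_roles(SAMPLE_EJB_JAR))
```

Run against the sample, the audit shows approve() restricted to manager, lookup(java.lang.String) restricted to clerk, and reject() with no covering entry; the list of bean methods is supplied by hand here, but in practice it would be taken from the bean's business interface so that a method added to the bean without a matching descriptor entry shows up immediately.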

How it works...

The ejb-jar.xml file was used to configure the security roles for the VoucherManager class. Within the <assembly-descriptor> element, the manager security role was declared. The <method-permission> element was then used to associate this role with the VoucherManager's approve method. This configuration was performed by the server upon deployment of the application.
