While security is an important aspect of many applications, the use of programmatic security can clutter up business logic. The use of declarative annotations has come a long way in making security easier to use and less intrusive. However, there are still times when programmatic security is necessary. When it is, then the use of interceptors can help remove the security code from the business logic.
The process for using an interceptor to enforce security involves:
- Configuring and enabling security for the application server
- Adding a @DeclareRoles to the target class and the interceptor class
- Creating a security interceptor
Configure the application to handle security as detailed in Chapter 7, Configuring the server to handle security recipe. Add the @DeclareRoles("employee") to the RegistrationManager class.
Add a SecurityInterceptor class to the packt package. Inject a SessionContext object into the class. We will use this object to perform programmatic security. Also use the @DeclareRoles annotation.
Next, add an interceptor method, verifyAccess, to the class. Use the SessionContext object and its isCallerInRole method to determine if the user is in the "employee" role. If so, invoke the proceed method and display a message to that effect. Otherwise, throw an EJBAccessException.
@DeclareRoles("employee") public class SecurityInterceptor { @Resource private SessionContext sessionContext;@AroundInvoke public Object verifyAccess(InvocationContext context) throws Exception { System.out.println("SecurityInterceptor: Invoking method: " + context.getMethod().getName()); if (sessionContext.isCallerInRole("employee")) { Object result = context.proceed(); System.out.println("SecurityInterceptor: Returned from method: " + context.getMethod().getName()); return result; } else { throw new EJBAccessException(); } } }
Execute the application. The user should be prompted for a username and password as shown in the following screenshot. Provide a user in the employee role.
The application should execute to completion.
Depending on the interceptors in place, you will console output similar to the following:
INFO: Default Interceptor: Invoking method: register
INFO: SimpleInterceptor entered: register
INFO: SecurityInterceptor: Invoking method: register
INFO: InternalMethod: Invoking method: register
INFO: register
INFO: Default Interceptor: Invoking method: create
INFO: Default Interceptor: Returned from method: create
INFO: InternalMethod: Returned from method: register
INFO: SecurityInterceptor: Returned from method: register
INFO: SimpleInterceptor exited: register
INFO: Default Interceptor: Returned from method: register
The @DeclareRoles annotation was used to specify that users in the employee role are associated with the class. The isCallerInRole method checked to see if the current user is in the employee role. When the target method is called, if the user is authorized then the InterceptorContext's proceed method is executed. If the user is not authorized, then the target method is not invoked and an exception is thrown.
Programmatic security is detailed in Chapter 7, Configuring the server to handle security recipe.