Security

The javax.annotation.security package, available to CDI applications, contains everything we need to secure an enterprise component such as an EJB or a servlet. With these annotations, each bean can be authorized with default or custom roles simply by adding them to the bean you want protected. Let us see how to use these annotations. We need an EJB container because, unlike plain Weld, it already runs under an authentication and authorization system.

Start with an interface:

import java.util.concurrent.Callable;

public interface Caller {
    // Runs the callable under the security identity of the implementing bean
    <V> V call(Callable<V> callable) throws Exception;
}

And two actors, the manager and the employee, each implemented as a Caller. The manager runs with a role called Manager:

import java.util.concurrent.Callable;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RunAs;
import javax.ejb.Stateless;

@Stateless              // an EJB, so the container enforces the security annotations
@RunAs("Manager")       // every outbound call from this bean carries the Manager role
public class ManagerBean implements Caller {
    @PermitAll          // anyone may ask the manager to act on their behalf
    public <V> V call(Callable<V> callable) throws Exception {
        return callable.call();
    }
}

And the employee with a role called Employee:

import java.util.concurrent.Callable;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RunAs;
import javax.ejb.Stateless;

@Stateless              // an EJB, so the container enforces the security annotations
@RunAs("Employee")      // every outbound call from this bean carries the Employee role
public class EmployeeBean implements Caller {
    @PermitAll          // anyone may ask the employee to act on their behalf
    public <V> V call(Callable<V> callable) throws Exception {
        return callable.call();
    }
}

Add a third bean that holds the operations we want to protect:

import java.util.ArrayList;
import java.util.List;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
public class Movies {
    private List<Movie> movies = new ArrayList<Movie>();

    @RolesAllowed({ "Employee", "Manager" })   // both roles may add
    public void addMovie(Movie movie) throws Exception {
        movies.add(movie);
    }

    @RolesAllowed({ "Manager" })               // only the Manager role may delete
    public void deleteMovie(Movie movie) throws Exception {
        movies.remove(movie);
    }

    @PermitAll                                 // any caller may read the list
    public List<Movie> getMovies() throws Exception {
        return movies;
    }
}

These annotations assign roles to the operations. In this case, the manager can add a movie and delete it. The employee can add a movie but cannot delete it. Both can read the list of movies.

Now inject the three beans into the client (here, a test class):

@EJB(mappedName = "java:module/Movies")
private Movies movies;
@EJB(mappedName = "java:module/ManagerBean")
private Caller manager;
@EJB(mappedName = "java:module/EmployeeBean")
private Caller employee;

And add, list and delete a movie through the manager role:

manager.call(new Callable<Object>() {
    public Object call() throws Exception {
        Movie movie1 = new Movie("Sabina Guzzanti", "La trattativa", 2014);
        movies.addMovie(movie1);      // Manager may add
        List<Movie> list = movies.getMovies();
        movies.deleteMovie(movie1);   // Manager may delete
        return null;
    }
});

This runs without errors.

Now run the same operations using the employee role:

employee.call(new Callable<Object>() {
    public Object call() throws Exception {
        Movie movie1 = new Movie("Sabina Guzzanti", "La trattativa", 2014);
        movies.addMovie(movie1);
        List<Movie> list = movies.getMovies();
        movies.deleteMovie(movie1);
        return null;
    }
});

It will fail to delete the movie, throwing an EJBAccessException!

We can also try to call an operation of the Movies bean directly, without going through either caller, that is, as an unauthorized user:

movies.addMovie(new Movie("Sabina Guzzanti", "La trattativa", 2014));

It fails again, throwing an EJBAccessException.
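The three checks described above, collected into a JUnit 4 test against an embedded EJB container. This is an added example, not code from the page or its author; it assumes the page's Movie class, a container implementing javax.ejb.embeddable.EJBContainer, and the TomEE/OpenEJB convention of binding the test instance under "inject" to receive @EJB injection.

```java
import java.util.concurrent.Callable;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.embeddable.EJBContainer;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

public class MoviesAuthorizationTest {
    private static EJBContainer container;

    @EJB(mappedName = "java:module/Movies")       private Movies movies;
    @EJB(mappedName = "java:module/ManagerBean")  private Caller manager;
    @EJB(mappedName = "java:module/EmployeeBean") private Caller employee;

    @BeforeClass public static void start() { container = EJBContainer.createEJBContainer(); }
    @AfterClass  public static void stop()  { if (container != null) container.close(); }

    // Assumption: the embedded container injects this test instance when it is
    // bound under "inject" (TomEE/OpenEJB convention); adapt for other containers.
    @Before public void inject() throws Exception { container.getContext().bind("inject", this); }

    /** Runs action under the given caller's role; true if the container denied it. */
    private static boolean denied(Caller as, Callable<Void> action) throws Exception {
        Callable<Boolean> probe = () -> {
            try { action.call(); return false; }
            catch (EJBAccessException e) { return true; }   // authorization refused the call
        };
        return as.call(probe);
    }

    private static Movie sample() { return new Movie("Sabina Guzzanti", "La trattativa", 2014); }

    @Test public void managerMayAddAndDelete() throws Exception {
        Movie m = sample();
        assertFalse(denied(manager, () -> { movies.addMovie(m); movies.deleteMovie(m); return null; }));
    }

    @Test public void employeeMayAddButNotDelete() throws Exception {
        Movie m = sample();
        assertFalse(denied(employee, () -> { movies.addMovie(m); return null; }));
        assertTrue(denied(employee, () -> { movies.deleteMovie(m); return null; }));
    }

    @Test(expected = EJBAccessException.class)
    public void callerWithoutRoleCannotAdd() throws Exception {
        movies.addMovie(sample());   // no @RunAs identity, so @RolesAllowed rejects the call
    }
}
```

Catching EJBAccessException inside the callable keeps the Caller bean's transaction from seeing a system exception, so each assertion reports exactly the operation that was denied.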
