J2EE^TM Developer's Guide
Security

Bean-Managed Security

The security mechanisms described in the Authentication and Authorization sections are sufficient for most J2EE applications. You control these mechanisms by declaring certain parameters with the Application Deployment Tool. Because this approach is declarative, you don't have to code your own security routines.

Some applications have special security requirements. For example, an application might make authorization decisions based on the time of day, the parameters of a call, or the internal state of an enterprise bean. Another application might restrict access based on user information stored in a database. If your application has special security requirements, you may want to take advantage of the APIs described in the following sections.

Getting the Caller's J2EE User

The getCallerPrincipal method of the EJBContext interface returns the java.security.Principal object that identifies the caller of the enterprise bean. (In this case, a principal is the same as a user.) In the following example, the getUser method of an enterprise bean returns the name of the J2EE user that invoked it:

public String getUser() {
   return context.getCallerPrincipal().getName();
}
. . .
public void setSessionContext(SessionContext context) {
   this.context = context;
}

To determine the caller of a servlet, you invoke the getUserPrincipal method.

Determining the Caller's Role

You can determine whether an enterprise bean's caller belongs to a particular role by invoking the isCallerInRole method:

boolean result = context.isCallerInRole("Customer");

You should declare the coded name (Customer) in the Security dialog box of the New Enterprise Bean wizard of the Application Deployment Tool. When you are ready to deploy the application, you must link the coded name with a role name. For example, to link the Customer coded name with the Buyer role name, you would follow these steps:

1. Select the Security tabbed pane of the enterprise bean.

2. If the Customer entry does not appear in the Coded Name column, click Add and enter Customer in that column.

3. If the Buyer role name is not listed in the Method Permissions table, click Edit Roles and add Buyer in the Editing Roles dialog box.

4. Go to the table at the top of the Security tabbed pane and locate the row that lists Customer in the Coded Name column. In that row, select Buyer from the Role Name combo box.

Because a coded name is linked to a role name, you may change the role name later on without having to change the coded name. For example, if you were to change the role name from Buyer to Shopper, you wouldn't have to change the Customer name in the code. However, you would have to relink the Customer coded name to the Shopper role name.

To determine the caller's role for a servlet, you invoke the isUserInRole method.

Prev | Next

TOC | Index