The RunAs Security Identity
In addition to specifying the roles that have access to an enterprise bean's methods, the deployer can also specify the runAs role for the entire enterprise bean. While the @RolesAllowed annotation and <method-permission> elements specify which roles have access to the bean's methods, runAs specifies the role under which the method will run. In other words, the runAs role is used as the enterprise bean's identity when it tries to invoke methods on other beans, and this identity isn't necessarily the same as the identity that's currently accessing the bean. The @javax.annotation.security.RunAs annotation is used to specify this special role. Although they are not allowed to use method permissions, message-driven beans can use the @RunAs feature:
    package javax.annotation.security;

    public @interface RunAs {
        String value( );
    }
@RunAs could be used to simplify our role mapping for the ProcessPayment EJB. We could mark our TravelAgentBean to run as an AUTHORIZED_MERCHANT so that we would not have to map any of the TravelAgentBean's roles to the ProcessPayment EJB's roles. This could be especially important if a third-party vendor bought the ProcessPayment EJB from Titan Cruises. Let's look at how TravelAgentBean would use the @RunAs annotation:
    package com.titan.travelagent;

    import javax.ejb.*;
    import javax.annotation.security.*;

    @Stateful
    @RunAs("AUTHORIZED_MERCHANT")
    public class TravelAgentBean implements TravelAgentRemote
    {
        ...
    }
This can also be expressed in ejb-jar.xml:
    <ejb-jar version="3.0">
        <enterprise-beans>
            <session>
                <ejb-name>TravelAgentBean</ejb-name>
                <security-identity>
                    <run-as>
                        <role-name>AUTHORIZED_MERCHANT</role-name>
                    </run-as>
                </security-identity>
            </session>
        </enterprise-beans>
    </ejb-jar>
The <security-identity> element is a subelement of the session bean or message-driven bean for which you are declaring a <run-as> element. The <run-as> element defines the role you want to be assigned to the EJB after the caller has been successfully authenticated and authorized.
To specify that an enterprise bean will execute under the caller's identity rather than a propagated run-as identity, the <security-identity> element contains a single empty element, <use-caller-identity/>. The following declarations specify that the EmployeeService EJB should always execute under the caller's identity:
    <enterprise-beans>
        <entity>
            <ejb-name>EmployeeService</ejb-name>
            <security-identity>
                <use-caller-identity/>
            </security-identity>
        </entity>
    </enterprise-beans>
The use of <security-identity> applies to session beans. Message-driven beans have only a runAs identity; they never execute under the caller identity because there is no "caller." The messages that a message-driven bean processes are not considered calls, and the clients that send them are not associated with the messages. With no caller identity to propagate, message-driven beans must always specify a runAs security identity if they interact with other secured session beans.
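A descriptor audit for the <security-identity> rules above, as an added example that is not from the original text: it reads an ejb-jar.xml and reports, for each bean, whether it runs as a fixed role or as the caller. The sample descriptor is constructed; ReservationProcessor and AuditListener are made-up bean names, and the finding strings are this example's own wording.

```python
import xml.etree.ElementTree as ET  # "{*}" namespace wildcards need Python 3.8+

# Constructed sample descriptor; the last bean has a deliberately misspelled element.
SAMPLE = """<ejb-jar version="3.0"><enterprise-beans>
  <session><ejb-name>TravelAgentBean</ejb-name>
    <security-identity><run-as><role-name>AUTHORIZED_MERCHANT</role-name></run-as></security-identity></session>
  <session><ejb-name>EmployeeService</ejb-name>
    <security-identity><use-caller-identity/></security-identity></session>
  <message-driven><ejb-name>ReservationProcessor</ejb-name></message-driven>
  <session><ejb-name>AuditListener</ejb-name>
    <security-identity><use-caler-identity/></security-identity></session>
</enterprise-beans></ejb-jar>"""

def identity_of(bean):
    """Classify <security-identity>: run-as:ROLE, caller, unspecified or invalid."""
    sec = bean.find("{*}security-identity")
    if sec is None:
        return "unspecified"
    role = sec.findtext("{*}run-as/{*}role-name")
    if role and role.strip():
        return "run-as:" + role.strip()
    if sec.find("{*}use-caller-identity") is not None:
        return "caller"
    return "invalid"  # e.g. a misspelled child element, or <run-as> with no role

def audit(descriptor_xml):
    """Return (bean, kind, identity, finding) for each bean in the descriptor."""
    rows = []
    for bean in ET.fromstring(descriptor_xml).iterfind("{*}enterprise-beans/*"):
        kind = bean.tag.rsplit("}", 1)[-1]  # drop any namespace prefix
        if kind not in ("session", "entity", "message-driven"):
            continue
        name = (bean.findtext("{*}ejb-name") or "?").strip()
        identity = identity_of(bean)
        if identity == "invalid":
            finding = "unrecognised <security-identity> content"
        elif identity.startswith("run-as:"):
            finding = "calls other beans as this role for every permitted caller"
        elif kind == "message-driven":
            finding = "MDB has no caller identity; declare <run-as>"
        else:
            finding = ""
        rows.append((name, kind, identity, finding))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-21s %-15s %-29s %s" % row)
```

Beans reported with a run-as identity are the ones whose own method permissions deserve the closest review, because those permissions are what gate access to the run-as role.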