Oracle® Containers for J2EE Enterprise JavaBeans Developer's Guide
10g Release 3 (10.1.3)
B14428-01

Configuring EJB 3.0 Security Options

In an EJB 3.0 application, you can use the javax.annotation.security annotations defined in JSR250 to configure security options on EJB 3.0 session beans.

Table 22-2 summarizes the security annotations that OC4J supports. For an example of how to use these annotations, see "Using Annotations".

Table 22-2 Security Annotations

| Annotation | Description | Applicable To |
|---|---|---|
| @RunAs | Defines the role of the application during execution in a J2EE container. The role must map to the user/group information in the container's security realm. For more information, see "Specifying the runAs Security Identity". | Class |
| @RolesAllowed | Specifies the security roles permitted to access methods in an application. For more information, see "Specifying a Role for an EJB Method". | Class, method, or both. Method specification overrides class specification if present. |
| @PermitAll | Specifies that all security roles are allowed to invoke the specified methods. For more information, see "Specifying Unchecked Security for EJB Methods". | Class or method. Class specification applies to all methods. Method specification applies only to that method. |
| @DenyAll | Specifies that no security roles are allowed to invoke the specified methods. | Class or method. Class specification applies to all methods. Method specification applies only to that method. |
| @DeclareRoles | Specifies the security roles used by the application. | Class |

When using @PermitAll, @DenyAll and @RolesAllowed annotations, observe the following restrictions:

Using Annotations

Example 22-10 shows how to use the @RolesAllowed annotation. For more information and examples, see the JSR250 specification.

Example 22-10 @RolesAllowed

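import javax.annotation.security.RolesAllowed;

// Class-level rule: applies to every method that has no annotation of its own.
@RolesAllowed("Users")
public class Calculator
{
    // Method-level rule overrides the class-level rule for this method.
    @RolesAllowed("Administrator")
    public void setNewRate(int rate)
    {
        // ...
    }
}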
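
The class-versus-method precedence from Table 22-2, as an added example that is not part of the Oracle guide: a small reflection check that reports which rule each public method ends up with, useful when reviewing a bean for methods left unchecked. The RateBean class and its methods are constructed for illustration; the code assumes the JSR 250 annotations are on the classpath, and it only reads the annotations (enforcement is still done by the container).

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

public class EffectiveRoles {

    // Hypothetical bean class, constructed for this example.
    @DeclareRoles({"Users", "Administrator"})
    @RolesAllowed("Users")
    public static class RateBean {
        public int getRate() { return 0; }          // no own annotation: class rule applies

        @RolesAllowed("Administrator")
        public void setNewRate(int rate) { }        // method rule overrides class rule

        @PermitAll
        public String getVersion() { return "1"; }  // any role may call this

        @DenyAll
        public void resetAll() { }                  // no role may call this
    }

    // Method-level annotation wins; otherwise fall back to the class-level one.
    static String effectiveRule(Method m) {
        if (m.isAnnotationPresent(DenyAll.class)) return "DenyAll (method)";
        if (m.isAnnotationPresent(PermitAll.class)) return "PermitAll (method)";
        RolesAllowed onMethod = m.getAnnotation(RolesAllowed.class);
        if (onMethod != null) return "RolesAllowed" + Arrays.toString(onMethod.value()) + " (method)";

        Class<?> c = m.getDeclaringClass();
        if (c.isAnnotationPresent(DenyAll.class)) return "DenyAll (class)";
        if (c.isAnnotationPresent(PermitAll.class)) return "PermitAll (class)";
        RolesAllowed onClass = c.getAnnotation(RolesAllowed.class);
        if (onClass != null) return "RolesAllowed" + Arrays.toString(onClass.value()) + " (class)";
        return "no security annotation";
    }

    public static void main(String[] args) {
        for (Method m : RateBean.class.getDeclaredMethods()) {
            if (Modifier.isPublic(m.getModifiers())) {
                System.out.println(m.getName() + " -> " + effectiveRule(m));
            }
        }
    }
}
```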