users@ejb-spec.java.net

[ejb-spec users] Missing specification of inheritance of security roles annotated on EJB classes

From: <neuling_at_dakosy.de>
Date: Tue, 1 Jul 2014 10:31:03 +0200

Hello everyone,

I have a question about the specification in chapter 12.3.2.1 of the EJB
3.2 spec (EJB 3.0 / 3.1 chapter 173.2.1).

What is the behavior if I annotate @RolesAllowed at class level on the bean
and on its superclass? Does the bean class override the security
annotation of its superclass?

Example 1:

@RolesAllowed("admin")
public class SomeClass {
    public void aMethod() {...}
    public void bMethod() {...}
    ...
}

@Stateless
@RolesAllowed("HR")
public class MyBean extends SomeClass implements A {
    public void cMethod() {...}
    ...
}

My view is that the methods "aMethod" and "bMethod" will get the
security role "HR" instead of "admin", since the methods are not annotated
with a security role of their own.

If this is not the behavior and the methods "aMethod" and "bMethod" keep
the role "admin", both methods must be overridden to get the new security
role "HR".

Example 2:

@Stateless
@RolesAllowed("HR")
public class MyBean extends SomeClass implements A {
    public void aMethod() {
        super.aMethod();
    }
    public void bMethod() {
        super.bMethod();
    }
    public void cMethod() {...}
    ...
}

Another possibility is that every overridden method must be annotated with the
new role.

Example 3:

@Stateless
@RolesAllowed("HR")
public class MyBean extends SomeClass implements A {
    @RolesAllowed("HR")
    public void aMethod() {
        super.aMethod();
    }
    @RolesAllowed("HR")
    public void bMethod() {
        super.bMethod();
    }
    public void cMethod() {...}
    ...
}


The last two possibilities would cause a lot of coding overhead, since
every method of the bean's superclass that is declared in the business interface
must be overridden to get a security role, especially if the superclass
has no role annotation.

What is the correct behavior you intend to specify?


Thanks in advance.
Regards,
Mattias
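Added example (editor's note, not part of the original message): a small reflection-based audit that resolves the effective @RolesAllowed permission for every public business method of a bean class, applying the superclass rules of EJB 3.1 section 17.3.2.1 (EJB 3.2 section 12.3.2.1): a method-level annotation wins, otherwise the class-level annotation of the class that declares the method applies, and an overriding method is resolved against the class that declares the override. The bean classes below are constructed copies of Example 1 and Example 2 from the post (the `implements A` interface is omitted, and the beans are nested static classes purely so the file is self-contained). It assumes the JSR 250 `javax.annotation-api` jar on the classpath for `javax.annotation.security.RolesAllowed`; the `effectivePermission` / `effectivePermissions` helpers and the class name `RoleInheritanceCheck` are the editor's own.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.Map;
import java.util.TreeMap;
import javax.annotation.security.RolesAllowed;

public class RoleInheritanceCheck {

    // Example 1 from the post (constructed copy): role on the superclass,
    // different role on the bean class, inherited methods not overridden.
    @RolesAllowed("admin")
    public static class SomeClass {
        public void aMethod() {}
        public void bMethod() {}
    }

    @RolesAllowed("HR")
    public static class MyBean extends SomeClass {
        public void cMethod() {}
    }

    // Example 2 from the post (constructed copy): the bean class overrides the
    // inherited methods but does not annotate them.
    @RolesAllowed("HR")
    public static class MyOverridingBean extends SomeClass {
        @Override public void aMethod() { super.aMethod(); }
        @Override public void bMethod() { super.bMethod(); }
        public void cMethod() {}
    }

    /**
     * Effective permission of one method under the superclass rules of
     * EJB 3.1 17.3.2.1 / EJB 3.2 12.3.2.1 (editor's reading of the spec):
     *  1. an annotation on the method itself wins;
     *  2. otherwise the class-level annotation of the class that DECLARES the
     *     method applies (not the class-level annotation of the bean class);
     *  3. otherwise no permission metadata exists and the method is unchecked.
     */
    static String effectivePermission(Method m) {
        RolesAllowed onMethod = m.getAnnotation(RolesAllowed.class);
        if (onMethod != null) {
            return "RolesAllowed" + Arrays.toString(onMethod.value()) + " (method-level)";
        }
        Class<?> declaring = m.getDeclaringClass();
        RolesAllowed onClass = declaring.getAnnotation(RolesAllowed.class);
        if (onClass != null) {
            return "RolesAllowed" + Arrays.toString(onClass.value())
                    + " (class-level on " + declaring.getSimpleName() + ")";
        }
        return "unchecked (no permission metadata)";
    }

    /** Public instance methods of the bean class, inherited ones included, with their effective permission. */
    static Map<String, String> effectivePermissions(Class<?> beanClass) {
        Map<String, String> out = new TreeMap<>();
        for (Method m : beanClass.getMethods()) {
            if (m.getDeclaringClass() == Object.class) continue; // skip hashCode/toString/...
            if (Modifier.isStatic(m.getModifiers())) continue;
            // getMethods() already hides a superclass method behind its override,
            // so getDeclaringClass() is the class whose annotations the rule consults.
            out.put(m.getName() + " (declared in " + m.getDeclaringClass().getSimpleName() + ")",
                    effectivePermission(m));
        }
        return out;
    }

    public static void main(String[] args) {
        for (Class<?> bean : Arrays.asList(MyBean.class, MyOverridingBean.class)) {
            System.out.println("== " + bean.getSimpleName());
            effectivePermissions(bean).forEach((k, v) -> System.out.println("  " + k + " -> " + v));
        }
    }
}
```

Under this rule the report resolves aMethod and bMethod of MyBean to the superclass role "admin" (they are declared in SomeClass) and only cMethod to "HR", while in MyOverridingBean all three methods resolve to "HR" because the overrides are declared in a class annotated with "HR", so Example 2 already achieves the re-roling and the per-method annotations of Example 3 are redundant. Two caveats for a real deployment: method-permission elements in ejb-jar.xml override whatever the annotations say, and the only authoritative check is the container's own behaviour, so run an integration test with callers in each role against the deployed bean rather than trusting any static resolver, this one included.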