As far as I can recall, this is clearly written in the specification.
There are no special rules that apply for processing @ or deployment
descriptors.
Session bean inheritance is a convenient way to reuse business code, but
the inheritance does not have any component inheritance semantics.
Jean-Louis
2014-07-01 15:33 GMT+02:00 Reza Rahman <Reza.Rahman_at_oracle.com>:
> Have you tested to see what the RI does at the moment?
>
> On 7/1/2014 4:31 AM, neuling_at_dakosy.de wrote:
>
> Hello everyone,
>
> I have a question about the specification in chapter 12.3.2.1 of the EJB
> 3.2 spec (EJB 3.0 / 3.1 chapter 173.2.1).
>
> What is the behavior if I annotate @RolesAllowed at class level on the bean
> and on its super class? Does the bean class override the security
> annotation of its super class?
>
> Example 1:
>
> @RolesAllowed("admin")
> public class SomeClass {
>     public void aMethod () {...}
>     public void bMethod () {...}
>     ...
> }
>
> @Stateless
> @RolesAllowed("HR")
> public class MyBean extends SomeClass implements A {
>     public void cMethod () {...}
>     ...
> }
>
> My point of view is that the methods “aMethod” and “bMethod” will get the
> security role “HR” instead of “admin”, since the methods are not annotated
> with their own security role.
>
> If this is not the behavior and the methods “aMethod” and “bMethod” keep
> the role “admin”, both methods must be overridden to get the new security
> role “HR”.
>
> Example 2:
>
> @Stateless
> @RolesAllowed("HR")
> public class MyBean extends SomeClass implements A {
>     public void aMethod () {
>         super.aMethod();
>     }
>     public void bMethod () {
>         super.bMethod();
>     }
>     public void cMethod () {...}
>     ...
> }
>
> Another possibility is that every overridden method must be annotated with
> the new role.
>
> Example 3:
>
> @Stateless
> @RolesAllowed("HR")
> public class MyBean extends SomeClass implements A {
>     @RolesAllowed("HR")
>     public void aMethod () {
>         super.aMethod();
>     }
>     @RolesAllowed("HR")
>     public void bMethod () {
>         super.bMethod();
>     }
>     public void cMethod () {...}
>     ...
> }
>
>
> The last two possibilities would cause a lot of coding overhead, since
> every method of the bean super class declared in the business interface
> must be overridden to get a security role, especially if the super class has
> no role annotation.
>
> What is the correct behavior you want to specify?
>
>
> Thanks in advance
> Regards
> Mattias
>
>
>
--
Jean-Louis
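
The class hierarchy from the question, as an added example that is not part of the original thread or of any EJB container: a reflection sketch that resolves the roles of each business method under the EJB specification's rule that a class-level @RolesAllowed value applies to the methods defined by that class, with a method-level value taking precedence. The names `EffectiveRoles`, `rolesFor` and `effectiveRoles` and the local `RolesAllowed` stand-in annotation are assumptions made so the file compiles without an EJB API jar; `bMethod` is overridden as in Example 2 and `aMethod` is left inherited, so the two cases can be compared.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class EffectiveRoles {
    // Stand-in for javax.annotation.security.RolesAllowed (assumption, see lead-in).
    // Like the real annotation, it is not marked @Inherited.
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @interface RolesAllowed { String[] value(); }

    @RolesAllowed("admin")
    static class SomeClass {
        public void aMethod() {}
        public void bMethod() {}
    }

    @RolesAllowed("HR")
    static class MyBean extends SomeClass {
        @Override public void bMethod() { super.bMethod(); } // now defined by MyBean
        public void cMethod() {}
    }

    // A method-level value wins; otherwise use the class-level value of the
    // class that DEFINES the method, not of the bean class that inherits it.
    static List<String> rolesFor(Method m) {
        RolesAllowed r = m.getAnnotation(RolesAllowed.class);
        if (r == null) r = m.getDeclaringClass().getAnnotation(RolesAllowed.class);
        return r == null ? Collections.<String>emptyList() : Arrays.asList(r.value());
    }

    // Maps each public method reachable on the bean class to its resolved roles.
    static Map<String, List<String>> effectiveRoles(Class<?> bean) {
        Map<String, List<String>> out = new TreeMap<>();
        for (Method m : bean.getMethods()) {
            if (m.getDeclaringClass() == Object.class || m.isBridge()) continue;
            out.put(m.getName(), rolesFor(m));
        }
        return out;
    }

    public static void main(String[] args) {
        effectiveRoles(MyBean.class)
            .forEach((name, roles) -> System.out.println(name + " -> " + roles));
    }
}
```

Running `main` lists the inherited `aMethod` under the superclass role and the overridden `bMethod` and `cMethod` under the bean class role, which makes this kind of resolver useful as a review aid for spotting inherited methods whose permissions differ from the bean's own annotation.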