Saturday, February 19, 2011

EJB 3.1 Security example

I have been playing with different bean types from EJB3.1. EE6 and really improved JEE specs, EJB has been around for sometime now and until now its been really hard for developer to manage them with interfaces, deployment descriptor etc.
EE6 introduced new era of EJB3.1 that I think this should make life easy for developer (who wants to use EJBs). And surely annotations will reduce more code base in applications.
I have not been big fan of EJBs, that MIGHT change now as EJBs now more or less look like POJOs.
Let me show you how easy it is now to write EJB. Here's security EJB example from EJB3.1

First we have write EJB code with different security annotations. I have written Servlets to test it with EJB injection in to Servlet.
This example has been tested in GlassFish, to run this you need to have Global security set up and also you need to map role with defined users, in this case its "Authorized"...

here you go..

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.LocalBean;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
/**
* Session Bean implementation class MathSecTestEJb
*/
@Stateless
@LocalBean
@DeclareRoles({"Authorized"})
public class MathSecTestEJb {
/**
* Default constructor.
*/
public MathSecTestEJb() {
// TODO Auto-generated constructor stub
}

@Resource SessionContext ctx;
@RolesAllowed("Authorized")
public void printRoleName(){
System.out.println(ctx.getCallerPrincipal().getName());
}

@PermitAll
public int addNumber(int a, int b){
return a+b;
}
}
import java.io.IOException;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import vk.test.secejb.MathSecTestEJb;
/**
* Servlet implementation class MathSecServlet
*/
@WebServlet("/MathSecServlet")
@ServletSecurity(
@HttpConstraint(rolesAllowed = {"Authorized"}))
@RolesAllowed({"Authorized"})
public class MathSecServlet extends HttpServlet {
private static final long serialVersionUID = 1L;

/**
* @see HttpServlet#HttpServlet()
*/
public MathSecServlet() {
super();
// TODO Auto-generated constructor stub
}
/**
* @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
*/
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
// TODO Auto-generated method stub
doPost(request,response);
}
/**
* @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
*/
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
// TODO Auto-generated method stub
processNumber(request, response);
processRole(request, response);
}

@EJB MathSecTestEJb mathejb;
public void processNumber(HttpServletRequest request, HttpServletResponse response) throws IOException{
response.getOutputStream().println(mathejb.addNumber(5, 10));
}

@EJB MathSecTestEJb mathej;
@RolesAllowed({"Authorized"})
public void processRole(HttpServletRequest request, HttpServletResponse response) throws IOException{
mathej.printRoleName();
}

}

1 comment:

  1. not enough, how to set up Global security please.

    ReplyDelete