A direct mapping between the security roles specified in a bean's deployment
descriptor and individual users may not adequately control access to bean
methods. For example
- Two applications, provided by different suppliers, might use similar names
for security roles. In your enterprise, the users of each application might
be different.
- A bean could be used in more than one application. A user may be entitled
to use a particular method in one application, but not in the other.
- An application could be deployed in a test system and a production system.
Members of the test department may be permitted to use all bean methods in
the test system, but not in the production system.
To provide the degree of control that is needed in these and other cases,
you can qualify the security roles at the application level and the system
level. A security role with its qualifiers is known as a
deployed security role. Here is an example of a role name which is qualified
at both levels:
test.payroll.team_leader
- payroll qualifies the security role at the application level,
and is used to distinguish between the team_leader role in the
payroll application and the team_leader role in other applications.
- test qualifies the security role at the system level, and is
used to distinguish between the payroll.team_leader role in the
test system and the payroll.team_leader role in other systems.
At the application level, security roles are qualified by the display name, if one is specified in the deployment descriptor. If a
display name is not specified, the security roles are not qualified at the
application level. If an application level qualifier is used, a period (.) is used as the delimiter; if no qualifier is used, there is no delimiter.
At the system level, security roles are optionally qualified with a prefix
which is specified in the EJBROLEPRFX system initialization
parameter. If EJBROLEPRFX is not specified, the security roles are not qualified
at the system level. If a system level qualifier is used, a period (.) is used as the delimiter; if no qualifier is used, there is no delimiter.
This example shows how security roles defined in a bean's deployment descriptor
can be qualified:
- A bean contains three security roles: manager, team_leader, and data_entry
- The bean is used in a payroll application, with a display name of payroll. The bean is also part of a test application, which does not
have a display name.
- The payroll application is used on two production systems: the first does
not specify a prefix, while the second specifies a prefix of executive.
- The test application is used on a test system with a prefix of test1.
When the two levels of qualification are applied to the security roles
specified in the deployment descriptor, the deployed security roles are:
payroll.manager executive.payroll.manager test1.manager
payroll.team_leader executive.payroll.team_leader test1.team_leader
payroll.data_entry executive.payroll.data_entry test1.data_entry
Each
of these deployed roles can be mapped to individual users (or groups of users)
to suit the security need of the enterprise.
If a security role is not qualified at the application level, or at the
system level, then the deployed security role is the same as the security
role defined in the deployment descriptor. For example, if the bean in the
previous example is used in an application which does not have a display name,
and the application is used in a system that does not specify EJBROLEPRFX,
then the deployed security roles are:
manager
team_leader
data_entry