You can protect enterprise bean methods by assigning security
roles to them. Before you assign security roles, you need to know
which Enterprise JavaBeans (EJB) methods need
protecting and how to protect them.
About this task
You can assign a set of EJB methods to a set of roles.
When an EJB method is secured by associating a set of roles with it, a caller
must be granted at least one role in that set to access that method.
To exclude a set of EJB methods from access, mark the set excluded.
You can give everyone access to a set of enterprise beans methods
by clearing those methods. You can run enterprise beans as a different
identity, using the runAs identity, before invoking other enterprise
beans.
Note: This procedure might not match the steps that are
required when using your assembly tool, or match the version of the
assembly tool that you are using. You should follow the instructions
for the tool and version that you are using. For more information
about using assembly tools see the assembly tool information center.
To secure enterprise bean applications, follow these steps:
Procedure
- In an assembly tool, import your Enterprise JavaBeans (EJB) Java Archive (JAR) file or an application archive
(EAR) file that contains one or more web modules.
See
the information about importing an EJB JAR file or importing an enterprise
application EAR file in the Rational Application Developer documentation.
- In the Project Explorer, click EJB Projects directory
and click the name of your application.
- Right-click the deployment descriptor and click Open
with > Deployment Descriptor Editor. If you
selected an enterprise bean .jar file, an EJB deployment
descriptor editor opens. If you select an application .ear file,
an application deployment descriptor editor opens. To see online information
about the editor, press F1 and click the editor name.
- Create security roles. You can create security
roles at the application level or at the EJB module level. If you
create a security role at the EJB module level, the role is displayed
at the application level. If a security role is created at the application
level, the role is not displayed in all the EJB modules. You can copy
and paste into an EJB module one or more security roles that you create at
the application level:
- Create a role at an EJB module level. In an EJB deployment
descriptor editor, click the Assembly tab. Under Security Roles,
click Add. In the Add Security Role wizard, name and describe
the security role and click Finish.
- Create a role at the application level. In an application
deployment descriptor editor, select the Security tab. Under
the list of security roles, click Add. In the Add Security
Role wizard, name and describe the security role; then click Finish.
- Create method permissions. Method permissions
map one or more methods to a set of roles. An enterprise bean has
four types of methods: home methods, remote methods, LocalHome methods
and local methods. You can add permissions to enterprise beans on
the method level. You cannot add a method permission to an enterprise
bean unless you already have one or more security roles defined. For
Version 2.0 EJB projects, an unselected option specifies that the
selected methods from the selected beans do not require authorization
to run. To add a method permission to an enterprise bean:
- On the Assembly tab of an EJB deployment descriptor
editor, under Method Permissions, click Add. The Add
Method Permission wizard is opened.
- Select a security role from the list of roles found
and click Next.
- Select one or more enterprise beans from the list of
beans found. You can click Select All or Deselect All to
select or clear all of the enterprise beans in the list. Click Next.
- Select the methods that you want to bind to your security
role. The Method elements page lists all the methods that are associated
with the enterprise beans. You can click Apply to All or Deselect
All to quickly select or clear multiple methods. The selection
affects the default (*) method for each bean only. Creating a method
permission for the exact method signature overrides the default (*)
method permission setting. The default (*) method represents all the
methods within the bean. There are default (*) methods for each interface
as well. By not selecting all of the individual methods in the tree,
you can set other permissions on the remaining methods.
- Click Finish.
After the method permission is created, you can see the new
method permission in the tree. Expand the tree to see the bean and
the methods that are defined in the method permission.
- Exclude user access to methods. Users cannot
access excluded methods. Any method in the enterprise beans that is
neither assigned to a role nor excluded is cleared during
the application installation by the deployer.
- On the Assembly tab of an EJB deployment descriptor
editor, under Excludes List, click Add. The Exclude
List wizard is opened.
- Select one or more enterprise beans from the list of
beans found and click Next.
- Select one or more of the method elements to add to the exclude
list and click Finish.
- Map the security-role-ref and role-name to the role-link. When developing enterprise beans, you can create the security-role-ref
element. The security-role-ref element contains only the role-name
field. The role-name field holds the name of the role that is
referenced in the code by the isCallerInRole() check, which determines
whether the caller is in that role. Because you create security roles during
the assembly stage, the developer uses a logical role name in
the role-name field and provides enough information in the Description field
for the assembler to map it to the actual role (role-link). The security-role-ref
element is located at the EJB level. Enterprise beans can have zero
or more security-role-ref elements.
- On the Reference tab of an EJB deployment descriptor
editor, under the list of references, click Add. The Add Reference
wizard is opened.
- Select Security role reference and click Next.
- Name the security role reference, select a security
role to link the reference to, describe the security role reference,
and click Finish.
- Map every role-name that is used during development
to the role (role-link) using the previous steps.
- Specify the RunAs identity for enterprise bean components. The RunAs identity of the enterprise bean is used to invoke
the next enterprise beans in the chain of EJB invocations. When the
next enterprise beans are invoked, the RunAs identity is passed
to the next enterprise beans and is used for the authorization check
on the next enterprise bean. If the RunAs identity is not specified,
the client identity is propagated to the next enterprise bean. The
RunAs identity can be specified for an enterprise bean as a whole or for
individual methods in the enterprise bean.
- On the Access tab of an EJB deployment descriptor
editor, next to the Security Identity (Bean Level) field, click Add.
The Add Security Identity wizard is opened.
- Select the appropriate run as mode, describe the security
identity, and click Next. Select the Use identity
of caller mode to instruct the security service to not make changes
to the credential settings for the principal. Select
the Use identity assigned to specific role (below) mode to
use a principal that is assigned to the specified security role for
running the bean methods. This association is part of the application
binding in which the role is associated with the user ID and password
of a user who is granted that role. If you select the Use identity
assigned to specific role (below) mode, you must specify a role
name and role description.
- Select one or more enterprise beans from the list of
beans found and click Next. If Next is unavailable, click Finish.
- Optional: On the Method elements page, select
one or more of the method elements for the security identity and click Finish.
- Close the deployment descriptor editor and, when prompted,
click Yes to save the changes.
Results
After securing an EJB application, the resulting .jar file
contains security information in its deployment descriptor. The security
information of the EJB modules is stored in the ejb-jar.xml file.
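The method permissions, exclude list, security-role-ref links and RunAs identity that the procedure configures all end up as elements in this file. The following Python example is added here and is not part of the WebSphere or Rational Application Developer documentation: it parses a constructed EJB 2.x ejb-jar.xml and evaluates the precedence the procedure describes (an excluded method denies everyone; an exact method signature overrides the default (*) permission; an unchecked or cleared method needs no authorization; a security-role-ref maps the logical role-name used by isCallerInRole() to the linked role; a RunAs identity replaces the caller identity for the next bean in the chain). All bean, role and method names are invented, and the handling of an unlinked role-name is an assumption noted in the code.

```python
"""Evaluate the authorization rules that an ejb-jar.xml assembly descriptor
expresses: method permissions, the exclude list, security-role-ref links and
the RunAs identity, following the precedence described in the procedure."""
import xml.etree.ElementTree as ET

# Constructed EJB 2.x descriptor; bean, role and method names are invented.
EJB_JAR_XML = """<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>AccountBean</ejb-name>
      <security-role-ref>
        <description>Logical name used by isCallerInRole() in the code</description>
        <role-name>approver</role-name>
        <role-link>Manager</role-link>
      </security-role-ref>
      <security-identity><run-as><role-name>AuditWriter</role-name></run-as></security-identity>
    </session>
    <session>
      <ejb-name>AuditBean</ejb-name>
      <security-identity><use-caller-identity/></security-identity>
    </session>
    <session><ejb-name>ReportBean</ejb-name></session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>Teller</role-name></security-role>
    <security-role><role-name>Manager</role-name></security-role>
    <security-role><role-name>AuditWriter</role-name></security-role>
    <method-permission>  <!-- default (*) permission for the whole bean -->
      <role-name>Teller</role-name>
      <method><ejb-name>AccountBean</ejb-name><method-name>*</method-name></method>
    </method-permission>
    <method-permission>  <!-- exact signature overrides the (*) default -->
      <role-name>Manager</role-name>
      <method><ejb-name>AccountBean</ejb-name><method-name>transfer</method-name></method>
    </method-permission>
    <method-permission>  <!-- cleared: no authorization required -->
      <unchecked/>
      <method><ejb-name>AccountBean</ejb-name><method-name>getBalance</method-name></method>
    </method-permission>
    <method-permission>
      <role-name>AuditWriter</role-name>
      <method><ejb-name>AuditBean</ejb-name><method-name>*</method-name></method>
    </method-permission>
    <exclude-list>
      <method><ejb-name>AccountBean</ejb-name><method-name>closeAccount</method-name></method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>
"""

def _methods(elem):
    """(ejb-name, method-name) pairs listed under a method-permission or exclude-list."""
    return [(m.findtext("ejb-name"), m.findtext("method-name")) for m in elem.findall("method")]

def load(xml_text):
    """Build a lookup model from the descriptor text."""
    root = ET.fromstring(xml_text)
    asm = root.find("assembly-descriptor")
    perms = []  # (ejb-name, method-name, set of roles, or None when <unchecked/>)
    for mp in asm.findall("method-permission"):
        roles = None if mp.find("unchecked") is not None else {r.text for r in mp.findall("role-name")}
        perms.extend((ejb, meth, roles) for ejb, meth in _methods(mp))
    excl = asm.find("exclude-list")
    beans = {}
    for bean in root.find("enterprise-beans"):
        refs = bean.findall("security-role-ref")
        beans[bean.findtext("ejb-name")] = {
            "links": {r.findtext("role-name"): r.findtext("role-link") for r in refs},
            "run_as": bean.findtext("security-identity/run-as/role-name"),
        }
    return {"perms": perms, "excluded": set(_methods(excl)) if excl is not None else set(), "beans": beans}

def authorize(model, ejb, method, caller_roles):
    """Return (allowed, reason). Exclusion wins, then the exact signature, then the (*) default."""
    if (ejb, method) in model["excluded"]:
        return False, "excluded"
    exact = [r for e, m, r in model["perms"] if e == ejb and m == method]
    default = [r for e, m, r in model["perms"] if e == ejb and m == "*"]
    applicable = exact or default
    if not applicable:  # neither assigned nor excluded: cleared at install, so open to everyone
        return True, "unassigned: cleared"
    if any(r is None for r in applicable):
        return True, "unchecked"
    if set().union(*applicable) & set(caller_roles):
        return True, "role granted"
    return False, "caller lacks a required role"

def is_caller_in_role(model, ejb, coded_role, caller_roles):
    """What isCallerInRole(coded_role) sees once the role-name is linked to a real role.
    Assumption: an unlinked role-name is compared against the caller's roles as written."""
    actual = model["beans"][ejb]["links"].get(coded_role, coded_role)
    return actual in set(caller_roles)

def propagated_identity(model, ejb, caller_identity):
    """Identity the bean passes to the next bean in the call chain."""
    return model["beans"][ejb]["run_as"] or caller_identity

if __name__ == "__main__":
    m = load(EJB_JAR_XML)
    for roles, meth in [({"Teller"}, "deposit"), ({"Teller"}, "transfer"), ({"Manager"}, "closeAccount")]:
        print(meth, sorted(roles), authorize(m, "AccountBean", meth, roles))
    print("approver?", is_caller_in_role(m, "AccountBean", "approver", {"Manager"}))
    print("next hop runs as", propagated_identity(m, "AccountBean", "alice"))
```

The model is a pre-deployment review aid, not the container's authorization engine: running it over a descriptor before installation shows which methods are open to everyone because they were neither assigned nor excluded, which is the case the deployer otherwise only discovers at install time.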
What to do next
After securing an EJB application using an assembly tool,
you can install the EJB application using the administrative console.
During the installation of a secured EJB application, follow the steps
in the topic, Deploying secured applications, to complete the task
of securing the EJB application.