Security in EJB

Security issues in EJBs are handled almost completely in the deployment descriptor. This allows changes in security rules without rewriting or recompiling Java code.

The primary concept for EJB security is that of “roles”.  A user may be in one or more roles.  It is only roles that have particular access rights, not users.  So for instance, the “administrator” role might have certain access rights that the “client” role might not.  If a user is switched from being a “client” to an “administrator” (or is given both roles), that user will then have access to all the methods accessible to the “administrator” role.

Each method can be restricted based upon roles.  The restrictions are listed in the <assembly-descriptor> tag.  First of all, all roles must be listed.  Then for each method, the access rights are listed by role.  An example is shown below:

<assembly-descriptor>
  <security-role>
    <role-name>administrator</role-name>
  </security-role>
  <security-role>
    <role-name>client</role-name>
  </security-role>
  <method-permission>
    <role-name>administrator</role-name>
    <role-name>client</role-name>
    <method>
      <ejb-name>StockQuotes</ejb-name>
      <method-name>buy</method-name>
    </method>
    <method>
      <ejb-name>StockQuotes</ejb-name>
      <method-name>getPrice</method-name>
    </method>
  </method-permission>
</assembly-descriptor>

Each method-permission tag may list one or more role names, followed by one or more methods that are accessible for those roles.  The “*” character may be used in place of a method name to indicate all methods of the bean.  For multiple methods with the same name, the EJB specifications allow detailed parameter lists and interface type to identify methods uniquely, but this is outside the scope of this tutorial — check reference material if you need to do this.
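The role check a container performs against such a descriptor can be modelled directly.  The following Python example is added here and is not part of the tutorial: it parses an assembly-descriptor, flags any role used in a method-permission that was never declared in a security-role, and decides whether a caller's roles grant a given method (including the “*” wildcard).  A method that no method-permission covers is treated as denied; that default is an assumption of this example, not a rule stated above.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor modelled on the StockQuotes example above,
# with a wildcard permission for the administrator role added.
DESCRIPTOR = """<assembly-descriptor>
  <security-role><role-name>administrator</role-name></security-role>
  <security-role><role-name>client</role-name></security-role>
  <method-permission>
    <role-name>administrator</role-name>
    <method><ejb-name>StockQuotes</ejb-name><method-name>*</method-name></method>
  </method-permission>
  <method-permission>
    <role-name>client</role-name>
    <method><ejb-name>StockQuotes</ejb-name><method-name>getPrice</method-name></method>
  </method-permission>
</assembly-descriptor>"""


def parse_permissions(xml_text):
    """Return (declared_roles, permissions); permissions is a list of
    (roles, [(ejb_name, method_name), ...]) tuples, one per <method-permission>."""
    root = ET.fromstring(xml_text)
    declared = {r.findtext("role-name").strip() for r in root.findall("security-role")}
    perms = []
    for mp in root.findall("method-permission"):
        roles = {r.text.strip() for r in mp.findall("role-name")}
        methods = [(m.findtext("ejb-name").strip(), m.findtext("method-name").strip())
                   for m in mp.findall("method")]
        perms.append((roles, methods))
    return declared, perms


def undeclared_roles(xml_text):
    """Roles referenced in a <method-permission> but missing from <security-role>."""
    declared, perms = parse_permissions(xml_text)
    used = set().union(*(roles for roles, _ in perms)) if perms else set()
    return used - declared


def is_permitted(xml_text, user_roles, ejb_name, method_name):
    """True if any of the caller's roles is granted the method.  Methods that no
    <method-permission> covers are denied here (assumption for this example)."""
    _, perms = parse_permissions(xml_text)
    for roles, methods in perms:
        if not roles & set(user_roles):
            continue
        for ejb, name in methods:
            if ejb == ejb_name and name in ("*", method_name):
                return True
    return False
```

Running `undeclared_roles` over a descriptor before deployment catches the common mistake of granting a method to a role that was never listed in a security-role element.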

The actual mapping from user names to security roles, and the specification of user names and passwords is application-server dependent.

Exercise:  Add a set of security roles to the StockQuotes or the bank-account EJB (and rebuild and redeploy the EJB.)  Check application server documentation to find out how to specify usernames and passwords.  Test the security by providing incorrect as well as correct usernames and passwords.  Check to see how this works in linked EJBs, when the bank-account EJB calls a method in the StockQuotes EJB.  What happens if the username/password provided is OK for the first but not for the called method in the second (linked) EJB, and vice versa?

Further learning

This site should have provided sufficient material to get started with EJB programming.  It is not meant to be a reference.  Instead it is meant to provide sufficient exposure to most of the important concepts, so that EJBs can be used in useful ways and also so that detailed reference material will become easy to understand.

For further and in-depth detailed learning, the specifications for EJB can be downloaded from Sun Microsystems’ EJB specifications page.