Security annotations and authorization applications in the GlassFish and Java EE 5 SDK

Source: Internet
Author: User
Tags comments web services glassfish

Security is important for an enterprise environment. In the Java EE 5/glassfish environment, you can implement security in the following ways:

Transport Layer Security (TLS)/Secure Sockets Layer (SSL) technology

Authentication (authentication) and authorization (Authorization)

Message-Layer Security (for WEB services in GlassFish only)

This article discusses authentication and authorization. References [1], [2], and [3] discuss how to establish an SSL environment for Enterprise JavaBeans and Web services on both the client and server side. Message-Layer Security for WEB services will be discussed in future articles.

The authentication service generally achieves the purpose of verifying the user's identity by requiring the user to enter a user name and password. In the Java EE environment, authentication is associated with the domain (realm). Domains can store user identity information in a variety of ways, including files, LDAP directories, and even databases accessed through JDBC (see resources [4]). It can also work with the Solaris Pluggable authentication module (pluggable authentication Modules, PAM) framework.

The licensing service performs an access control authorization operation based on the software that is running and the identity of the user running the software. Each time a user logs on, the application assigns him or her a set of permissions.

Before Java EE 5, if you wanted to use authorization in an application, you would need to specify authorization information in the application Deployment descriptor Ejb-jar.xml or Web.xml. One of the important improvements in Java EE 5 is the simplification of Java EE application development. Starting with Java EE 5, developers can specify annotations in Java source files without adding metadata to the deployment descriptor. Annotations simplify the development of Java EE applications, shorten the development cycle, and reduce the total cost of ownership.

JSR 250 (see resources [5]) defines the common annotations in the Java platform. This article discusses the security annotations defined in JSR 250 and demonstrates how to implement authentication and authorization through them in your application for security.

Basic definitions and examples

A note (Annotation) is a special modifier that can be used in conjunction with other modifiers. Comments are made up of the @ symbol, the annotation type, and the list of element values that are enclosed in parentheses.

This section discusses the common security annotations defined by JSR 250. There are 5 kinds (see resources [6]):

@PermitAll, @DenyAll, and @RolesAllowed annotations are defined for the specified EJB business method permissions. @DeclareRoles and @RunAs are TYPE-level annotations that specify the metadata associated with the role.

For WEB modules, you still need to define a <security-constraint> in the Web.xml application deployment descriptor to add authorization constraints, similar to the Java EE 1.4. In the Java EE 5 environment, permissions-related annotations are defined only for EJB modules. The following table summarizes the basic usage of these annotations. For more information, see the JSR 250 specification (reference [5]).

Comments Goal EJB or its superclass Servlet or Web Library Describe
Type Method
@PermitAll X X X Indicates that a method or all business methods of an EJB are allowed to be accessed by all users.
@DenyAll X X Indicates that a method of an EJB is not allowed to be accessed by any user.
@RolesAllowed X X X Indicates that a method or all business methods of an EJB are allowed to be accessed by users in the role list.
@DeclareRoles X X X Define roles for security checks for use by Ejbcontext.iscallerinrole, Httpservletrequest.isuserinrole, and Webservicecontext.isuserinrole.
@RunAs X X (not applicable to non-EJB superclass) X (for Servlet only) Specifies the Run-as role of a component.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.