Security annotations and authorization applications in the GlassFish and Java EE 5 SDK

Security is important for an enterprise environment. In the Java EE 5/glassfish environment, you can implement security in the following ways:

Transport Layer Security (TLS)/Secure Sockets Layer (SSL) technology

Authentication (authentication) and authorization (Authorization)

Message-Layer Security (for WEB services in GlassFish only)

This article discusses authentication and authorization. References [1], [2], and [3] discuss how to establish an SSL environment for Enterprise JavaBeans and Web services on both the client and server side. Message-Layer Security for WEB services will be discussed in future articles.

The authentication service generally achieves the purpose of verifying the user's identity by requiring the user to enter a user name and password. In the Java EE environment, authentication is associated with the domain (realm). Domains can store user identity information in a variety of ways, including files, LDAP directories, and even databases accessed through JDBC (see resources [4]). It can also work with the Solaris Pluggable authentication module (pluggable authentication Modules, PAM) framework.

The licensing service performs an access control authorization operation based on the software that is running and the identity of the user running the software. Each time a user logs on, the application assigns him or her a set of permissions.

Before Java EE 5, if you wanted to use authorization in an application, you would need to specify authorization information in the application Deployment descriptor Ejb-jar.xml or Web.xml. One of the important improvements in Java EE 5 is the simplification of Java EE application development. Starting with Java EE 5, developers can specify annotations in Java source files without adding metadata to the deployment descriptor. Annotations simplify the development of Java EE applications, shorten the development cycle, and reduce the total cost of ownership.

JSR 250 (see resources [5]) defines the common annotations in the Java platform. This article discusses the security annotations defined in JSR 250 and demonstrates how to implement authentication and authorization through them in your application for security.

Basic definitions and examples

A note (Annotation) is a special modifier that can be used in conjunction with other modifiers. Comments are made up of the @ symbol, the annotation type, and the list of element values that are enclosed in parentheses.

This section discusses the common security annotations defined by JSR 250. There are 5 kinds (see resources [6]):

Javax.annotation.security.PermitAll

Javax.annotation.security.DenyAll

Javax.annotation.security.RolesAllowed

Javax.annotation.security.DeclareRoles

Javax.annotation.security.RunAs

@PermitAll, @DenyAll, and @RolesAllowed annotations are defined for the specified EJB business method permissions. @DeclareRoles and @RunAs are TYPE-level annotations that specify the metadata associated with the role.

For WEB modules, you still need to define a <security-constraint> in the Web.xml application deployment descriptor to add authorization constraints, similar to the Java EE 1.4. In the Java EE 5 environment, permissions-related annotations are defined only for EJB modules. The following table summarizes the basic usage of these annotations. For more information, see the JSR 250 specification (reference [5]).

Comments	Goal	EJB or its superclass	Servlet or Web Library	Describe
Type	Method
@PermitAll	X	X	X		Indicates that a method or all business methods of an EJB are allowed to be accessed by all users.
@DenyAll		X	X		Indicates that a method of an EJB is not allowed to be accessed by any user.
@RolesAllowed	X	X	X		Indicates that a method or all business methods of an EJB are allowed to be accessed by users in the role list.
@DeclareRoles	X		X	X	Define roles for security checks for use by Ejbcontext.iscallerinrole, Httpservletrequest.isuserinrole, and Webservicecontext.isuserinrole.
@RunAs	X		X (not applicable to non-EJB superclass)	X (for Servlet only)	Specifies the Run-as role of a component.