J2EE^TM Developer's Guide
Security

Authorization

Authorization is the process by which the J2EE server grants or denies permission to invoke the methods of an enterprise bean. You define authorization in the enterprise bean's security attributes in three steps:

Declaring Roles

When you design an enterprise bean, you should keep in mind what types of users will access the bean. For example, an Account enterprise bean might be accessed by customers, bank tellers, and branch managers. Each of these user categories is called a role.

A J2EE group also represents a category of users, but it has a different scope than a role. A J2EE group is designated for the entire J2EE server, whereas a role covers only a specific application in a J2EE server.

To create a role for an application, you declare it for the EJB .jar or web component (.war) files contained in the application. For example, to create a role for an enterprise bean, follow this procedure in the Application Deployment Tool:

1. In the tree view, select the enterprise bean's EJB .jar file.

2. In the Roles tabbed pane, click Add.

3. In the table, enter values for the Name and Description fields.

Declaring Method Permissions

After you've defined the roles, you're ready to define the method permissions of an enterprise bean. Method permissions indicate which roles are allowed to invoke which methods.

The following table shows how you might define the method permissions of an Account bean. Managers and tellers may create and remove accounts. Only managers are allowed to audit accounts. Customers may credit and debit their accounts and may transfer funds. In the table, an "X" indicates that the role may invoke the method, and a "0" indicates that permission is denied.

TABLE 8-1 Method Permissions in an Account Bean

Method Name

Manager

Teller

Customer

create X X 0
remove X X 0
audit X 0 0
credit 0 0 X
debit 0 0 X
transfer 0 0 X

TABLE 8-1 Method Permissions in an Account Bean
Method Name	Manager	Teller	Customer
create	X	X	0
remove	X	X	0
audit	X	0	0
credit	0	0	X
debit	0	0	X
transfer	0	0	X

You specify method permissions by mapping roles to methods with the Application Deployment Tool:

1. In the tree view, select the enterprise bean.

2. Select the Security tabbed pane.

3. In the Method Permissions table, select a role's checkbox if that role should be allowed to invoke a method.

Mapping Roles to J2EE Users and Groups

When you are developing an enterprise bean, you should know the roles of your users, but you probably won't know exactly who the users will be. That's okay, because after your bean has been deployed the administrator of the J2EE server will map the roles to the J2EE users (or groups) of the default realm. In the Account bean example, the adminstrator might assign the user Sally to the Manager role, and the users Bob, Ted, and Clara to the Teller role.

Using the Application Deployment Tool, the administrator maps roles to J2EE users and groups by following these steps:

1. In the tree view, select the application.

2. In the Security tabbed pane, select the appropriate role from the Role Name list.

3. Click Add.

4. In the Users dialog box, select the users and groups that should belong to the role. (The users and groups were created with the command-line realmtool.)

By default, the Role Name table assigns the ANYONE role to a method. The guest user, which is anonymous and unauthenticated, belongs to the ANYONE role. Therefore, if you do not map the roles, any user may invoke the methods of an enterprise bean.

Prev | Next

TOC | Index