J2EE Developer's Guide: Security
A J2EE group also represents a category of users, but it has a different scope than a role. A J2EE group is defined for the entire J2EE server, whereas a role applies only to a specific application deployed in that server.
To create a role for an application, you declare it in the EJB .jar or web component (.war) files contained in the application. For example, to create a role for an enterprise bean, follow this procedure in the Application Deployment Tool:
1. In the tree view, select the enterprise bean's EJB .jar file.
2. In the Roles tabbed pane, click Add.
3. In the table, enter values for the Name and Description fields.
The following table shows how you might define the method permissions of an Account bean. Managers and tellers may create and remove accounts. Only managers are allowed to audit accounts. Customers may credit and debit their accounts and may transfer funds. In the table, an "X" indicates that the role may invoke the method, and a "0" indicates that permission is denied.

| Method Name | Manager | Teller | Customer |
|---|---|---|---|
| create | X | X | 0 |
| remove | X | X | 0 |
| audit | X | 0 | 0 |
| credit | 0 | 0 | X |
| debit | 0 | 0 | X |
| transfer | 0 | 0 | X |
You specify method permissions by mapping roles to methods with the Application Deployment Tool:
1. In the tree view, select the enterprise bean.
2. Select the Security tabbed pane.
3. In the Method Permissions table, select a role's checkbox if that role should be allowed to invoke a method.
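The Application Deployment Tool records the roles and method permissions you select in the assembly descriptor section of the bean's ejb-jar.xml. The following is an added example, not taken from the guide, that shows what the Account bean's permission table above looks like in that descriptor, using the standard EJB security-role and method-permission elements; the bean name AccountBean is an assumed value.

```xml
<!-- Added example: ejb-jar.xml assembly descriptor for the Account bean.
     The bean name "AccountBean" is assumed; the roles and the
     role-to-method matrix match the permission table in the text. -->
<ejb-jar>
  <enterprise-beans>
    <entity>
      <ejb-name>AccountBean</ejb-name>
      <!-- home, remote, ejb-class and persistence elements omitted -->
    </entity>
  </enterprise-beans>
  <assembly-descriptor>

    <!-- Roles declared for this application (step 1-3 above) -->
    <security-role>
      <description>Bank managers: full account administration</description>
      <role-name>Manager</role-name>
    </security-role>
    <security-role>
      <description>Tellers: open and close accounts</description>
      <role-name>Teller</role-name>
    </security-role>
    <security-role>
      <description>Account holders</description>
      <role-name>Customer</role-name>
    </security-role>

    <!-- create and remove: Manager and Teller ("X"), Customer denied ("0") -->
    <method-permission>
      <role-name>Manager</role-name>
      <role-name>Teller</role-name>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>create</method-name>
      </method>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>remove</method-name>
      </method>
    </method-permission>

    <!-- audit: Manager only -->
    <method-permission>
      <role-name>Manager</role-name>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>audit</method-name>
      </method>
    </method-permission>

    <!-- credit, debit, transfer: Customer only -->
    <method-permission>
      <role-name>Customer</role-name>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>credit</method-name>
      </method>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>debit</method-name>
      </method>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>transfer</method-name>
      </method>
    </method-permission>

  </assembly-descriptor>
</ejb-jar>
```

A role that is not listed in a method-permission element for a given method is denied that method, which is the "0" in the table. The reverse check matters just as much when reviewing a deployment: a method that appears in no method-permission element at all falls back to the default role mapping the text describes below, so every business method of the bean should be accounted for in the descriptor.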
Using the Application Deployment Tool, the administrator maps roles to J2EE users and groups by following these steps:
1. In the tree view, select the application.
2. In the Security tabbed pane, select the appropriate role from the Role Name list.
3. Click Add.
4. In the Users dialog box, select the users and groups that should belong to the role. (The users and groups were created with the command-line realmtool.)
By default, the Role Name table assigns the ANYONE role to a method. The guest user, which is anonymous and unauthenticated, belongs to the ANYONE role. Therefore, if you do not map the roles, any user, including an unauthenticated one, may invoke the methods of an enterprise bean.