About Question enthuware.oce-ejbd.v6.2.603 :


himaiMinh
Posts: 358
Joined: Fri Nov 29, 2013 8:26 pm

Re: About Question enthuware.oce-ejbd.v6.2.603 :

Post by himaiMinh »

I am not sure if that will be on the exam.

The JEE tutorial says at http://docs.oracle.com/javaee/5/tutorial/doc/bnbyl.html
Defining Security Roles
....
You can augment the set of security roles defined for the application by annotations using the security-role deployment descriptor element to define security roles, where you use the role-name element to define the name of the security role.
However, the specification says the method permission overrides the annotations.

As in the example shown in my previous post, I used GlassFish 3.1.2 to implement the question in ejbd.v6.2.616.
The dd defines customer as the role allowed to access the two doStuff methods.
One of the doStuff() methods is annotated with @RolesAllowed("user").
When I tried it, the user role was not allowed to access doStuff(), as the dd overrides the role with customer.

I wonder whether this feature may be application-server specific. Maybe GlassFish uses the dd to override annotations. Maybe other servers use the dd to augment annotations.

admin
Site Admin
Posts: 10386
Joined: Fri Sep 10, 2010 9:26 pm

Re: About Question enthuware.oce-ejbd.v6.2.603 :

Post by admin »

himaiMinh wrote: I wonder whether this feature may be application-server specific. Maybe GlassFish uses the dd to override annotations. Maybe other servers use the dd to augment annotations.
Yes, that is possible.

henrid
Posts: 31
Joined: Sun Oct 13, 2013 1:20 pm

Re: About Question enthuware.oce-ejbd.v6.2.603 :

Post by henrid »

One thing is still not clear to me.
If a class has @RolesAllowed("USER") and @DeclareRoles("ADMIN"), does only USER have access to its methods, or also ADMIN?
Thus, does @DeclareRoles imply @RolesAllowed implicitly or not?
Otherwise I would expect:
@RolesAllowed({"USER", "ADMIN"}) and @DeclareRoles("ADMIN") in order to make ADMIN available for isCallerInRole().
If @DeclareRoles in itself does not allow a role for the method, it should be duplicated in @RolesAllowed.

admin
Site Admin
Posts: 10386
Joined: Fri Sep 10, 2010 9:26 pm

Re: About Question enthuware.oce-ejbd.v6.2.603 :

Post by admin »

@RolesAllowed determines which roles can access the method, while @DeclareRoles determines the result of the method call isUserInRole. ( https://docs.oracle.com/cd/E19316-01/81 ... index.html )

In your example only USER is allowed to invoke the method, and isUserInRole("ADMIN") will return false. So yes, I think the roles declared in @DeclareRoles should be present in @RolesAllowed.
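
As an added example, not code from the question or from any poster in this thread, here is a bean that puts the two annotations side by side for the case henrid asked about, with the deployment-descriptor override case from himaiMinh's post shown as an ejb-jar.xml fragment in a comment. The bean name CrazyBean, the doStuff methods, and the role names USER, ADMIN and customer are assumed for illustration. Note that isCallerInRole is the EJB SessionContext method (isUserInRole is the servlet-side equivalent on HttpServletRequest), and that a caller mapped to both USER and ADMIN passes the @RolesAllowed("USER") check and then gets true from isCallerInRole("ADMIN"); a caller in ADMIN alone never reaches the method body.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Added example (not the bean from the question). Bean name, method names
// and role names are assumed for illustration.
@Stateless
// @DeclareRoles only declares role names the bean will test with
// isCallerInRole(); it grants nothing. Roles named in @RolesAllowed are
// declared implicitly, so ADMIN is the only one that must be listed here.
@DeclareRoles("ADMIN")
public class CrazyBean {

    @Resource
    private SessionContext ctx;

    // Invocation gate: only a caller in USER gets past this line.
    //   caller in USER only          -> body runs, isCallerInRole("ADMIN") is false
    //   caller in ADMIN only         -> container throws EJBAccessException,
    //                                   body never runs
    //   caller in USER and ADMIN     -> body runs, isCallerInRole("ADMIN") is true
    @RolesAllowed("USER")
    public String doStuff() {
        if (ctx.isCallerInRole("ADMIN")) {
            return "privileged path";
        }
        return "regular path";
    }

    // If ADMIN should be able to call the method at all, it has to be
    // granted here as well; the branch inside then distinguishes the two.
    @RolesAllowed({"USER", "ADMIN"})
    public String doStuff(String arg) {
        return ctx.isCallerInRole("ADMIN") ? "admin:" + arg : "user:" + arg;
    }

    // Example of a caller-side check a client could use to tell the
    // "not allowed in" case apart from the "allowed in, not ADMIN" case.
    public static String describe(CrazyBean bean) {
        try {
            return "invoked: " + bean.doStuff();
        } catch (EJBAccessException e) {
            return "rejected by @RolesAllowed / method-permission";
        }
    }
}

/*
 * ejb-jar.xml fragment (assumed) for the deployment-descriptor case
 * discussed earlier in the thread. A method-permission on doStuff that
 * grants "customer" is what GlassFish 3.1.2 was observed to apply in place
 * of the @RolesAllowed("USER") on that method, so a caller in USER alone
 * is then rejected and a caller in customer is admitted.
 *
 * <assembly-descriptor>
 *   <security-role>
 *     <role-name>customer</role-name>
 *   </security-role>
 *   <method-permission>
 *     <role-name>customer</role-name>
 *     <method>
 *       <ejb-name>CrazyBean</ejb-name>
 *       <method-name>doStuff</method-name>
 *     </method>
 *   </method-permission>
 * </assembly-descriptor>
 */
```

Whether the descriptor overrides or augments the annotation on a given server is exactly the point under discussion above, so the safe practice when both are present is to deploy and test each principal-to-role mapping rather than assume either behaviour.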

henrid
Posts: 31
Joined: Sun Oct 13, 2013 1:20 pm

Re: About Question enthuware.oce-ejbd.v6.2.603 :

Post by henrid »

Thanks. That's what I was thinking too. Because what's the point of checking whether a user is in the role, when it cannot propagate into the method either?
At least, the source code calls it "CrazyBean" :lol:

JOHNATHON
Posts: 1
Joined: Wed Apr 17, 2019 7:01 am

Re: About Question enthuware.oce-ejbd.v6.2.603 :

Post by JOHNATHON »

Crazy Bean :lol: :lol:

