About Question enthuware.ocejws.v6.2.222 :

Moderators: Site Manager, fjwalraven

Post Reply
himaiMinh
Posts: 358
Joined: Fri Nov 29, 2013 8:26 pm
Contact:

About Question enthuware.ocejws.v6.2.222 :

Post by himaiMinh » Sat Apr 26, 2014 10:49 pm

From this J2EE 6 tutorial at :http://www.ce.unipr.it/people/poggi/tea ... bncas.html
Java EE security services can be implemented for web applications in the following ways:
Metadata annotations (or simply, annotations) are used to specify information about security within a class file. When the application is deployed, this information can either be used by or overridden by the application deployment descriptor.
New in Java EE 6 and Servlet specification 3.0, the @RolesAllowed, @DenyAll, @PermitAll, and @TransportProtected annotations are supported for Servlet.
Another quote from: https://access.redhat.com/site/document ... urity.html
RESTEasy supports the @RolesAllowed, @PermitAll, and @DenyAll annotations on JAX-RS methods. However, it does not recognize these annotations by default. Follow these steps to configure the web.xml file and enable role-based security.
Do not activate role-based security if the application uses EJBs. The EJB container will provide the functionality, instead of RESTEasy.

If the root class is not an EJB, but a servlet-based service, the @RolesAllowed works according to this quote.

(However, I did not see any @RolesAllowed , @DenyAll, @PermitAll annotation documented in JSR-340).

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am
Contact:

Re: About Question enthuware.ocejws.v6.2.222 :

Post by fjwalraven » Sun Apr 27, 2014 2:10 am

If the root class is not an EJB, but a servlet-based service, the @RolesAllowed works according to this quote.
The @RolesAllowed on a Servlet is always related to an URL-pattern (coarse-grained authorization). The other annotations (used on an EJB) are related to method based protection (fine-grained authorization).

Note that RESTEasy supports the security annotations even on Servlet-based root resource classes however this is not required by the JAX-RS specs (in other words: on the exam they are not supported on a root resource class deployed as a Servlet)

Regards,
Frits

himaiMinh
Posts: 358
Joined: Fri Nov 29, 2013 8:26 pm
Contact:

Re: About Question enthuware.ocejws.v6.2.222 :

Post by himaiMinh » Sun Apr 27, 2014 4:29 pm

Thanks. I think I understand it now.
I tried this with NetBean:

Code: Select all

//It compiles.
@WebService
@DeclareRoles({"teacher", "student"})
public class MyResource {
    
    @RolesAllowed("teacher")
    public String udpateGrades(){
        return "teacher access update grades";
    }
    
    @RolesAllowed("student")
     public String getStudentProfile(){
        return "student gets his or her profile.";
      }
}

Code: Select all

//web.xml
//The URL /MyResourceService can be accessed by both teacher and student.
<web-app>
   <security-constraint>
       <web-resource-collection> 
           <web-resource-name>Role base application</web-resource-name>
           <url-pattern>/MyResourceService</url-pattern>
           <http-method>POST</http-method>
       </web-resource-collection>    
        <auth-constraint>
           <role-name>teacher</role-name>
           <role-name>student</role-name>
       </auth-constraint> 
    </security-constraint>
    <login-config>
         <auth-method>BASIC</auth-method>
    </login-config>  
     <security-role>
        <role-name>teacher</role-name>
      </security-role>  
       <security-role>
         <role-name>student</role-name>
      </security-role> 
</web-app>

Code: Select all

//glassfish-web.xml
<glassfish-web-app>
   <context-root>/RoleSecurityApp</context-root>  
   <security-role-mapping>
       <role-name>teacher</role-name>
       <principal-name>john</principal-name>
   </security-role-mapping>
    <security-role-mapping>
       <role-name>student</role-name>
       <principal-name>mary</principal-name>
   </security-role-mapping>
  </glassfish-web-app>

Code: Select all

public class ResourceApp {
    public static void main (String... args){
          MyResourceService service = new MyResourceService();
          MyResource port = service.getMyResourcePort();
          BindingProvider bp = (BindingProvider)port;
          bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "john");
           bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY,"secret");
          System.out.println(port.getStudentProfile());
    }
}
Even though "john" is a teacher, he can still access the getStudentProfile() even though it only allows students to access it.

himaiMinh
Posts: 358
Joined: Fri Nov 29, 2013 8:26 pm
Contact:

Re: About Question enthuware.ocejws.v6.2.222 :

Post by himaiMinh » Sun Apr 27, 2014 4:32 pm

Code: Select all

 //This is the EJB based web service endpoint
@WebService
@Stateless
@DeclareRoles({"teacher", "student"})
public class MyEJBResource {
    
    @RolesAllowed("teacher")
    public String udpateGrades(){
        return "teacher access update grades";
    }
    
    @RolesAllowed("student")
     public String getStudentProfile(){
        return "student gets his or her profile.";
        
    }
}

Code: Select all

<glassfish-ejb-jar>
  <security-role-mapping>
    <role-name>teacher</role-name>
    <principal-name>john</principal-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>student</role-name>
    <principal-name>mary</principal-name>
  </security-role-mapping>
  <enterprise-beans>
    <ejb>
      <ejb-name>MyEJBResource</ejb-name>
      <webservice-endpoint>
        <port-component-name>MyEJBResource</port-component-name>
        <login-config>
          <auth-method>BASIC</auth-method>
        </login-config>
      </webservice-endpoint>
      
    </ejb>
  </enterprise-beans>
</glassfish-ejb-jar>
With a similar client, john cannot access to getStudentProfile() as it only allows student's role to access it.

The same concept will be applied to JAX-RS applications too.

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am
Contact:

Re: About Question enthuware.ocejws.v6.2.222 :

Post by fjwalraven » Thu May 01, 2014 10:55 pm

Yes, that is a good example of the difference between a Servlet Web Service and an EJB Web Service.

johnlong
Posts: 185
Joined: Mon Jun 20, 2016 5:06 pm
Contact:

Re: About Question enthuware.ocejws.v6.2.222 :

Post by johnlong » Mon Nov 14, 2016 1:20 am

@DenyAll overrules @RolesAllowed("student")

But

@PermitAll does not overrule @RolesAllowed("student") ?

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am
Contact:

Re: About Question enthuware.ocejws.v6.2.222 :

Post by fjwalraven » Mon Nov 14, 2016 2:38 am

The general rule is: "A Method-level annotation overrides the behavior of class level annotation"

Regards,
Frits

Post Reply

Who is online

Users browsing this forum: Google [Bot] and 4 guests