About Question enthuware.ocejws.v6.2.222 :
Posted: Sat Apr 26, 2014 10:49 pm
by himaiMinh
From this J2EE 6 tutorial at :
http://www.ce.unipr.it/people/poggi/tea ... bncas.html
Java EE security services can be implemented for web applications in the following ways:
Metadata annotations (or simply, annotations) are used to specify information about security within a class file. When the application is deployed, this information can either be used by or overridden by the application deployment descriptor.
New in Java EE 6 and Servlet specification 3.0, the @RolesAllowed, @DenyAll, @PermitAll, and @TransportProtected annotations are supported for Servlet.
Another quote from:
https://access.redhat.com/site/document ... urity.html
RESTEasy supports the @RolesAllowed, @PermitAll, and @DenyAll annotations on JAX-RS methods. However, it does not recognize these annotations by default. Follow these steps to configure the web.xml file and enable role-based security.
Do not activate role-based security if the application uses EJBs. The EJB container will provide the functionality, instead of RESTEasy.
If the root class is not an EJB, but a servlet-based service, the @RolesAllowed works according to this quote.
(However, I did not see any @RolesAllowed, @DenyAll or @PermitAll annotation documented in JSR-340.)
Re: About Question enthuware.ocejws.v6.2.222 :
Posted: Sun Apr 27, 2014 2:10 am
by fjwalraven
If the root class is not an EJB, but a servlet-based service, the @RolesAllowed works according to this quote.
The @RolesAllowed on a Servlet is always related to a URL pattern (coarse-grained authorization). The other annotations (used on an EJB) are related to method-based protection (fine-grained authorization).
Note that RESTEasy supports the security annotations even on Servlet-based root resource classes however this is not required by the JAX-RS specs (in other words: on the exam they are not supported on a root resource class deployed as a Servlet)
Regards,
Frits
Re: About Question enthuware.ocejws.v6.2.222 :
Posted: Sun Apr 27, 2014 4:29 pm
by himaiMinh
Thanks. I think I understand it now.
I tried this with NetBeans:
Code:
// Servlet-based (non-EJB) JAX-WS endpoint. It compiles.
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.jws.WebService;

@WebService
@DeclareRoles({"teacher", "student"})
public class MyResource {

    // Intended for the teacher role only
    @RolesAllowed("teacher")
    public String updateGrades() {
        return "teacher access update grades";
    }

    // Intended for the student role only
    @RolesAllowed("student")
    public String getStudentProfile() {
        return "student gets his or her profile.";
    }
}
Code:
<!-- web.xml: the URL /MyResourceService can be accessed by both teacher and student -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <!-- Coarse-grained, URL-level protection: POST to the endpoint requires one of the two roles -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Role base application</web-resource-name>
            <url-pattern>/MyResourceService</url-pattern>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>teacher</role-name>
            <role-name>student</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
        <role-name>teacher</role-name>
    </security-role>
    <security-role>
        <role-name>student</role-name>
    </security-role>
</web-app>
Code:
<!-- glassfish-web.xml: maps the declared roles to container users -->
<glassfish-web-app>
    <context-root>/RoleSecurityApp</context-root>
    <security-role-mapping>
        <role-name>teacher</role-name>
        <principal-name>john</principal-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>student</role-name>
        <principal-name>mary</principal-name>
    </security-role-mapping>
</glassfish-web-app>
Code:
// JAX-WS client. MyResourceService and MyResource are the stubs generated
// by wsimport from the endpoint's WSDL.
import javax.xml.ws.BindingProvider;

public class ResourceApp {
    public static void main(String... args) {
        MyResourceService service = new MyResourceService();
        MyResource port = service.getMyResourcePort();

        // Send HTTP BASIC credentials for "john", who is mapped to the teacher role
        BindingProvider bp = (BindingProvider) port;
        bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "john");
        bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "secret");

        // Call the method annotated @RolesAllowed("student")
        System.out.println(port.getStudentProfile());
    }
}
Even though "john" is a teacher, he can still access getStudentProfile(), which only allows students to access it.
Re: About Question enthuware.ocejws.v6.2.222 :
Posted: Sun Apr 27, 2014 4:32 pm
by himaiMinh
Code:
// This is the EJB-based web service endpoint
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebService;

@WebService
@Stateless
@DeclareRoles({"teacher", "student"})
public class MyEJBResource {

    // The EJB container enforces this per method
    @RolesAllowed("teacher")
    public String updateGrades() {
        return "teacher access update grades";
    }

    // The EJB container enforces this per method
    @RolesAllowed("student")
    public String getStudentProfile() {
        return "student gets his or her profile.";
    }
}
Code:
<!-- glassfish-ejb-jar.xml: role mapping plus BASIC authentication for the EJB endpoint -->
<glassfish-ejb-jar>
    <security-role-mapping>
        <role-name>teacher</role-name>
        <principal-name>john</principal-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>student</role-name>
        <principal-name>mary</principal-name>
    </security-role-mapping>
    <enterprise-beans>
        <ejb>
            <ejb-name>MyEJBResource</ejb-name>
            <webservice-endpoint>
                <port-component-name>MyEJBResource</port-component-name>
                <login-config>
                    <auth-method>BASIC</auth-method>
                </login-config>
            </webservice-endpoint>
        </ejb>
    </enterprise-beans>
</glassfish-ejb-jar>
With a similar client, john cannot access getStudentProfile(), as it only allows the student role to access it.
The same concept will be applied to JAX-RS applications too.
Re: About Question enthuware.ocejws.v6.2.222 :
Posted: Thu May 01, 2014 10:55 pm
by fjwalraven
Yes, that is a good example of the difference between a Servlet Web Service and an EJB Web Service.
Re: About Question enthuware.ocejws.v6.2.222 :
Posted: Mon Nov 14, 2016 1:20 am
by johnlong
@DenyAll overrules @RolesAllowed("student")
But
@PermitAll does not overrule @RolesAllowed("student") ?
Re: About Question enthuware.ocejws.v6.2.222 :
Posted: Mon Nov 14, 2016 2:38 am
by fjwalraven
The general rule is: "A Method-level annotation overrides the behavior of class level annotation"
Regards,
Frits
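As an added example, not code from the thread or from any of the posters, this is what per-method enforcement of the security annotations on a servlet-deployed JAX-RS root resource looks like when you do it yourself, which is the gap fjwalraven points at (RESTEasy supports it, the JAX-RS spec does not require it) and it also spells out the override rule from the last reply (method-level beats class-level; within one level @DenyAll beats @RolesAllowed beats @PermitAll). It assumes the JAX-RS 2.0 API (DynamicFeature and ContainerRequestFilter, i.e. Java EE 7 rather than the Java EE 6 the exam targets); the class names RolesAllowedDynamicFeature and GradesResource and the /grades paths are invented for illustration. RESTEasy (through the web.xml switch quoted above) and Jersey 2 (org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature) ship equivalents of this feature.

```java
import java.lang.reflect.AnnotatedElement;
import javax.annotation.Priority;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.DynamicFeature;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.FeatureContext;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/**
 * Enforces @DenyAll / @RolesAllowed / @PermitAll on a servlet-deployed JAX-RS root
 * resource (no EJB container involved). A method-level annotation wins over the
 * class-level one; within a level @DenyAll beats @RolesAllowed beats @PermitAll.
 * Assumes JAX-RS 2.0 (DynamicFeature / ContainerRequestFilter), i.e. Java EE 7.
 */
@Provider
public class RolesAllowedDynamicFeature implements DynamicFeature {

    @Override
    public void configure(ResourceInfo info, FeatureContext ctx) {
        // Method-level overrides class-level: look at the class only when the method
        // carries none of the three annotations.
        AnnotatedElement target = hasSecurityAnnotation(info.getResourceMethod())
                ? info.getResourceMethod() : info.getResourceClass();
        if (target.isAnnotationPresent(DenyAll.class)) {
            ctx.register(new DenyAllFilter());
        } else if (target.isAnnotationPresent(RolesAllowed.class)) {
            ctx.register(new RolesAllowedFilter(target.getAnnotation(RolesAllowed.class).value()));
        }
        // @PermitAll, or no annotation at all: nothing registered, the method stays open
        // (the container's URL-pattern security-constraint still runs before us).
    }

    private static boolean hasSecurityAnnotation(AnnotatedElement e) {
        return e.isAnnotationPresent(DenyAll.class)
                || e.isAnnotationPresent(RolesAllowed.class)
                || e.isAnnotationPresent(PermitAll.class);
    }

    @Priority(Priorities.AUTHORIZATION)
    static final class DenyAllFilter implements ContainerRequestFilter {
        @Override
        public void filter(ContainerRequestContext req) {
            req.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }

    @Priority(Priorities.AUTHORIZATION)
    static final class RolesAllowedFilter implements ContainerRequestFilter {
        private final String[] roles;

        RolesAllowedFilter(String[] roles) {
            this.roles = roles.clone();
        }

        @Override
        public void filter(ContainerRequestContext req) {
            SecurityContext sc = req.getSecurityContext();
            // No authenticated principal (no login-config or no matching security-constraint):
            // answer 401 so a BASIC client can retry with credentials instead of a bare 403.
            if (sc == null || sc.getUserPrincipal() == null) {
                req.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                        .header("WWW-Authenticate", "Basic realm=\"RoleSecurityApp\"").build());
                return;
            }
            for (String role : roles) {
                if (sc.isUserInRole(role)) {
                    return; // caller holds one of the allowed roles
                }
            }
            req.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }
}

/** Sample root resource (normally its own file) exercising the override rules. */
@Path("/grades")
@RolesAllowed("teacher")            // class-level default for every method below
class GradesResource {
    @GET @Path("/update")
    public String updateGrades() {   // no method annotation: inherits "teacher"
        return "teacher access update grades";
    }

    @GET @Path("/profile") @PermitAll   // overrides class-level @RolesAllowed: open to any caller
    public String getStudentProfile() {
        return "student gets his or her profile.";
    }

    @DELETE @Path("/all") @DenyAll      // overrides class-level @RolesAllowed: nobody, not even teacher
    public String deleteAllGrades() {
        return "never reached";
    }
}
```

The filter only ever sees a principal if the servlet container authenticated the request first, so the web.xml still needs the <login-config> and a <security-constraint> whose url-pattern covers the JAX-RS path, exactly as in the Servlet example earlier in the thread; without that, getUserPrincipal() is null and every @RolesAllowed method answers 401. With it in place, "john" (teacher) gets 200 on /grades/update and /grades/profile and 403 on /grades/all, while "mary" (student) gets 403 on /grades/update, 200 on /grades/profile and 403 on /grades/all, which is the per-method behaviour the EJB endpoint in the thread gives for free.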