About Question enthuware.oce-ejbd.v6.2.612 :

[himaiMinh]

Should we have <role-link> to map the "user" in annotation to "customer" role in the deployment descriptor?

[admin]

No, there is no need to map anything here. Please see the explanation.

[himaiMinh]

For everyone's information.

Code: Select all

 ...
@Stateless
public class EnthuBean {
           
           public void doStuff(){
        	   System.out.println("Do stuff");
           }
           @RolesAllowed ("user")
           public void doStuff(String str){
        	   System.out.println("do stuff "+ str);
           }
           
}

Code: Select all

@WebServlet(name="EJBClientServlet", urlPatterns="/test.do")
@ServletSecurity(
		httpMethodConstraints = 
			{
				@HttpMethodConstraint(value="GET", rolesAllowed={"user", "customer"})
			})
public class EJBClientServlet extends HttpServlet{
  
   private EnthuBean enthuBean;
   
   @Override
   protected void doGet(HttpServletRequest inRequest, HttpServletResponse inResponse ) throws ServletException, IOException{
	   
	   enthuBean.doStuff("do my own stuff");
	   enthuBean.doStuff();
	  
   }
}

Code: Select all

<ejb-jar version="3.1"  >
    <enterprise-beans>
      <session>
            <ejb-name>EnthuBean</ejb-name>
     </session>
   </enterprise-beans>
    <assembly-descriptor>
         <security-role>
                 <role-name>customer</role-name>
         </security-role>
         <method-permission>
                 <role-name>customer</role-name> 
                <method> 
                   <ejb-name>EnthuBean</ejb-name>
                   <method-name>doStuff</method-name>
              </method> 
          </method-permission>   
   </assembly-descriptor>
</ejb-jar>

Code: Select all

 //This is sun-web.xml, deployer maps principals to roles
<sun-web-app error-url="">
  <context-root>/doStuff</context-root>
 <security-role-mapping>
          <role-name>customer</role-name>
          <principal-name>jim</principal-name>
  </security-role-mapping>
   <security-role-mapping>
          <role-name>user</role-name>
          <principal-name>nick</principal-name>
  </security-role-mapping>
 
    ...
</sun-web-app>

Result : The customer "jim" has access to both doStuff. The user "nick" does not have access to both doStuff method with an javax.ejb.EJBAccessException .