Because an EJB is typically invoked from the web-tier by a servlet, JSP page or JSF component, we will briefly mention Java EE web container security. The web-tier and EJB tier share the same security model. So the web-tier security model is based on the same concepts of principals, roles and realms.
Web-tier authorization is similar to EJB authorization but with a few differences. Both programmatic and declarative authorization are supported for the web-tier. For programmatic authorization, the EJB methods getCallerPrincipal() and isCallerInRole() have their equivalents getUserPrincipal() and isUserInRole() in the HttpServletRequest interface. These methods would then be used in a servlet or JSP page. To use these methods we would need to add the @DeclareRoles annotation or the <security-role> deployment descriptor element, as with EJBs. The @RunAs annotation can also be used at servlet class level to specify that a servlet...
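The programmatic web-tier checks described above, as an added example (not code from the original text): a servlet that declares its roles with @DeclareRoles and then uses getUserPrincipal() and isUserInRole() from HttpServletRequest to decide what the caller may see. The servlet name, URL mapping and the "manager" and "employee" roles are assumptions made up for the example; the role-to-user mapping lives in the container's realm configuration.

```java
import java.io.IOException;
import java.security.Principal;

import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Declare the roles that isUserInRole() will test (the web.xml
// <security-role> element is the deployment-descriptor alternative).
// Role names here are constructed for the example.
@DeclareRoles({"manager", "employee"})
@WebServlet("/payroll")
public class PayrollServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The authenticated caller, or null if the container has not
        // authenticated this request (e.g. no security constraint matched).
        Principal caller = req.getUserPrincipal();
        if (caller == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        resp.setContentType("text/plain");
        // Role checks are evaluated against the realm's role mapping for
        // the caller; check the most privileged role first.
        if (req.isUserInRole("manager")) {
            resp.getWriter().println("Full payroll report for " + caller.getName());
        } else if (req.isUserInRole("employee")) {
            resp.getWriter().println("Own payslip for " + caller.getName());
        } else {
            // Authenticated, but holds no role that grants access here.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```

Declarative protection of the same URL (a <security-constraint> in web.xml) is the usual complement, so the container rejects unauthenticated requests before this code runs.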