Book Image

EJB 3 Developer Guide

By : Michael Sikora
Book Image

EJB 3 Developer Guide

By: Michael Sikora

Overview of this book

Table of Contents (18 chapters)
EJB 3 Developer Guide
Credits
About the Author
About the Reviewers
Preface
Annotations and Their Corresponding Packages

EJB Authorization


Authorization, or access control, is the process of restricting operations to specific roles. In contrast with authentication, EJB authorization is completely application server independent. The EJB specification provides two kinds of authorization: declarative and programmatic. With declarative authorization all security checks are performed by the container. An EJB's security requirements are declared using annotations or deployment descriptors. With programmatic authorization security checks are hard-coded in the EJBs code using API calls. However, even with programmatic authorization the container is still responsible for authentication and for assigning roles to principals.

Declarative Authorization

As an example, consider the BankServiceBean stateless session bean with methods findCustomer(), addCustomer() and updateCustomer() :

package ejb30.session;
import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import ejb30.entity.Customer;
import javax...