Securing Enterprise JavaBeans EJBs 6-5
<security-role>
  <role-name>east</role-name>
</security-role>
<method-permission>
  <role-name>manager</role-name>
  <role-name>east</role-name>
  <method>
    <ejb-name>accountsPayable</ejb-name>
    <method-name>getReceipts</method-name>
  </method>
</method-permission>
...
</assembly-descriptor>
...

weblogic-ejb-jar.xml entries:
<security-role-assignment>
  <role-name>manager</role-name>
  <principal-name>al</principal-name>
  <principal-name>george</principal-name>
  <principal-name>ralph</principal-name>
</security-role-assignment>
...
6.3 EJB Security-Related Deployment Descriptors
The following topics describe the deployment descriptor elements that are used in the ejb-jar.xml and weblogic-ejb-jar.xml files to define security requirements in EJBs:
■ Section 6.3.1, ejb-jar.xml Deployment Descriptors
■ Section 6.3.2, weblogic-ejb-jar.xml Deployment Descriptors
6.3.1 ejb-jar.xml Deployment Descriptors
The following ejb-jar.xml deployment descriptor elements are used to define security requirements in WebLogic Server:
■ Section 6.3.1.1, method
■ Section 6.3.1.2, method-permission
■ Section 6.3.1.3, role-name
■ Section 6.3.1.4, run-as
■ Section 6.3.1.5, security-identity
■ Section 6.3.1.6, security-role
■ Section 6.3.1.7, security-role-ref
■ Section 6.3.1.8, unchecked
■ Section 6.3.1.9, use-caller-identity
6.3.1.1 method
The method element denotes a method of an enterprise bean's home or component interface or, in the case of a message-driven bean, the bean's onMessage method, or a set of methods.
The following table describes the elements you can define within a method element.

Table 6–1 method Element

Element        Required/Optional  Description
description    Optional           A text description of the method.
ejb-name       Required           Specifies the name of one of the enterprise beans declared in the ejb-jar.xml file.
method-intf    Optional           Allows you to distinguish between a method with the same signature that is multiply defined across both the home and component interfaces of the enterprise bean.
method-name    Required           Specifies the name of an enterprise bean method or the asterisk character (*). The asterisk is used when the element denotes all the methods of an enterprise bean's component and home interfaces.
method-params  Optional           Contains a list of the fully-qualified Java type names of the method parameters.

6-6 Programming Security for Oracle WebLogic Server
6.3.1.1.1 Used Within
The method element is used within the method-permission element.
6.3.1.1.2 Example
For an example of how to use the method element, see Example 6–1.
6.3.1.2 method-permission
The method-permission element specifies that one or more security roles are allowed to invoke one or more enterprise bean methods. The method-permission element consists of an optional description, either a list of security role names or an indicator that the method is unchecked for authorization, and a list of method elements.
The security roles used in the method-permission element must be defined in the security-role elements of the deployment descriptor, and the methods must be methods defined in the enterprise bean's component and/or home interfaces.
The following table describes the elements you can define within a method-permission element.

Table 6–2 method-permission Element

Element                 Required/Optional  Description
description             Optional           A text description of this security constraint.
role-name or unchecked  Required           Either the role-name element or the unchecked element must be specified. The role-name element contains the name of a security role; the name must conform to the lexical rules for an NMTOKEN. The unchecked element specifies that a method is not checked for authorization by the container prior to invocation of the method.
method                  Required           Specifies a method of an enterprise bean's home or component interface or, in the case of a message-driven bean, the bean's onMessage method, or a set of methods.

6.3.1.2.1 Used Within
The method-permission element is used within the assembly-descriptor element.
6.3.1.2.2 Example
For an example of how to use the method-permission element, see Example 6–1.
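As an added example (not part of the Oracle documentation and not a WebLogic tool), the following Python script parses the security elements described in this section, resolves each method-permission through the security-role-assignment entries of weblogic-ejb-jar.xml, and reports methods that are unchecked or whose roles have no principals assigned. The descriptor contents are constructed, modelled on Example 6–1; the bean method names approve and getBalance and the "east" role having no assignment are assumptions made for the illustration.

```python
# Added example (not Oracle's code): audit an ejb-jar.xml / weblogic-ejb-jar.xml pair
import xml.etree.ElementTree as ET

# Constructed sample descriptors, modelled on Example 6-1 of this chapter.
EJB_JAR_XML = """<ejb-jar><assembly-descriptor>
  <security-role><role-name>manager</role-name></security-role>
  <security-role><role-name>east</role-name></security-role>
  <method-permission><role-name>manager</role-name><role-name>east</role-name>
    <method><ejb-name>accountsPayable</ejb-name><method-name>getReceipts</method-name></method>
  </method-permission>
  <method-permission><role-name>east</role-name>
    <method><ejb-name>accountsPayable</ejb-name><method-name>approve</method-name></method>
  </method-permission>
  <method-permission><unchecked/>
    <method><ejb-name>accountsPayable</ejb-name><method-name>getBalance</method-name></method>
  </method-permission>
</assembly-descriptor></ejb-jar>"""
WEBLOGIC_EJB_JAR_XML = """<weblogic-ejb-jar><security-role-assignment>
  <role-name>manager</role-name><principal-name>al</principal-name>
  <principal-name>george</principal-name><principal-name>ralph</principal-name>
</security-role-assignment></weblogic-ejb-jar>"""

def role_principals(weblogic_xml):
    # role-name -> set of principal-names, one entry per security-role-assignment
    return {a.findtext("role-name"): {p.text for p in a.findall("principal-name")}
            for a in ET.fromstring(weblogic_xml).iter("security-role-assignment")}

def method_access(ejb_xml, weblogic_xml):
    """Return {(ejb-name, method-name): set of principals, or "unchecked"}.
    A role that no security-role-assignment maps contributes no principals."""
    assignments = role_principals(weblogic_xml)
    access = {}
    for perm in ET.fromstring(ejb_xml).iter("method-permission"):
        roles = [r.text for r in perm.findall("role-name")]
        unchecked = perm.find("unchecked") is not None  # empty element is falsy
        for m in perm.findall("method"):
            key = (m.findtext("ejb-name"), m.findtext("method-name"))
            if unchecked or access.get(key) == "unchecked":
                access[key] = "unchecked"  # unchecked overrides any role list
            else:
                who = set().union(*(assignments.get(r, set()) for r in roles))
                access[key] = access.get(key, set()) | who
    return access

def audit(ejb_xml, weblogic_xml):
    # Methods with no container authorization check, or that no principal can call
    return {f"{ejb}.{meth}": "unchecked" if who == "unchecked" else "no principals"
            for (ejb, meth), who in method_access(ejb_xml, weblogic_xml).items()
            if who == "unchecked" or not who}
```

Running audit() on the sample shows getBalance reachable without an authorization check and approve callable by nobody because the east role is declared but never assigned principals, while getReceipts resolves to al, george and ralph through the manager role.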
6.3.1.3 role-name