Security and Deployment Descriptors
Jump to navigation
Jump to search
References
Declarative security
- rules and permissions
- defined in deployment descriptors
- EJB = ejb-jar.xml
- WAR = web.xml
- JAR = application-client.xml
web.xml
Can configure protocol and roles of pages that can be seen
<web-app>
<security-constraint>
<web-resource-collection>
<url-pattern> </url-pattern>
<http-method>GET or POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name></role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE (=http) or INTEGRAL (must not be tampered with = ssl) or CONFIDENTIAL (must not be intercepted = ssl)</transport-guarantee>
</user-data-constraint>
</security-constraint>
</web-app>
ejb.xml
- Can map roles to logical names for use within beans
- Can define roles the bean will run as
- Can define the roles required to access methods of beans
- can distinguish between methods overridden, interfaces - remote/local
- in assembly descriptor
- message driven only has security role to run as
<ejb-jar>
<enterprise-beans>
<entity|session>
<security-role-ref> < !-- only for use in security context methods within bean -- >
<role-name>Name to use in bean</role-name>
<role-link>actual role or logic role mapped by assembly descriptor</role-link>
</security-role-ref>
<security-identity>
* <use-caller-identity/> < !-- empty tag run as calling user -- >
* OR
* <run-as>
</security-identity>
...
<message-driven>
....
<security-identity>
* <use-caller-identity/> < !-- empty tag run as calling user -- >
* OR
* <run-as>
</security-identity>
<message-driven>
<assembly-descriptor>
<security-role-ref> < !-- see above -- > </security-role-ref>
<method-permission>
* <role-name></role-name>
* or
* <unchecked/>
<method>
<ejb-name></ejb-name>
<method-intf>optional - one of Home,Remote,LocalHome,Local,ServiceEndpoint</method-intf>
<method-name></method-name>
<method-params>optional - distinguish between overridden methods repeated with fully specified class</method-params>
</method>