I need clarification here, please. I'm currently learning EJB, and I've read about limiting the access rights of methods to the users in certain "roles." I know how the metadata to limit the access rights works. But what I don't know is how to put the users in the respective roles. Are the users' roles set in the database, and the EJB goes into the database and checks the role (if so, how)? I mean, where or how do I programmatically impose that certain users belong to, for example, the customer role or the administrator role? If you know any books, you can also provide the title if you want.
Thank you.
There are several ways to declare roles in an EJB application (database, property files, LDAP ...). Also, since EJB 3.0, you can use annotations in your session beans:
@RolesAllowed("blabla")
@PermitAll
@DenyAll
@RunAs
It's called declarative authorization, as opposed to programmatic authorization (the methods getCallerPrincipal() and isCallerInRole() from the javax.ejb.SessionContext object).
You can find many examples online.
User configuration is specific to the application server. Security in EJB is only about roles. I use Glassfish and it has many ways of configuring users: file (default), jdbc, ldap, etc. Each way is called a realm. It all depends on the server you are using, so check the documentation. In Glassfish it is just a little tedious because of the mapping of server roles to application roles.
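The declarative and programmatic checks mentioned in the answers above, combined in one session bean. This is an added example, not code from the original answers: OrderService, its methods and the sample data are hypothetical, and only the role names come from the question. Which users actually hold these roles is still decided by the application server's realm and role mapping, not by this code.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical bean for illustration; role names are taken from the question.
@Stateless
@DeclareRoles({"customer", "administrator"})
public class OrderService {

    @Resource
    private SessionContext ctx; // injected by the container

    // Constructed sample data: order id -> login name of the owner.
    private static final Map<String, String> OWNER_BY_ORDER = new ConcurrentHashMap<>();
    static {
        OWNER_BY_ORDER.put("order-1", "alice");
        OWNER_BY_ORDER.put("order-2", "bob");
    }

    // Declarative: the container rejects callers in neither role before the body runs.
    @RolesAllowed({"customer", "administrator"})
    public String ownerOf(String orderId) {
        String owner = OWNER_BY_ORDER.get(orderId);
        String caller = ctx.getCallerPrincipal().getName();
        // Programmatic: a role cannot express "only your own orders", so a
        // non-administrator is also compared against the order's owner.
        // Unknown ids get the same error so the reply does not reveal which ids exist.
        if (owner == null || (!ctx.isCallerInRole("administrator") && !caller.equals(owner))) {
            throw new EJBAccessException("caller may not read " + orderId);
        }
        return owner;
    }

    @RolesAllowed("administrator")
    public void reassign(String orderId, String newOwner) {
        OWNER_BY_ORDER.put(orderId, newOwner);
    }

    @PermitAll // any caller, including one holding neither role
    public int orderCount() {
        return OWNER_BY_ORDER.size();
    }
}
```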