Security access-control changes

The getCallerIdentity and isCallerInRole(java.security.Identity) methods in the EJBContext interface are deprecated in EJB 1.1. Instead of getCallerIdentity, call getCallerPrincipal. Instead of isCallerInRole(java.security.Identity), call isCallerInRole(java.lang.String).

You can configure role references for your component. Role references allow you to map names used in isCallerInRole(java.lang.String) calls to role names that exist on the server. Role references allow your component to be deployed on servers that do not have the same security configuration. After deploying, you can configure the component to assign server role names to the role reference names used in the component.

Declarative access control for components at EJB version 1.1 and later uses method-level settings. You configure access restrictions for methods with <method-permission> elements in the deployment descriptor; each <method-permission> element lists the methods that its permission constraint applies to. When you deploy the EJB-JAR to EAServer, EAServer creates role configurations and security settings to apply the security constraints. For details, see the description of the ejb.accessControl Ant configuration property.

Configuring role references

Role references in the EJB JAR deployment descriptor allow you to map the logical role names used in calls to the isCallerInRole Java method. While the EJB specification encourages declarative security constraints, you can programmatically check role membership with this method. The role reference allows you to use logical role names when calling isCallerInRole, then map them to roles that exist on the deployment server.

When you deploy an EJB-JAR that contains role references, EAServer generates commands in the module configuration file to alias the role to another role. You can edit or reconfigure the role reference as follows:

  1. If necessary, define new EAServer roles to be used by callers of the component.

  2. Edit the EJB module configuration file as described in “Configuring EJB component properties”.

    For each role reference in the deployment descriptor, EAServer generates the following in the configuration target:

    <addRoles toRole="LinkedRole">
    RoleUsedInCode
    </addRoles>
    

    Where RoleUsedInCode is the logical role name used in the EJB code (specified by role-name in the deployment descriptor security-role-ref element) and LinkedRole is the role name specified by link-role in the deployment descriptor. This command makes RoleUsedInCode have the same included and excluded users as LinkedRole.
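A pre-deployment check for the mapping described above, as an added example that is not part of the original page or of EAServer's tooling: it reads each security-role-ref in a descriptor (role-name plus the standard EJB role-link child), prints the addRoles entry in the form shown above, and flags references that have no link or that link to a role not declared in the assembly descriptor. The sample descriptor, bean name and role names are constructed, and emitting an entry for a link to an undeclared role is an assumption made for review purposes.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Constructed sample descriptor (EJB 1.1 DTD style, no namespace); the bean
# and role names are made up for illustration.
SAMPLE_EJB_JAR = """\
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>PayrollBean</ejb-name>
      <security-role-ref>
        <role-name>manager</role-name>
        <role-link>PayrollAdmins</role-link>
      </security-role-ref>
      <security-role-ref><role-name>auditor</role-name></security-role-ref>
      <security-role-ref>
        <role-name>clerk</role-name>
        <role-link>Clerks</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>PayrollAdmins</role-name></security-role>
  </assembly-descriptor>
</ejb-jar>
"""

def audit_role_refs(descriptor_xml):
    """Return (mappings, findings) for every security-role-ref in the descriptor."""
    root = ET.fromstring(descriptor_xml)
    # Roles the assembler declared; a role-link should name one of these.
    declared = {r.findtext("role-name", "").strip()
                for r in root.iter("security-role")}
    mappings, findings = [], []
    for bean in root.findall("enterprise-beans/*"):
        ejb = bean.findtext("ejb-name", "?").strip()
        for ref in bean.findall("security-role-ref"):
            used = ref.findtext("role-name", "").strip()   # name passed to isCallerInRole
            link = (ref.findtext("role-link") or "").strip()
            if not link:
                findings.append(f"{ejb}: '{used}' has no role-link")
                continue
            if link not in declared:
                findings.append(f"{ejb}: '{used}' links to undeclared role '{link}'")
            # Assumption: still show the entry so the reviewer sees the intended alias.
            mappings.append(f"<addRoles toRole={quoteattr(link)}>{escape(used)}</addRoles>")
    return mappings, findings

if __name__ == "__main__":
    mappings, findings = audit_role_refs(SAMPLE_EJB_JAR)
    print("\n".join(mappings + ["-- findings --"] + findings))
```

Comparing the printed entries with the generated module configuration file shows whether each name used in isCallerInRole is aliased to the server role you intended.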