When using the default access control type, EAServer enforces both role-based and port-based access control: access depends on the EAServer roles that the client user belongs to and on the port number through which the client has connected.
To apply role-based constraints, the default configuration runs <permitAccess> commands to configure component and method role constraints based on the method permissions defined in the deployment descriptor. The default configuration also creates these roles for each role name defined in the EJB deployment descriptor:

  role, where role is the role name used in the deployment descriptor.

  ejb-role-prefix.role, where ejb-role-prefix is the value of the ejb.rolePrefix Ant property.
When evaluating a method's role constraints, a user is considered a member of a role if they are a member of either the role with the matching name or the role ejb-role-prefix.role, where ejb-role-prefix is the value of the ejb.rolePrefix Ant property for the EJB module configuration. In other words, to allow access to a user, you can add them to either role.
Port-based access cannot be specified in the EJB deployment descriptor. By default, EAServer allows access through any port. In your user configuration, you can set the ejb.allowedPorts Ant property to restrict access to clients that connect through the specified port numbers. Changing the Ant property affects access to all methods unless you override the default security configuration commands.
In your user configuration, you can override the default <accessControl> and <permitAccess> commands to fine-tune the security settings. For example, you can enable auditing of permitted or denied access, or disable access to remote interface methods to allow only local-interface invocations. See the reference for the <permitAccess> and <denyAccess> commands for more information.
For example, to enable auditing:
<target name="configure-user">
  <setProperties package="ejb.components.example">
    <accessControl type="default" auditDeny="true" auditPermit="true" />
  </setProperties>
</target>
Auditing takes effect only if it is also enabled for the security domain (the security domain's auditAccessDenied and auditAccessPermitted properties must both be true).
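The access decision described above (port check from ejb.allowedPorts, role membership via either the plain or the ejb.rolePrefix-qualified role, and audit records for permitted or denied access), as an added Python model for illustration; this is not EAServer code. The prefix value "example", the port numbers and the role names are constructed sample values, and denying a method that grants no roles is an assumption of the model, not a rule stated on the page.

```python
from dataclasses import dataclass

# Added illustration of the documented rule, not EAServer's implementation.
# A call is permitted only if (1) the client's port is in ejb.allowedPorts
# (an empty setting means any port, the EAServer default) and (2) the user
# holds at least one role the method permits, where holding either "role"
# or "<ejb.rolePrefix>.role" counts as membership.

@dataclass
class ModuleConfig:
    role_prefix: str                        # value of the ejb.rolePrefix Ant property
    allowed_ports: frozenset = frozenset()  # ejb.allowedPorts; empty = any port
    audit_permit: bool = False              # <accessControl auditPermit="true">
    audit_deny: bool = False                # <accessControl auditDeny="true">

def user_in_role(user_roles, role, cfg):
    """Member of `role` if the user holds the matching name or the prefixed role."""
    return role in user_roles or f"{cfg.role_prefix}.{role}" in user_roles

def check_access(cfg, user_roles, client_port, method_roles, audit_log):
    """Return True if the call is permitted; append an audit record when the
    matching audit flag is on. `method_roles` are the role names granted to
    the method by the deployment descriptor's method permissions."""
    if cfg.allowed_ports and client_port not in cfg.allowed_ports:
        permitted, reason = False, f"port {client_port} not in ejb.allowedPorts"
    elif not any(user_in_role(user_roles, r, cfg) for r in method_roles):
        # Assumption: a method granting no roles is denied (conservative default).
        permitted, reason = False, "user holds none of the permitted roles"
    else:
        permitted, reason = True, "port and role constraints satisfied"
    if (permitted and cfg.audit_permit) or (not permitted and cfg.audit_deny):
        audit_log.append(("PERMIT" if permitted else "DENY", reason))
    return permitted

if __name__ == "__main__":
    cfg = ModuleConfig("example", frozenset({2000}), audit_permit=True, audit_deny=True)
    log = []
    # Prefixed role "example.manager" satisfies a constraint on "manager".
    print(check_access(cfg, {"example.manager"}, 2000, ["manager"], log))  # True
    # Correct role, but the client connected through a port that is not allowed.
    print(check_access(cfg, {"manager"}, 9000, ["manager"], log))          # False
    for entry in log:
        print(entry)
```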