-
1. Re: @RolesAllowed, @DenyAll usage in web tier?
cfang Aug 10, 2012 12:13 PM (in response to pgarner)
1 of 1 people found this helpful
You can check servlet spec 3.1 (security chapter) for how they are used in web tier. I would think you can apply these security annotations on servlet class and methods to guard a servlet, or select HTTP methods thereof. I don't think they are applicable to other web components.
For EJB, they are a more natural fit since EJB invocations are all method-based.
They are not for managed beans, either JSF managed beans or Java EE Managed Beans.
-
2. Re: @RolesAllowed, @DenyAll usage in web tier?
sfcoy Aug 10, 2012 9:55 PM (in response to cfang)
1 of 1 people found this helpful
@RolesAllowed, @DenyAll, etc. can only be used on EJBs that are deployed in your web application (in the so-called "web tier").
Servlets make use of the ServletSecurity, HttpConstraint and HttpMethodConstraint annotations to replicate the declarations that you would otherwise put in your web.xml file.
(This looks like it was a late change to the Servlet 3.0 spec btw)
-
3. Re: @RolesAllowed, @DenyAll usage in web tier?
pgarner Aug 10, 2012 10:14 PM (in response to sfcoy)
I am wondering why @RolesAllowed, @DenyAll etc. are not supported on managed beans. Is it an architectural thing? Bad design practice? I did come across Delta Spike, http://incubator.apache.org/projects/deltaspike.html, whose aim is to provide extensions to CDI that would include security. Still in its infancy but interesting.
-
4. Re: @RolesAllowed, @DenyAll usage in web tier?
sfcoy Aug 11, 2012 12:11 AM (in response to pgarner)
I guess because you can use EJBs as managed beans if you need this functionality. Have a look at EJB 3.1 OR CDI MANAGED BEAN AS JSF BACKING BEAN and the references as well.
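
The two approaches mentioned in replies 2 and 4, side by side, as an added example that is not code from any poster in this thread: a servlet guarded with @ServletSecurity, and a stateless EJB exposed to JSF via @Named that carries @RolesAllowed and @DenyAll. The class names, URL pattern, role names and bean name are hypothetical, and a Java EE 6 container (Servlet 3.0, EJB 3.1 in a WAR, CDI) is assumed.

```java
// File: ReportServlet.java (constructed example; names and roles are hypothetical)
package example;

import java.io.IOException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/reports")
@ServletSecurity(
    // Default for every HTTP method not listed below: deny all callers.
    value = @HttpConstraint(EmptyRoleSemantic.DENY),
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "GET", rolesAllowed = {"user", "admin"}),
        @HttpMethodConstraint(value = "POST", rolesAllowed = "admin")
    })
public class ReportServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // The container has already enforced the GET constraint before this runs.
        resp.getWriter().println("report for " + req.getRemoteUser());
    }
}

// File: ReportBean.java (EJB used as a JSF backing bean, e.g. #{reportBean.summary})
package example;

import javax.annotation.security.DenyAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.inject.Named;

@Stateless
@Named("reportBean")
@RolesAllowed("user")            // class-level default for all business methods
public class ReportBean {
    public String getSummary() { return "summary"; }

    @RolesAllowed("admin")       // method-level annotation overrides the class default
    public void purge() { }

    @DenyAll                     // never callable through the EJB container
    public void internalMaintenance() { }
}
```

A caller without the required role gets an HTTP 403 from the servlet constraint, while a denied EJB method call surfaces as a javax.ejb.EJBAccessException in the calling page or bean.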