4 Replies Latest reply on Aug 11, 2012 12:11 AM by sfcoy

@RolesAllowed, @DenyAll usage in web tier?

pgarner Aug 10, 2012 11:55 AM

I'm looking at a table in the JEE 6 specification section EE.6.25 that seems to indicate that web containers must support the following annotations: @PermitAll, @DenyAll, @RolesAllowed, @DeclareRoles and @RunAs.

EE.6.25 Common Annotations for the Java™ Platform 1.1 Requirements

The Common Annotations specification defines Java language annotations that are

used by several other specifications, including this specification. The specifications

that use these annotations fully define the requirements for these annotations. The

applet container need not support any of these annotations. All other containers

must provide definitions for all of these annotations, and must support the semantics

of these annotations as described in the corresponding specifications and

summarized in the following table.

Table EE.6-5 Common Annotations Support by Container

Annotation	App Client	Web	EJB
Resource	Y	Y	Y
Resources	Y	Y	Y
PostConstruct	Y	Y	Y
PreDestroy	Y	Y	Y
Generated	N	N	N
RunAs	N	Y	Y
DeclareRoles	N	Y	Y
RolesAllowed	N	Y	Y
PermitAll	N	Y	Y
DenyAll	N	Y	Y

What kinds of objects can these @RolesAllowed and @DenyAll be used on in the web tier? Can these annotations be used with managed beans? If not, why not?

1. Re: @RolesAllowed, @DenyAll usage in web tier?

cfang Aug 10, 2012 12:13 PM (in response to pgarner)

You can check servlet spec 3.1 (security chapter) for how they are used in web tier. I would think you can apply these security annotations on servlet class and methods to guard a servlet, or select http methods thereof. I don't think they are applicable to other web components.

For EJB, they are a more natural fit since EJB invocations are all method-based.

They are not for managed beans, either jsf managed beans or Java EE Managed Beans.
1 of 1 people found this helpful
Actions
2. Re: @RolesAllowed, @DenyAll usage in web tier?

sfcoy Aug 10, 2012 9:55 PM (in response to cfang)

@RolesAllowed, @DenyAll, etc can only be used on EJBs that are deployed in your web application (in the so called "web tier").

Servlets make use the ServletSecurity, HttpConstraint and HttpMethodConstraint annotations to replicate the decalrations that you would otherwise put in your web.xml file.

(This looks like it was a late change to the Servlet 3.0 spec btw)
1 of 1 people found this helpful
Actions
3. Re: @RolesAllowed, @DenyAll usage in web tier?

pgarner Aug 10, 2012 10:14 PM (in response to sfcoy)

I am wondering why @RolesAllowed, @DenyAll etc. are not supported on managed beans. Is it an architectural thing? Bad design practice? I did come across Delta Spike, http://incubator.apache.org/projects/deltaspike.html, whose aim is to provide extensions to CDI that would include security. Still in its infancy but interesting.
Actions
4. Re: @RolesAllowed, @DenyAll usage in web tier?

sfcoy Aug 11, 2012 12:11 AM (in response to pgarner)

I guess because you can use EJBs as managed beans if you need this functionality. Have a look at EJB 3.1 OR CDI MANAGED BEAN AS JSF BACKING BEAN and the references as well.
Actions

Go to original post