Given a code listing, determine whether it is a legal and appropriate way to programmatically access a caller's security context.

This page discusses - Given a code listing, determine whether it is a legal and appropriate way to programmatically access a caller's security context.

Given a code listing, determine whether it is a legal and appropriate way to programmatically access a caller's security context.

Given a code listing, determine whether it is a legal and appropriate way to programmatically access a caller's security context.
Prev Chapter 14. Security Management Next

   

Given a code listing, determine whether it is a legal and appropriate way to programmatically access a caller's security context.

The javax.ejb.EJBContext interface provides TWO methods that allow the Bean Provider to access security information about the enterprise bean's caller: 

package javax.ejb;

public interface EJBContext {

	// The following two methods allow the EJB class
	// to access security information:

	// Returns the principal that represents the CALLER of the
	// enterprise bean, not the principal that corresponds to the 
	// run-as security identity for the bean, if any.
	java.security.Principal getCallerPrincipal();

	// Tests the principal that represents the CALLER of the
	// enterprise bean, not the principal that corresponds
	// to the run-as security identity for the bean, if any.
	boolean isCallerInRole(String roleName);
	...	
}

The Bean Provider can invoke the getCallerPrincipal and isCallerInRole methods only in the enterprise bean's business methods for which the Container has a client SECURITY CONTEXT.

The purpose of the getCallerPrincipal() method is to allow the enterprise bean methods to obtain the current caller principal's name. The methods might, for example, use the name as a key to information in a database.

An enterprise bean can invoke the getCallerPrincipal() method to obtain a java.security.Principal interface representing the current caller. The enterprise bean can then obtain the distinguished name of the caller principal using the getName() method of the java.security.Principal interface. 

public class EmployeeServiceBean implements SessionBean {
	EJBContext ejbContext;

	public void changePhoneNumber(...) {
		...
		// Obtain the default initial JNDI context.
		Context initCtx = new InitialContext();

		// Look up the remote home interface of the EmployeeRecord
		// enterprise bean in the environment.
		Object result = initCtx.lookup("java:comp/env/ejb/EmplRecord");

		// Convert the result to the proper type.
		EmployeeRecordHome emplRecordHome = (EmployeeRecordHome)
			javax.rmi.PortableRemoteObject.narrow(result,
			EmployeeRecordHome.class);

		// obtain the caller principal.
		callerPrincipal = ejbContext.getCallerPrincipal();

		// obtain the caller principal's name.
		callerKey = callerPrincipal.getName();

		// use callerKey as primary key to EmployeeRecord finder
		EmployeeRecord myEmployeeRecord =
			emplRecordHome.findByPrimaryKey(callerKey);

		// update phone number
		myEmployeeRecord.changePhoneNumber(...);
	...
	}
}

The enterprise bean code uses the isCallerInRole(String roleName) method to test whether the current caller has been assigned to a given security role. Security roles are defined by the Application Assembler in the deployment descriptor, and are assigned to principals or principal groups that exist in the operational environment by the Deployer. 


public class PayrollBean ... {
	EntityContext ejbContext;

	public void updateEmployeeInfo(EmplInfo info) {

		oldInfo = ... // read from database;

		// The salary field can be changed only by callers
		// who have the security role "payroll"
		if (info.salary != oldInfo.salary &&
		!ejbContext.isCallerInRole("payroll")) {
			throw new SecurityException(...);
		}
		...
	}
...
}

The Bean Provider is responsible for DECLARING in the security-role-ref elements of the deployment descriptor all the security role names used in the enterprise bean code. The ROLE NAME name must be the security role name that is used as a parameter to the isCallerInRole(String roleName) method. 


<entity>
	<ejb-name>AardvarkPayroll</ejb-name>
	<ejb-class>com.aardvark.payroll.PayrollBean</ejb-class>
	...
	<security-role-ref>
		<description>
			This security role should be assigned to the
			employees of the payroll department who are
			allowed to update employees' salaries.
		</description>
		<role-name>payroll</role-name>
	</security-role-ref>
	...
</entity>

Full description of security-role-ref element is: 


<!--
The security-role-ref element contains the declaration of a security
role reference in the enterprise bean's code. The declaration consists
of an optional description, the security role name used in the
code, and an optional link to a defined security role.
The value of the role-name element must be the String used as the
parameter to the EJBContext.isCallerInRole(String roleName) method.
The value of the role-link element must be the name of one of the
security roles defined in the security-role elements.
Used in: entity and session
-->

<!ELEMENT security-role-ref (description?, role-name, role-link?)>

Visit http://java.boot.by  for the updates.

   

Prev Up Next
From a list of responsibilities, identify which belong to the application assembler, bean provider, deployer, container provider, or system administrator.  Home Given a security-related deployment descriptor tag, identify correct and incorrect statements and code related to that tag.

Tutorials

  1. Appendix A. First Appendix
  2. Second Section
  3. Third Section
  4. Part II. Appendixes
  5. From a list, identify the responsibility of the bean provider and the responsibility of the container provider for a message-driven bean.
  6. Chapter 6. Component Contract for Container-Managed Persistence (CMP)
  7. Identify correct and incorrect statements or examples about persistent relationships, remove protocols, and about the abstract schema type of a CMP entity bean.
  8. Identify the interfaces and methods a CMP entity bean must and must not implement.
  9. Match the name with a description of purpose or functionality, for each of the following deployment descriptor elements: ejb-name, abstract-schema-name, ejb-relation, ejb-relat
  10. Identify correctly-implemented deployment descriptor elements for a CMP bean (including container-managed relationships).
  11. From a list, identify the purpose, behavior, and responsibilities of the bean provider for a CMP entity bean, including but not limited to: setEntityContext, unsetEntityContext, ejbC
  12. Chapter 7. CMP Entity Bean Life Cycle
  13. Identify correct and incorrect statements or examples about the rules and semantics for relationship assignment and relationship updating in a CMP bean.
  14. From a list, identify the responsibility of the container for a CMP entity bean, including but not limited to: setEntityContext, unsetEntityContext, ejbCreate, ejbPostCreate, ejbActi
  15. Given a code listing, determine whether it is a legal and appropriate way to programmatically access a caller's security context.
  16. Chapter 10. Message-Driven Bean Component Contract
  17. Identify correct and incorrect statements about the purpose and use of the deployment descriptor elements for environment entries, EJB references, and resource manager connection factory r
  18. Identify the use and the behavior of the ejbPassivate method in a session bean, including the responsibilities of both the container and the bean provider.
  19. Chapter 12. Exceptions
  20. Identify correct and incorrect statements or examples about the client view of an entity bean's local component interface (EJBLocalObject).
  21. Identify EJB 2.0 container requirements.
  22. Chapter 1. EJB Overview
  23. Identify correct and incorrect statements or examples about EJB programming restrictions.
  24. Chapter 9. EJB-QL
  25. Identify correct and incorrect statements or examples about the purpose and use of EJB QL.
  26. Identify correct and incorrect conditional expressions, BETWEEN expressions, IN expressions, LIKE expressions, and comparison expressions.
  27. Identify correct and incorrect statements or examples about the client view of a entity bean's remote component interface (EJBObject).
  28. Given a list, identify which are requirements for an EJB-jar file.
  29. Match EJB roles with the corresponding description of the role's responsibilities, where the description may include deployment descriptor information.
  30. Chapter 2. Client View of a Session Bean
  31. Chapter 13. Enterprise Bean Environment
  32. Chapter 8. Entity Beans
  33. Identify the use, syntax, and behavior of, the following entity bean home method types, for Container-Managed Persistence (CMP); finder methods, create methods, remove methods, and home me
  34. Identify correct and incorrect statements or examples about an entity bean's primary key and object identity.
  35. Identify correct and incorrect statements or examples about the client's view of exceptions received from an enterprise bean invocation.
  36. Identify correct and incorrect statements or examples about application exceptions and system exceptions in entity beans, session beans, and message-driven beans.
  37. Given a particular method condition, identify the following: whether an exception will be thrown, the type of exception thrown, the container's action, and the client's view.
  38. Given a list of responsibilities related to exceptions, identify those which are the bean provider's, and those which are the responsibility of the container provider. Be prepared to recog
  39. SCBCD Study Guide
  40. Identify the use and behavior of the MessageDrivenContext interface methods.