Google Git
Sign in
apache / tomee-site-pub / 43cf80e624a0cecf0f38bef5ef2614bfb2410f57 / . / master / docs / security-annotations.html
blob: 4dcd4958bf41434132f5902a77c23d35cc2d5c72 [file] [log] [blame]
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Apache TomEE</title>
<meta name="description"
content="Apache TomEE is a lightweight, yet powerful, JavaEE Application server with feature rich tooling." />
<meta name="keywords" content="tomee,asf,apache,javaee,jee,shade,embedded,test,junit,applicationcomposer,maven,arquillian" />
<meta name="author" content="Luka Cvetinovic for Codrops" />
<link rel="icon" href="../../favicon.ico">
<link rel="icon" type="image/png" href="../../favicon.png">
<meta name="msapplication-TileColor" content="#80287a">
<meta name="theme-color" content="#80287a">
<link rel="stylesheet" type="text/css" href="../../css/normalize.css">
<link rel="stylesheet" type="text/css" href="../../css/bootstrap.css">
<link rel="stylesheet" type="text/css" href="../../css/owl.css">
<link rel="stylesheet" type="text/css" href="../../css/animate.css">
<link rel="stylesheet" type="text/css" href="../../fonts/font-awesome-4.1.0/css/font-awesome.min.css">
<link rel="stylesheet" type="text/css" href="../../fonts/eleganticons/et-icons.css">
<link rel="stylesheet" type="text/css" href="../../css/jqtree.css">
<link rel="stylesheet" type="text/css" href="../../css/idea.css">
<link rel="stylesheet" type="text/css" href="../../css/cardio.css">
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-2717626-1']);
_gaq.push(['_setDomainName', 'apache.org']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
</head>
<body>
<div class="preloader">
<img src="../../img/loader.gif" alt="Preloader image">
</div>
<nav class="navbar">
<div class="container">
<div class="row"> <div class="col-md-12">
<!-- Brand and toggle get grouped for better mobile display -->
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="/">
<span>
<img src="../../img/logo-active.png">
</span>
Apache TomEE
</a>
</div>
<!-- Collect the nav links, forms, and other content for toggling -->
<div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
<ul class="nav navbar-nav navbar-right main-nav">
<li><a href="../../docs.html">Documentation</a></li>
<li><a href="../../community/index.html">Community</a></li>
<li><a href="../../security/security.html">Security</a></li>
<li><a href="../../download-ng.html">Downloads</a></li>
</ul>
</div>
<!-- /.navbar-collapse -->
</div></div>
</div>
<!-- /.container-fluid -->
</nav>
<div id="main-block" class="container main-block">
<div class="row title">
<div class="col-md-12">
<div class='page-header'>
<h1>Security Annotations</h1>
</div>
</div>
</div>
<div class="row">
<div class="col-md-12">
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>This page shows the correct usage of the security
related annotations:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>javax.annotation.security.RolesAllowed</p>
</li>
<li>
<p>javax.annotation.security.PermitAll</p>
</li>
<li>
<p>javax.annotation.security.DenyAll</p>
</li>
<li>
<p>javax.annotation.security.RunAs</p>
</li>
<li>
<p>javax.annotation.security.DeclareRoles</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_basic_idea">Basic idea</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p>By default all methods of a business interface are accessible, logged
in or not</p>
</li>
<li>
<p>The annotations go on the bean class, not the business interface</p>
</li>
<li>
<p>Security annotations can be applied to entire class and/or individual
methods</p>
</li>
<li>
<p>The names of any security roles used must be declared via
@DeclareRoles</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_no_restrictions">No restrictions</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Allow anyone logged in or not to invoke 'svnCheckout'.</p>
</div>
<div class="paragraph">
<p>These three examples are all equivalent.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-java" data-lang="java">@Stateless
public class OpenSourceProjectBean implements Project {
public String svnCheckout(String s) {
return s;
}
}
@Stateless
@PermitAll
public class OpenSourceProjectBean implements Project {
public String svnCheckout(String s) {
return s;
}
}
@Stateless
public class OpenSourceProjectBean implements Project {
@PermitAll
public String svnCheckout(String s) {
return s;
}
}</code></pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>Allow anyone logged in or not to invoke 'svnCheckout'.</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_restricting_a_method">Restricting a Method</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Restrict the 'svnCommit' method to only individuals logged in and part
of the "committer" role. Note that more than one role can be listed.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-java" data-lang="java">@Stateless
@DeclareRoles({"committer"})
public class OpenSourceProjectBean implements Project {
@RolesAllowed({"committer"})
public String svnCommit(String s) {
return s;
}
public String svnCheckout(String s) {
return s;
}
}</code></pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>Allow only logged in users in the "committer" role to invoke
'svnCommit'.</p>
</li>
<li>
<p>Allow anyone logged in or not to invoke 'svnCheckout'.</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_declareroles">DeclareRoles</h2>
<div class="sectionbody">
<div class="paragraph">
<p>You need to update the <code>@DeclareRoles</code> when referencing roles via
isCallerInRole(roleName).</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-java" data-lang="java">@Stateless
@DeclareRoles({"committer", "contributor"})
public class OpenSourceProjectBean implements Project {
@Resource SessionContext ctx;
@RolesAllowed({"committer"})
public String svnCommit(String s) {
ctx.isCallerInRole("committer"); // Referencing a Role
return s;
}
@RolesAllowed({"contributor"})
public String submitPatch(String s) {
return s;
}
}</code></pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_restricting_all_methods_in_a_class">Restricting all methods in a class</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Placing the annotation at the class level changes the default of
PermitAll</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-java" data-lang="java">@Stateless
@DeclareRoles({"committer"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {
public String svnCommit(String s) {
return s;
}
public String svnCheckout(String s) {
return s;
}
public String submitPatch(String s) {
return s;
}
}</code></pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>Allow only logged in users in the "committer" role to invoke
'svnCommit', 'svnCheckout' or 'submitPatch'.</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_mixing_class_and_method_level_restrictions">Mixing class and method level restrictions</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Security annotations can be used at the class level and method level at
the same time. These rules do not stack, so marking 'submitPatch'
overrides the default of "committers".</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-java" data-lang="java">@Stateless
@DeclareRoles({"committer", "contributor"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {
public String svnCommit(String s) {
return s;
}
public String svnCheckout(String s) {
return s;
}
@RolesAllowed({"contributor"})
public String submitPatch(String s) {
return s;
}
}</code></pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>Allow only logged in users in the "committer" role to invoke
'svnCommit' or 'svnCheckout'</p>
</li>
<li>
<p>Allow only logged in users in the "contributor" role to invoke
'submitPatch'.</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_permitall">PermitAll</h2>
<div class="sectionbody">
<div class="paragraph">
<p>When annotating a bean class with <code>@RolesAllowed</code>, the <code>@PermitAll</code>
annotation becomes very useful on individual methods to open them back
up again.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-java" data-lang="java">@Stateless
@DeclareRoles({"committer", "contributor"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {
public String svnCommit(String s) {
return s;
}
@PermitAll
public String svnCheckout(String s) {
return s;
}
@RolesAllowed({"contributor"})
public String submitPatch(String s) {
return s;
}
}</code></pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>Allow only logged in users in the "committer" role to invoke
'svnCommit'.</p>
</li>
<li>
<p>Allow only logged in users in the "contributor" role to invoke
'submitPatch'.</p>
</li>
<li>
<p>Allow anyone logged in or not to invoke 'svnCheckout'.</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_denyall">DenyAll</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The <code>@DenyAll</code> annotation can be used to restrict business interface
access from anyone, logged in or not. The method is still invokable from
within the bean class itself.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-java" data-lang="java">@Stateless
@DeclareRoles({"committer", "contributor"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {
public String svnCommit(String s) {
return s;
}
@PermitAll
public String svnCheckout(String s) {
return s;
}
@RolesAllowed({"contributor"})
public String submitPatch(String s) {
return s;
}
@DenyAll
public String deleteProject(String s) {
return s;
}
}</code></pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>Allow only logged in users in the "committer" role to invoke
'svnCommit'.</p>
</li>
<li>
<p>Allow only logged in users in the "contributor" role to invoke
'submitPatch'.</p>
</li>
<li>
<p>Allow anyone logged in or not to invoke 'svnCheckout'.</p>
</li>
<li>
<p>Allow <em>no one</em> logged in or not to invoke 'deleteProject'.</p>
</li>
</ul>
</div>
</div>
</div>
<h1 id="_illegal_usage" class="sect0">Illegal Usage</h1>
<div class="paragraph">
<p>Generally, security restrictions cannot be made on AroundInvoke methods
and most callbacks.</p>
</div>
<div class="paragraph">
<p>The following usages of <code>@RolesAllowed</code> have no effect.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-java" data-lang="java">@Stateful
@DecalredRoles({"committer"})
public class MyStatefulBean implements MyBusinessInterface {
@PostConstruct
@RolesAllowed({"committer"})
public void constructed(){
}
@PreDestroy
@RolesAllowed({"committer"})
public void destroy(){
}
@AroundInvoke
@RolesAllowed({"committer"})
public Object invoke(InvocationContext invocationContext) throws</code></pre>
</div>
</div>
<div class="paragraph">
<p>Exception \{ return invocationContext.proceed(); }</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-java" data-lang="java"> @PostActivate
@RolesAllowed({"committer"})
public void activated(){
}
@PrePassivate
@RolesAllowed({"committer"})
public void passivate(){
}
}</code></pre>
</div>
</div>
</div>
</div>
</div>
<footer>
<div class="container">
<div class="row">
<div class="col-sm-6 text-center-mobile">
<h3 class="white">Be simple. Be certified. Be Tomcat.</h3>
<h5 class="light regular light-white">"A good application in a good server"</h5>
<ul class="social-footer">
<li><a href="https://www.facebook.com/ApacheTomEE/"><i class="fa fa-facebook"></i></a></li>
<li><a href="https://twitter.com/apachetomee"><i class="fa fa-twitter"></i></a></li>
<li><a href="https://plus.google.com/communities/105208241852045684449"><i class="fa fa-google-plus"></i></a></li>
</ul>
</div>
<div class="col-sm-6 text-center-mobile">
<div class="row opening-hours">
<div class="col-sm-3 text-center-mobile">
<h5><a href="../../latest/docs/" class="white">Documentation</a></h5>
<ul class="list-unstyled">
<li><a href="../../latest/docs/admin/configuration/index.html" class="regular light-white">How to configure</a></li>
<li><a href="../../latest/docs/admin/file-layout.html" class="regular light-white">Dir. Structure</a></li>
<li><a href="../../latest/docs/developer/testing/index.html" class="regular light-white">Testing</a></li>
<li><a href="../../latest/docs/admin/cluster/index.html" class="regular light-white">Clustering</a></li>
</ul>
</div>
<div class="col-sm-3 text-center-mobile">
<h5><a href="../../latest/examples/" class="white">Examples</a></h5>
<ul class="list-unstyled">
<li><a href="../../latest/examples/simple-cdi-interceptor.html" class="regular light-white">CDI Interceptor</a></li>
<li><a href="../../latest/examples/rest-cdi.html" class="regular light-white">REST with CDI</a></li>
<li><a href="../../latest/examples/ejb-examples.html" class="regular light-white">EJB</a></li>
<li><a href="../../latest/examples/jsf-managedBean-and-ejb.html" class="regular light-white">JSF</a></li>
</ul>
</div>
<div class="col-sm-3 text-center-mobile">
<h5><a href="../../community/index.html" class="white">Community</a></h5>
<ul class="list-unstyled">
<li><a href="../../community/contributors.html" class="regular light-white">Contributors</a></li>
<li><a href="../../community/social.html" class="regular light-white">Social</a></li>
<li><a href="../../community/sources.html" class="regular light-white">Sources</a></li>
</ul>
</div>
<div class="col-sm-3 text-center-mobile">
<h5><a href="../../security/index.html" class="white">Security</a></h5>
<ul class="list-unstyled">
<li><a href="http://apache.org/security" target="_blank" class="regular light-white">Apache Security</a></li>
<li><a href="http://apache.org/security/projects.html" target="_blank" class="regular light-white">Security Projects</a></li>
<li><a href="http://cve.mitre.org" target="_blank" class="regular light-white">CVE</a></li>
</ul>
</div>
</div>
</div>
</div>
<div class="row bottom-footer text-center-mobile">
<div class="col-sm-12 light-white">
<p>Copyright &copy; 1999-2016 The Apache Software Foundation, Licensed under the Apache License, Version 2.0. Apache TomEE, TomEE, Apache, the Apache feather logo, and the Apache TomEE project logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.</p>
</div>
</div>
</div>
</footer>
<!-- Holder for mobile navigation -->
<div class="mobile-nav">
<ul>
<li><a hef="../../latest/docs/admin/index.html">Administrators</a>
<li><a hef="../../latest/docs/developer/index.html">Developers</a>
<li><a hef="../../latest/docs/advanced/index.html">Advanced</a>
<li><a hef="../../community/index.html">Community</a>
</ul>
<a href="#" class="close-link"><i class="arrow_up"></i></a>
</div>
<!-- Scripts -->
<script src="../../js/jquery-1.11.1.min.js"></script>
<script src="../../js/owl.carousel.min.js"></script>
<script src="../../js/bootstrap.min.js"></script>
<script src="../../js/wow.min.js"></script>
<script src="../../js/typewriter.js"></script>
<script src="../../js/jquery.onepagenav.js"></script>
<script src="../../js/tree.jquery.js"></script>
<script src="../../js/highlight.pack.js"></script>
<script src="../../js/main.js"></script>
</body>
</html>