Google Git
Sign in
apache / tomee-site-pub / 476cf231b77b83a25b4407df84b6a5fd7c0d673a / . / security-annotations.html
blob: 3be6b8516526359d39434f467b13748d601d3b84 [file] [log] [blame]
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Security Annotations</title>
<meta name="description" content="Apache TomEE">
<meta name="author" content="Apache TomEE">
<meta name="google-translate-customization" content="f36a520c08f4c9-0a04e86a9c075ce9-g265f3196f697cf8f-10">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="0">
<meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate, max-age=0">
<!-- Le HTML5 shim, for IE6-8 support of HTML elements -->
<!--[if lt IE 9]>
<script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
<!-- Le styles -->
<link href="./resources/css/bootstrap.css" rel="stylesheet">
<link href="./resources/css/prettify.css" rel="stylesheet">
<!--link href="./resources/css/bootstrap-mods.css" rel="stylesheet"-->
<link href="./resources/css/main.css" rel="stylesheet">
<link href="./resources/font-awesome-4.6.3/css/font-awesome.min.css" rel="stylesheet">
<script type="text/javascript">
var t = encodeURIComponent(document.title.replace(/^\s+|\s+$/g,""));
var u = encodeURIComponent(""+document.URL);
function fbshare () {
window.open(
"http://www.facebook.com/sharer/sharer.php?u="+u,
'Share on Facebook',
'width=640,height=426');
};
function gpshare () {
window.open(
"https://plus.google.com/share?url="+u,
'Share on Google+',
'width=584,height=385');
};
function twshare () {
window.open(
"https://twitter.com/intent/tweet?url="+u+"&text="+t,
'Share on Twitter',
'width=800,height=526');
};
function pinshare () {
window.open("//www.pinterest.com/pin/create/button/?url="+u+"&media=http%3A%2F%2Ftomee.apache.org%2Fresources%2Fimages%2Ffeather-logo.png&description="+t,
'Share on Pinterest',
'width=800,height=526');
};
</script>
<!-- Le fav and touch icons -->
<link rel="shortcut icon" href="./favicon.ico">
<link rel="apple-touch-icon" href="./resources/images/apple-touch-icon.png">
<link rel="apple-touch-icon" sizes="72x72" href="./resources/images/apple-touch-icon-72x72.png">
<link rel="apple-touch-icon" sizes="114x114" href="./resources/images/apple-touch-icon-114x114.png">
<script src="./resources/js/prettify.js" type="text/javascript"></script>
<script src="./resources/js/jquery-latest.js"></script>
<script src="http://platform.twitter.com/widgets.js" type="text/javascript"></script>
<script src="./resources/js/common.js"></script>
<script src="./resources/js/prettyprint.js"></script>
<!--script src="//assets.pinterest.com/js/pinit.js" type="text/javascript" async></script//-->
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-2717626-1']);
_gaq.push(['_setDomainName', 'apache.org']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
</head>
<body>
<div class="topbar" data-dropdown="dropdown">
<div class="fill">
<div class="container">
<a class="brand" href="./index.html">Apache TomEE</a>
<ul class="nav">
<li class="dropdown">
<a class="dropdown-toggle" data-toggle="dropdown" href="#">
Apache
<b class="caret"></b>
</a>
<ul class="dropdown-menu">
<!-- <li><a href="./misc/whoweare.html">Who we are?</a></li> -->
<!-- <li><a href="./misc/heritage.html">Heritage</a></li> -->
<li><a href="http://www.apache.org">Apache Home</a></li>
<!-- <li><a href="./misc/resources.html">Resources</a></li> -->
<li><a href="./misc/contact.html">Contact</a></li>
<li><a href="./misc/legal.html">Legal</a></li>
<li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
<li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
<li class="divider"/>
<li><a href="http://www.apache.org/security">Security</a></li>
</ul>
</li>
<li><a href="./index.html">Home</a></li>
<li><a href="./downloads.html">Downloads</a></li>
<li><a href="./documentation.html">Documentation</a></li>
<li><a href="./examples-trunk/index.html">Examples</a></li>
<li><a href="./support.html">Support</a></li>
<li><a href="./contribute.html">Contribute</a></li>
<li><a href="./security/index.html">Security</a></li>
</ul>
<!-- Google CSE Search Box Begins -->
<FORM class="pull-right" id="searchbox_010475492895890475512:_t4iqjrgx90" action="http://www.google.com/cse">
<INPUT type="hidden" name="cx" value="010475492895890475512:_t4iqjrgx90">
<INPUT type="hidden" name="cof" value="FORID:0">
<INPUT size="18" width="130" style="width:130px" name="q" type="text" placeholder="Search">
</FORM>
<!--<SCRIPT type="text/javascript" src="http://www.google.com/coop/cse/brand?form=searchbox_010475492895890475512:_t4iqjrgx90"></SCRIPT>-->
<!-- Google CSE Search Box Ends -->
</div>
</div>
</div>
<div class="container">
<div class="page-header">
<small><a href="./index.html">Home</a></small><br>
<h1>Security Annotations
<div style="float: right; position: relative; bottom: -10px; ">
<a onclick="javascript:gpshare()" class="gp-share sprite" title="Share on Google+">share [gp]</a>
<a onclick="javascript:fbshare()" class="fb-share sprite" title="Share on Facebook">share [fb]</a>
<a onclick="javascript:twshare()" class="tw-share sprite" title="Share on Twitter">share [tw]</a>
<a onclick="javascript:pinshare()" class="pin-share sprite" title="Share on Pinterest">share [pin]</a>
<a data-toggle="modal" href="#edit" class="edit-page" title="Contribute to this Page">contribute</a>
</div>
</h1>
</div>
<p>This page shows the correct usage of the security related annotations:</p>
<ul>
<li>javax.annotation.security.RolesAllowed</li>
<li>javax.annotation.security.PermitAll</li>
<li>javax.annotation.security.DenyAll</li>
<li>javax.annotation.security.RunAs</li>
<li>javax.annotation.security.DeclareRoles</li>
</ul>
<p><a name="SecurityAnnotations-Basicidea"></a></p>
<h2>Basic idea</h2>
<ul>
<li>By default all methods of a business interface are accessible, logged in
or not</li>
<li>The annotations go on the bean class, not the business interface</li>
<li>Security annotations can be applied to entire class and/or individual
methods</li>
<li>The names of any security roles used must be declared via @DeclareRoles</li>
</ul>
<p><a name="SecurityAnnotations-Norestrictions"></a></p>
<h2>No restrictions</h2>
<p>Allow anyone logged in or not to invoke 'svnCheckout'.</p>
<p>These three examples are all equivalent.</p>
<pre><code>@Stateless
public class OpenSourceProjectBean implements Project {
public String svnCheckout(String s) {
return s;
}
}
@Stateless
@PermitAll
public class OpenSourceProjectBean implements Project {
public String svnCheckout(String s) {
return s;
}
}
@Stateless
public class OpenSourceProjectBean implements Project {
@PermitAll
public String svnCheckout(String s) {
return s;
}
}
</code></pre>
<ul>
<li>Allow anyone logged in or not to invoke 'svnCheckout'.</li>
</ul>
<p><a name="SecurityAnnotations-RestrictingaMethod"></a></p>
<h2>Restricting a Method</h2>
<p>Restrict the 'svnCommit' method to only individuals logged in and part of
the "committer" role. Note that more than one role can be listed.</p>
<pre><code>@Stateless
@DeclareRoles({"committer"})
public class OpenSourceProjectBean implements Project {
@RolesAllowed({"committer"})
public String svnCommit(String s) {
return s;
}
public String svnCheckout(String s) {
return s;
}
}
</code></pre>
<ul>
<li>Allow only logged in users in the "committer" role to invoke
'svnCommit'.</li>
<li>Allow anyone logged in or not to invoke 'svnCheckout'.</li>
</ul>
<p><a name="SecurityAnnotations-DeclareRoles"></a></p>
<h2>DeclareRoles</h2>
<p>You need to update the @DeclareRoles when referencing roles via
isCallerInRole(roleName).</p>
<pre><code>@Stateless
@DeclareRoles({"committer", "contributor"})
public class OpenSourceProjectBean implements Project {
@Resource SessionContext ctx;
@RolesAllowed({"committer"})
public String svnCommit(String s) {
ctx.isCallerInRole("committer"); // Referencing a Role
return s;
}
@RolesAllowed({"contributor"})
public String submitPatch(String s) {
return s;
}
}
</code></pre>
<p><a name="SecurityAnnotations-Restrictingallmethodsinaclass"></a></p>
<h2>Restricting all methods in a class</h2>
<p>Placing the annotation at the class level changes the default of PermitAll</p>
<pre><code>@Stateless
@DeclareRoles({"committer"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {
public String svnCommit(String s) {
return s;
}
public String svnCheckout(String s) {
return s;
}
public String submitPatch(String s) {
return s;
}
}
</code></pre>
<ul>
<li>Allow only logged in users in the "committer" role to invoke 'svnCommit',
'svnCheckout' or 'submitPatch'.</li>
</ul>
<p><a name="SecurityAnnotations-Mixingclassandmethodlevelrestrictions"></a></p>
<h2>Mixing class and method level restrictions</h2>
<p>Security annotations can be used at the class level and method level at the
same time. These rules do not stack, so marking 'submitPatch' overrides
the default of "committers".</p>
<pre><code>@Stateless
@DeclareRoles({"committer", "contributor"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {
public String svnCommit(String s) {
return s;
}
public String svnCheckout(String s) {
return s;
}
@RolesAllowed({"contributor"})
public String submitPatch(String s) {
return s;
}
}
</code></pre>
<ul>
<li>Allow only logged in users in the "committer" role to invoke 'svnCommit'
or 'svnCheckout'</li>
<li>Allow only logged in users in the "contributor" role to invoke
'submitPatch'. </li>
</ul>
<p><a name="SecurityAnnotations-PermitAll"></a></p>
<h2>PermitAll</h2>
<p>When annotating a bean class with @RolesAllowed, the @PermitAll annotation
becomes very useful on individual methods to open them back up again.</p>
<pre><code>@Stateless
@DeclareRoles({"committer", "contributor"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {
public String svnCommit(String s) {
return s;
}
@PermitAll
public String svnCheckout(String s) {
return s;
}
@RolesAllowed({"contributor"})
public String submitPatch(String s) {
return s;
}
}
</code></pre>
<ul>
<li>Allow only logged in users in the "committer" role to invoke
'svnCommit'.</li>
<li>Allow only logged in users in the "contributor" role to invoke
'submitPatch'.</li>
<li>Allow anyone logged in or not to invoke 'svnCheckout'.</li>
</ul>
<p><a name="SecurityAnnotations-DenyAll"></a></p>
<h2>DenyAll</h2>
<p>The @DenyAll annotation can be used to restrict business interface access
from anyone, logged in or not. The method is still invokable from within
the bean class itself.</p>
<pre><code>@Stateless
@DeclareRoles({"committer", "contributor"})
@RolesAllowed({"committer"})
public class OpenSourceProjectBean implements Project {
public String svnCommit(String s) {
return s;
}
@PermitAll
public String svnCheckout(String s) {
return s;
}
@RolesAllowed({"contributor"})
public String submitPatch(String s) {
return s;
}
@DenyAll
public String deleteProject(String s) {
return s;
}
}
</code></pre>
<ul>
<li>Allow only logged in users in the "committer" role to invoke
'svnCommit'.</li>
<li>Allow only logged in users in the "contributor" role to invoke
'submitPatch'.</li>
<li>Allow anyone logged in or not to invoke 'svnCheckout'.</li>
<li>Allow <em>no one</em> logged in or not to invoke 'deleteProject'.</li>
</ul>
<p><a name="SecurityAnnotations-IllegalUsage"></a></p>
<h1>Illegal Usage</h1>
<p>Generally, security restrictions cannot be made on AroundInvoke methods and
most callbacks.</p>
<p>The following usages of @RolesAllowed have no effect.</p>
<pre><code>@Stateful
@DecalredRoles({"committer"})
public class MyStatefulBean implements MyBusinessInterface {
@PostConstruct
@RolesAllowed({"committer"})
public void constructed(){
}
@PreDestroy
@RolesAllowed({"committer"})
public void destroy(){
}
@AroundInvoke
@RolesAllowed({"committer"})
public Object invoke(InvocationContext invocationContext) throws
</code></pre>
<p>Exception {
return invocationContext.proceed();
}</p>
<pre><code> @PostActivate
@RolesAllowed({"committer"})
public void activated(){
}
@PrePassivate
@RolesAllowed({"committer"})
public void passivate(){
}
}
</code></pre>
<div id="edit" class="modal hide fade in" style="display: none; ">
<div class="modal-header">
<a class="close" data-dismiss="modal">x</a>
<h3>Thank you for contributing to the documentation!</h3>
</div>
<div class="modal-body">
<h4>Any help with the documentation is greatly appreciated.</h4>
<p>All edits are reviewed before going live, so feel free to do much more than fix typos or links. If you see a page that could benefit from an entire rewrite, we'd be thrilled to review it. Don't be surprised if we like it so much we ask you for help with other pages :)</p>
<small>NOTICE: unless indicated otherwise on the pages in question, all editable content available from apache.org is presumed to be licensed under the Apache License (AL) version 2.0 and hence all submissions to apache.org treated as formal Contributions under the license terms.</small>
<!--[if gt IE 6]>
<h4>Internet Explorer Users</h4>
<p>If you are not an Apache committer, click the Yes link and enter a <i>anonymous</i> for the username and leave the password empty</p>
<![endif]-->
</div>
<div class="modal-footer">
Do you have an Apache ID?
<a href="javascript:void(location.href='https://cms.apache.org/redirect?uri='+escape(location.href))" class="btn">Yes</a>
<a href="javascript:void(location.href='https://anonymous:@cms.apache.org/redirect?uri='+escape(location.href))" class="btn">No</a>
</div>
</div>
<script src="./resources/js/bootstrap-modal.js"></script>
<footer>
<p>Copyright &copy; 1999-2016 The Apache Software Foundation, Licensed under the Apache License, Version 2.0.
Apache TomEE, TomEE, Apache, the Apache feather logo, and the Apache TomEE project logo are trademarks of The Apache Software Foundation.
All other marks mentioned may be trademarks or registered trademarks of their respective owners.</p>
</footer>
</div> <!-- /container -->
<!-- Javascript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
<script src="./resources/js/bootstrap-dropdown.js"></script>
</body>
</html>