ch09s02.html

Detailed description of JBoss 3.0 configuration, etc.
</div>This style is used to refer to a specified method within a
						set of methods with an overloaded name. The method must be defined in the
						specified enterprise bean's remote or home interface. The optional method-intf
						element can be used to differentiate methods with the same name and signature
that are defined in both the remote and home interfaces.</p></dd></dl></div><p>The following EJB 1.1 spec example illustrates how security roles
			 are assigned method permissions in the deployment descriptor:
			 <div class="example"><p><a name="sx.security-role-assignment.example"></a><b>Example 9.2. Sample method-permission Element Usage</b></p><pre class="programlisting">
...
&lt;method-permission&gt;
	&lt;role-name&gt;employee&lt;/role-name&gt;
	&lt;method&gt;
		&lt;ejb-name&gt;EmployeeService&lt;/ejb-name&gt;
		&lt;method-name&gt;*&lt;/method-name&gt;
	&lt;/method&gt;
&lt;/method-permission&gt;

&lt;method-permission&gt;
	&lt;role-name&gt;employee&lt;/role-name&gt;
	&lt;method&gt;
		&lt;ejb-name&gt;AardvarkPayroll&lt;/ejb-name&gt;
		&lt;method-name&gt;findByPrimaryKey&lt;/method-name&gt;
	&lt;/method&gt;

	&lt;method&gt;
		&lt;ejb-name&gt;AardvarkPayroll&lt;/ejb-name&gt;
		&lt;method-name&gt;getEmployeeInfo&lt;/method-name&gt;
	&lt;/method&gt;

	&lt;method&gt;
		&lt;ejb-name&gt;AardvarkPayroll&lt;/ejb-name&gt;
		&lt;method-name&gt;updateEmployeeInfo&lt;/method-name&gt;
	&lt;/method&gt;
&lt;/method-permission&gt;

&lt;method-permission&gt;
	&lt;role-name&gt;admin&lt;/role-name&gt;
	&lt;method&gt;
		&lt;ejb-name&gt;EmployeeServiceAdmin&lt;/ejb-name&gt;
		&lt;method-name&gt;*&lt;/method-name&gt;
	&lt;/method&gt;
&lt;/method-permission&gt;
...</pre></div> 
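<p>The following Java program is an added example; it is not part of the JBoss manual or the JBoss source. It parses the method-permission elements of Example 9.2 and evaluates an invocation the way a container-side check of the shape RealmMapping.doesUserHaveRole(principal, methodRoles) does: the roles of a wildcard (*) permission and of an exact method-name permission are combined, and the caller must hold at least one of them. The principal names, their role assignments and the decision to deny a method for which no method-permission is declared at all are assumptions of the example, not statements of the manual.</p>

```java
// Added example (not JBoss code): evaluating EJB 1.1 method-permission
// declarations against a principal's roles, as a container-side check would.
import java.util.*;
import java.util.regex.*;

public class MethodPermissionCheck {

    /** ejb-name -> (method-name -> allowed roles); "*" is the wildcard method. */
    private final Map<String, Map<String, Set<String>>> permissions = new HashMap<>();
    /** Roles assigned to each principal at login (stands in for the JAAS Subject's roles). */
    private final Map<String, Set<String>> principalRoles = new HashMap<>();

    private static final Pattern PERMISSION =
        Pattern.compile("<method-permission>(.*?)</method-permission>", Pattern.DOTALL);
    private static final Pattern ROLE = Pattern.compile("<role-name>\\s*(.*?)\\s*</role-name>");
    private static final Pattern METHOD = Pattern.compile(
        "<method>.*?<ejb-name>\\s*(.*?)\\s*</ejb-name>.*?<method-name>\\s*(.*?)\\s*</method-name>.*?</method>",
        Pattern.DOTALL);

    /** Parse the method-permission elements of an ejb-jar.xml fragment. */
    public void load(String ejbJarXml) {
        Matcher mp = PERMISSION.matcher(ejbJarXml);
        while (mp.find()) {
            String body = mp.group(1);
            Set<String> roles = new HashSet<>();
            Matcher r = ROLE.matcher(body);
            while (r.find()) roles.add(r.group(1));
            Matcher m = METHOD.matcher(body);
            while (m.find()) {
                permissions.computeIfAbsent(m.group(1), k -> new HashMap<>())
                           .computeIfAbsent(m.group(2), k -> new HashSet<>())
                           .addAll(roles);
            }
        }
    }

    public void assignRoles(String principal, String... roles) {
        principalRoles.put(principal, new HashSet<>(Arrays.asList(roles)));
    }

    /** Roles allowed to call ejbName.methodName (union of "*" and exact-name permissions), or null if none declared. */
    public Set<String> methodRoles(String ejbName, String methodName) {
        Map<String, Set<String>> byMethod = permissions.getOrDefault(ejbName, Collections.emptyMap());
        Set<String> roles = new HashSet<>();
        roles.addAll(byMethod.getOrDefault("*", Collections.emptySet()));
        roles.addAll(byMethod.getOrDefault(methodName, Collections.emptySet()));
        return roles.isEmpty() ? null : roles;
    }

    /** Same shape as RealmMapping.doesUserHaveRole(principal, methodRoles): one matching role suffices. */
    public boolean doesUserHaveRole(String principal, Set<String> methodRoles) {
        Set<String> have = principalRoles.getOrDefault(principal, Collections.emptySet());
        for (String role : methodRoles) if (have.contains(role)) return true;
        return false;
    }

    /** The interceptor's decision. Denying a method with no declared permission is this example's assumption. */
    public void checkInvocation(String principal, String ejbName, String methodName) {
        Set<String> roles = methodRoles(ejbName, methodName);
        if (roles == null)
            throw new SecurityException("no method-permission declared for " + ejbName + "." + methodName);
        if (!doesUserHaveRole(principal, roles))
            throw new SecurityException(principal + " holds none of " + roles
                                        + " required by " + ejbName + "." + methodName);
    }

    public static void main(String[] args) {
        // Constructed input: the method-permission elements of Example 9.2, compacted.
        String ejbJar = String.join("\n",
            "<method-permission><role-name>employee</role-name>",
            "  <method><ejb-name>EmployeeService</ejb-name><method-name>*</method-name></method>",
            "</method-permission>",
            "<method-permission><role-name>employee</role-name>",
            "  <method><ejb-name>AardvarkPayroll</ejb-name><method-name>findByPrimaryKey</method-name></method>",
            "  <method><ejb-name>AardvarkPayroll</ejb-name><method-name>getEmployeeInfo</method-name></method>",
            "  <method><ejb-name>AardvarkPayroll</ejb-name><method-name>updateEmployeeInfo</method-name></method>",
            "</method-permission>",
            "<method-permission><role-name>admin</role-name>",
            "  <method><ejb-name>EmployeeServiceAdmin</ejb-name><method-name>*</method-name></method>",
            "</method-permission>");
        MethodPermissionCheck check = new MethodPermissionCheck();
        check.load(ejbJar);
        check.assignRoles("alice", "employee");   // assumed principals and role assignments
        check.assignRoles("bob", "admin");

        String[][] calls = {
            {"alice", "EmployeeService", "findAll"},            // matched by the "*" permission
            {"alice", "AardvarkPayroll", "updateEmployeeInfo"}, // listed explicitly
            {"bob",   "AardvarkPayroll", "getEmployeeInfo"},    // admin is not employee: denied
            {"alice", "AardvarkPayroll", "removeEmployee"},     // nothing declared: denied
            {"bob",   "EmployeeServiceAdmin", "resetAll"},      // admin wildcard
        };
        for (String[] c : calls) {
            try {
                check.checkInvocation(c[0], c[1], c[2]);
                System.out.println("ALLOW " + c[0] + " -> " + c[1] + "." + c[2]);
            } catch (SecurityException e) {
                System.out.println("DENY  " + c[0] + " -> " + c[1] + "." + c[2] + ": " + e.getMessage());
            }
        }
    }
}
```

<p>The two DENY lines are the ones worth studying: bob is refused getEmployeeInfo although he is an administrator, because only the employee role is named for that method, and alice is refused removeEmployee because no method-permission covers it, which is exactly the case a reviewer should look for in a real ejb-jar.xml before assuming a method is protected.</p>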
</p><p>The check of declarative method permissions is handled by the JBoss container SecurityInterceptor. When a method is invoked, the SecurityInterceptor obtains the set of roles declared in method-permission elements for the method and invokes RealmMapping.doesUserHaveRole(principal, methodRoles) to see if the principal invoking the method has one of the roles in the methodRoles set. When the JaasSecurityManager is used as the RealmMapping implementation, the association of roles with a principal occurs during authentication: one or more of the LoginModules associated with the security domain adds the roles the principal belongs to into the JAAS Subject instance created by the login process. The roles found in the Subject are then used by the JaasSecurityManager in its RealmMapping implementation.</p></div></div><div class="section"><a name="d0e6143"></a><div class="titlepage"><div><h3 class="title"><a name="d0e6143"></a>EJB Custom Security</h3></div></div><p>While a good concept, the declarative security model is often too simplistic to cover business application security requirements. Reasons for this include:</p><div class="itemizedlist"><ul><li><p><a name="d0e6149"></a>method permissions can be a function of the method arguments or
				bean state.</p></li><li><p><a name="d0e6152"></a>method permissions can be a function of the caller principal
				and some application state.</p></li><li><p><a name="d0e6155"></a>the caller principal roles may be assigned after deployment and
				therefore are not available for use in the deployment descriptor.</p></li></ul></div><div class="section"><a name="d0e6158"></a><div class="titlepage"><div><h4 class="title"><a name="d0e6158"></a>EJB 1.1 Custom Security</h4></div></div><p>The EJB 1.1 spec defines a mechanism by which custom security can
			 be implemented by the bean provider. This requires introduction of security
			 logic into the EJB's business method implementation. For this reason, 
			 <i>Enterprise JavaBeans Specification, v1.1, Section
				15.2.5</i> states: &#8220;Note: In general, security management should
			 be enforced by the Container in a manner that is transparent to the enterprise
			 beans business methods. The security API described in this section should be
			 used only in the less frequent situations in which the enterprise bean business
			 methods need to access the security context information.&#8221; 
</p><p>The EJB 1.1 custom security API consists of the following two
			 javax.ejb.EJBContext interface methods:</p><div class="itemizedlist"><ul><li><p><a name="d0e6172"></a>java.security.Principal getCallerPrincipal()</p></li><li><p><a name="d0e6175"></a>boolean isCallerInRole(java.lang.String roleName)</p></li></ul></div><p>Using these methods along with custom code you can add any type
			 of security validation to your EJB. When using isCallerInRole, there must be
			 a security-role-ref element in the ejb-jar deployment descriptor for every
			 security role name used in the enterprise bean code. Declaring the security
			 role references in the code allows the application assembler or deployer to
			 link the names of the security roles used in the code to the security roles
			 defined for the assembled application through its security-role elements. A
			 role-link element must be used even if the value of role-name is the same as
			 the value of the role-link reference. The following EJB 1.1 spec deployment
			 descriptor example shows how to link the security role reference named payroll
			 to the security role named payroll-department.</p><div class="example"><p><a name="d0e6180"></a><b>Example 9.3. Sample security-role-ref Element Usage</b></p><pre class="programlisting">
...
	&lt;enterprise-beans&gt;
		...
		&lt;entity&gt;
			&lt;ejb-name&gt;AardvarkPayroll&lt;/ejb-name&gt;
			&lt;ejb-class&gt;com.aardvark.payroll.PayrollBean&lt;/ejb-class&gt;
			...
			&lt;security-role-ref&gt;
				&lt;description&gt;
				This role should be assigned to the employees of the payroll department.
				Members of this role have access to anyone's payroll record.
				The role has been linked to the payroll-department role.
				&lt;/description&gt;
				&lt;role-name&gt;payroll&lt;/role-name&gt;
				&lt;role-link&gt;payroll-department&lt;/role-link&gt;
			&lt;/security-role-ref&gt;
			...
		&lt;/entity&gt;
		...
	&lt;/enterprise-beans&gt;
...
</pre></div><p>A problem with this approach is that security requirements tend to change
			 independently of the application business logic, and they are a function of the
			 deployment environment, yet here the security logic is compiled into the bean. The
			 JBossSX framework provides a solution to the custom security problem in a manner
			 that is transparent to the enterprise bean's business methods. This allows the
			 security logic to change independently of the business logic, and the security
			 layer can be selected at deployment time to fit the operational environment.</p></div><div class="section"><a name="sx.security-proxy"></a><div class="titlepage"><div><h4 class="title"><a name="sx.security-proxy"></a>The JBossSX Security Proxy Model</h4></div></div><p>The custom security solution that the JBossSX framework offers is an extension of the method interceptor paradigm. We will see the details of this in <a href="ch09s08.html" title="The JBoss Security Model">the section called &#8220;The JBoss Security Model&#8221;</a>. The security proxy is an implementation of the &#8220;protection proxy&#8221; form of the Proxy pattern described in the <i>Design Patterns</i> book. The security proxy model allows for the development of an implementation of the business object's remote or home interface whose sole responsibility is the per-method security logic. This implementation object is the security proxy. The container method interceptors first dispatch home and remote method invocations to the security proxy for custom security logic validation. If the security requirements are satisfied, the method invocation is dispatched to the business logic EJB.
If the security requirements are not satisfied, a security exception is raised and the method invocation is halted.</p></div></div></div></body></html>
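<p>The following Java program is an added example and not code from the JBoss manual or from JBossSX; it illustrates, in plain Java, the protection-proxy model described in the section above and the first two motivations listed under EJB Custom Security (permissions that depend on method arguments and on the caller principal). The Payroll interface, the PayrollBean, the Caller stand-in for the EJBContext methods getCallerPrincipal and isCallerInRole, the principals and their roles are all assumptions of the example. JBossSX's own SecurityProxy interface is covered in the section the text refers to and is not reproduced here; the point shown is the dispatch order: security proxy first, then the bean, with a SecurityException halting the call.</p>

```java
// Added example (not JBossSX code): the "protection proxy" form of the Proxy
// pattern applied to a bean's business interface, with an interceptor that
// consults the security proxy before dispatching to the business object.
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.*;

public class SecurityProxyDemo {

    /** The business interface a remote interface would declare (assumed). */
    public interface Payroll {
        String getEmployeeInfo(String employeeId);
        void updateEmployeeInfo(String employeeId, String info);
    }

    /** Business logic only: no security checks live here. */
    public static class PayrollBean implements Payroll {
        private final Map<String, String> records = new HashMap<>();
        public String getEmployeeInfo(String id) { return records.getOrDefault(id, "(no record)"); }
        public void updateEmployeeInfo(String id, String info) { records.put(id, info); }
    }

    /** Caller context the container would supply; stands in for EJBContext. */
    public static final class Caller {
        final String principal; final Set<String> roles;
        Caller(String principal, String... roles) {
            this.principal = principal; this.roles = new HashSet<>(Arrays.asList(roles));
        }
        String getCallerPrincipal() { return principal; }
        boolean isCallerInRole(String role) { return roles.contains(role); }
    }

    /** Security proxy: same interface as the bean, but its only job is the per-method rules. */
    public static class PayrollSecurityProxy implements Payroll {
        private final Caller caller;
        PayrollSecurityProxy(Caller caller) { this.caller = caller; }

        public String getEmployeeInfo(String id) {
            // Rule depends on an argument and on the caller: an employee may read
            // only their own record; payroll-department may read anyone's.
            if (!(id.equals(caller.getCallerPrincipal()) || caller.isCallerInRole("payroll-department")))
                throw new SecurityException(caller.getCallerPrincipal() + " may not read record " + id);
            return null; // the proxy's return value is ignored; only the check matters
        }

        public void updateEmployeeInfo(String id, String info) {
            if (!caller.isCallerInRole("payroll-department"))
                throw new SecurityException(caller.getCallerPrincipal() + " may not update record " + id);
        }
    }

    /** The interceptor: invoke the security proxy first, then the bean. */
    public static Payroll secure(Payroll bean, Payroll securityProxy) {
        return (Payroll) Proxy.newProxyInstance(
            Payroll.class.getClassLoader(), new Class<?>[] { Payroll.class },
            (proxy, method, args) -> {
                try {
                    method.invoke(securityProxy, args);   // custom security logic
                } catch (InvocationTargetException e) {
                    throw e.getCause();                   // SecurityException halts the invocation
                }
                try {
                    return method.invoke(bean, args);     // business logic, reached only if allowed
                } catch (InvocationTargetException e) {
                    throw e.getCause();
                }
            });
    }

    public static void main(String[] args) {
        PayrollBean bean = new PayrollBean();   // one bean instance, two callers (assumed)
        Payroll asClerk = secure(bean, new PayrollSecurityProxy(new Caller("carol", "payroll-department")));
        Payroll asEmployee = secure(bean, new PayrollSecurityProxy(new Caller("alice", "employee")));

        asClerk.updateEmployeeInfo("alice", "salary grade 7");
        System.out.println("alice reads own record: " + asEmployee.getEmployeeInfo("alice"));
        try {
            asEmployee.getEmployeeInfo("bob");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
        try {
            asEmployee.updateEmployeeInfo("alice", "salary grade 9");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

<p>PayrollBean never learns who is calling, and PayrollSecurityProxy never touches a record: swapping the proxy for one with different rules, or for none, changes the security layer without recompiling the business logic, which is the separation the text argues for.</p>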
