0 Replies Latest reply on Oct 2, 2016 12:21 PM by 886274

    Local EJB security

    886274

      Hi,

       

      I have a RESTful web service

       

      @Path("/education")
      public class EducationRest {
          
          @EJB
          private EducationBean service;
          
          @GET
          @Path("/readAll")
          @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
          public List<EducationDTO> read() throws NamingException {
              return service.readAllEducations();
          }
      ...
      

       

      and web.xml security constraints

       

      ...
      <security-role>
          <role-name>admin</role-name>
      </security-role>
      <security-constraint>
          <web-resource-collection>
              <web-resource-name>Administrator permissions</web-resource-name>
              <url-pattern>/education/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
               <role-name>admin</role-name>
          </auth-constraint>
      </security-constraint>
      ...
      
      

       

      Do I have to specify security constraints again in the ejb-jar.xml for every local EJB, or can local beans be unchecked (@PermitAll)?

       

      @Stateless
      public class EducationBean {
        ...
        public List<EducationDTO> readAllEducations(){
          ...
        }
      }
      
      ...
      <assembly-descriptor>
                  <method-permission>
                      <role-name>admin</role-name>
                      <method>
                          <ejb-name>EducationBean</ejb-name>
                          <method-name>*</method-name>
                      </method>
                  </method-permission>
              </assembly-descriptor>
      ...
      

       

      Thank you,

      Dragan.