JBoss.org Community Documentation

Chapter 27. Introduction to Security and Transactions in EJB3

The EJB 3.0 specification has made the XML deployment descriptors optional. This tutorial goes over how to use the transaction and security annotations of EJB 3.0.

Transactions :

Using transactions is easy: annotate the bean class or an individual business method with @javax.ejb.TransactionAttribute. The javax.ejb.TransactionAttributeType enum lists every transaction attribute (REQUIRED, REQUIRES_NEW, MANDATORY, SUPPORTS, NOT_SUPPORTED and NEVER). A method with no attribute of its own inherits the class-level one, and REQUIRED is the default when neither is given. Here's an example for using the REQUIRES_NEW transaction type:

@javax.ejb.TransactionAttribute(javax.ejb.TransactionAttributeType.REQUIRES_NEW)
public int add(int x, int y) {
   return x + y;
}

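The snippet above only shows where the annotation goes. The following is an added example, not code from the tutorial, that shows why you would choose REQUIRES_NEW over the REQUIRED default: an audit record written in its own transaction survives a rollback of the caller's transaction. The Account and AuditEntry entities, the bean names and the persistence unit are assumptions made for this example.

```java
import javax.annotation.Resource;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.persistence.PersistenceContext;

// File: Account.java (hypothetical entity)
@Entity
public class Account {
    @Id private Long id;
    private long balance;
    public long getBalance() { return balance; }
    public void setBalance(long balance) { this.balance = balance; }
}

// File: AuditEntry.java (hypothetical entity)
@Entity
public class AuditEntry {
    @Id @GeneratedValue private Long id;
    private String message;
    protected AuditEntry() { }
    public AuditEntry(String message) { this.message = message; }
}

// File: AuditBean.java
@Stateless
public class AuditBean {
    @PersistenceContext private EntityManager em;

    // REQUIRES_NEW suspends the caller's transaction and runs this insert in a fresh
    // one that commits when record() returns, so the audit row survives even if the
    // caller later rolls back.
    @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
    public void record(String message) {
        em.persist(new AuditEntry(message));
    }
}

// File: TransferBean.java
@Stateless
@TransactionAttribute(TransactionAttributeType.REQUIRED)  // class-level default for all methods
public class TransferBean {
    @PersistenceContext private EntityManager em;
    @EJB private AuditBean audit;
    @Resource private SessionContext ctx;

    // Runs in the caller's transaction if there is one, otherwise in a new one (REQUIRED).
    public boolean transfer(long fromId, long toId, long amount) {
        audit.record("transfer " + amount + " from " + fromId + " to " + toId);

        Account from = em.find(Account.class, fromId);
        Account to = em.find(Account.class, toId);
        if (from == null || to == null) {
            // An unchecked exception thrown out of a business method marks the
            // transaction for rollback and reaches the client as an EJBException.
            throw new IllegalArgumentException("unknown account");
        }
        if (from.getBalance() < amount) {
            // Roll back the surrounding transaction without throwing; the audit row
            // written above has already been committed by its own transaction.
            ctx.setRollbackOnly();
            return false;
        }
        from.setBalance(from.getBalance() - amount);
        to.setBalance(to.getBalance() + amount);
        return true;
    }

    // Method-level override: MANDATORY refuses to run unless the caller already has
    // a transaction, throwing javax.ejb.EJBTransactionRequiredException otherwise.
    @TransactionAttribute(TransactionAttributeType.MANDATORY)
    public void credit(long accountId, long amount) {
        Account account = em.find(Account.class, accountId);
        if (account == null) {
            throw new IllegalArgumentException("unknown account");
        }
        account.setBalance(account.getBalance() + amount);
    }
}
```

The point to take away is that the attribute on the callee, not the caller, decides whether work is isolated from the caller's rollback; if AuditBean.record() used the REQUIRED default, the audit row would vanish together with the failed transfer.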

Security :

Take a look at org.jboss.tutorial.security.bean.CalculatorBean. @javax.annotation.security.RolesAllowed, @javax.annotation.security.PermitAll and @javax.annotation.security.DenyAll are the EJB 3.0 (JSR-250) security annotations. You can attach a method permission to any business method and define which roles are allowed to invoke that method; an annotation placed on the class applies to every method that does not override it. The @javax.annotation.security.RunAs annotation can also be applied at the class level so that the bean invokes other beans with a fixed role rather than the caller's. There is also an additional JBoss-specific annotation that you must supply at the class level, @org.jboss.ejb3.annotation.SecurityDomain. @SecurityDomain names the JAAS application-policy that JBoss uses to authenticate the caller and to authorize the call against the method permissions. See the JBoss Application Server documentation for more details. In this particular example, the "other" domain is used. The "other" domain is backed by the UsersRolesLoginModule, which reads users.properties and roles.properties files that contain cleartext user names, passwords, and user/role associations. That is convenient for a tutorial but not something to ship with real credentials. If you open the tutorial jar file you will see these two files in there.
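The bean below is an added example, not the tutorial's own CalculatorBean, written to match the behaviour of the run output further down (addition is unchecked, subtraction needs "student", division needs "teacher"). The business interface name, the method set, the reset() method and the contents of the two properties files are assumptions made for the example.

```java
// File: Calculator.java (remote business interface; no Home interface in EJB 3.0)
package org.jboss.tutorial.security.bean;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

@Remote
public interface Calculator {
    int add(int x, int y);
    int subtract(int x, int y);
    int divide(int x, int y);
    void reset();
}

// File: CalculatorBean.java
@Stateless
@SecurityDomain("other")   // JAAS application-policy "other": UsersRolesLoginModule backed by
                           // users.properties / roles.properties on the bean jar's classpath
@RolesAllowed("student")   // class-level default: every method not annotated below needs "student"
public class CalculatorBean implements Calculator {

    // Overrides the class default: no role check, but the caller must still authenticate
    // against the domain. A wrong password is rejected before this method runs.
    @PermitAll
    public int add(int x, int y) {
        return x + y;
    }

    // No annotation, so the class-level @RolesAllowed("student") applies.
    public int subtract(int x, int y) {
        return x - y;
    }

    // Method-level override: only callers holding the "teacher" role may divide.
    @RolesAllowed("teacher")
    public int divide(int x, int y) {
        if (y == 0) {
            throw new IllegalArgumentException("division by zero");
        }
        return x / y;
    }

    // Cannot be invoked by any client regardless of role; useful for methods the
    // interface must expose but that are only meant to be called internally.
    @DenyAll
    public void reset() {
    }
}

// users.properties (constructed sample for the "other" domain; cleartext, tutorial use only):
//   kabir=validpassword
// roles.properties:
//   kabir=student
```

Because the class-level @RolesAllowed is the fallback for every unannotated method, adding a new business method later cannot silently open it to everyone; the most it gets is the class default, and the method-level annotations document the exceptions.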

Client :

Open up org.jboss.tutorial.security.client.Client. You'll see that it looks up the stateless bean. Also notice that there is no Home interface, so you can begin invoking the stateless bean right away. The client uses JBoss's SecurityClient class to pass the user name and password:

import org.jboss.security.client.SecurityClient;
import org.jboss.security.client.SecurityClientFactory;

// Attach the user name and password to the EJB invocations that follow
SecurityClient securityClient = SecurityClientFactory.getSecurityClient();
securityClient.setSimple("kabir", "invalidpassword");
securityClient.login();   // declares javax.security.auth.login.LoginException


See the documentation of org.jboss.security.client.SecurityClient for more options.
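A complete client that exercises the authentication and authorization failures shown in the run output below, as an added example rather than the tutorial's own Client class. The JNDI name "CalculatorBean/remote", the Calculator interface and the password "validpassword" are assumptions; the jndi.properties file on the client classpath is assumed to point at the running server.

```java
package org.jboss.tutorial.security.client;

import javax.ejb.EJBAccessException;
import javax.naming.InitialContext;
import org.jboss.security.client.SecurityClient;
import org.jboss.security.client.SecurityClientFactory;
import org.jboss.tutorial.security.bean.Calculator;   // assumed remote business interface

public class Client {
    public static void main(String[] args) throws Exception {
        InitialContext ctx = new InitialContext();
        // Default JBoss AS 5 binding for a bean deployed in a plain jar: <ejb-name>/remote (assumed)
        Calculator calculator = (Calculator) ctx.lookup("CalculatorBean/remote");

        SecurityClient securityClient = SecurityClientFactory.getSecurityClient();

        // 1. Wrong password. login() does not talk to the server; the credential is
        //    checked on the first invocation, and even the @PermitAll add() is refused.
        securityClient.setSimple("kabir", "invalidpassword");
        securityClient.login();
        try {
            calculator.add(1, 1);
        } catch (EJBAccessException e) {
            System.out.println(e.getMessage());   // Authentication exception, principal=kabir
        } finally {
            securityClient.logout();
        }

        // 2. Correct password: authentication succeeds, then each method's role check applies.
        securityClient.setSimple("kabir", "validpassword");
        securityClient.login();
        try {
            System.out.println("1 + 1 = " + calculator.add(1, 1));        // @PermitAll
            try {
                calculator.divide(16, 4);                                  // needs "teacher"
            } catch (EJBAccessException e) {
                System.out.println(e.getMessage());   // Insufficient method permissions ...
            }
            System.out.println("1 - 1 = " + calculator.subtract(1, 1));   // "student" suffices
        } finally {
            securityClient.logout();
        }
    }
}
```

Two things worth noticing: the SecurityClient only attaches the principal and credential to outgoing invocations, so a bad password is reported by the server as an EJBAccessException on the first call rather than by login(); and the credential travels inside the remoting payload, which the default socket transport does not encrypt, so anything beyond a tutorial should run the EJB3 connector over SSL.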

Building and Running

From the command prompt, move to the "security" folder under EJB3_TUTORIAL_HOME (see Section 1.3, “Set the EJB3_TUTORIAL_HOME”).

Ant Users:

Make sure your JBossAS-5.x is running

$ ant
$ ant run

     [java] Kabir is a student.
     [java] Kabir types in the wrong password
     [java] Authentication exception, principal=kabir
     [java] Kabir types in correct password.
     [java] Kabir does unchecked addition.
     [java] 1 + 1 = 2
     [java] Kabir is not a teacher so he cannot do division
     [java] Insufficient method permissions, principal=kabir, interface=org.jboss.ejb3.EJBContainerInvocation, requiredRoles=[teacher], principalRoles=[student]
     [java] Students are allowed to do subtraction
     [java] 1 - 1 = 0


Maven Users: Make sure the AS is not running.

$ mvn clean install -PRunSingleTutorial


If you change a user's roles in roles.properties, you will have to restart the server, or flush the security cache, for the change to take effect. This is because by default JBoss caches the authenticated principal together with its roles in the JaasSecurityManager, and until that cache entry expires or is flushed, for example with the flushAuthenticationCache operation of the jboss.security:service=JaasSecurityManager MBean in the JMX console, the old roles are still used. The same caching applies in production: revoking a role or changing a password does not take effect for an already-cached principal until its entry is gone.