JBoss.org Community Documentation
The EJB 3.0 specification has made the XML deployment descriptors optional. This tutorial goes over how to use the transaction and security annotations of EJB 3.0.
Using transactions is easy: just use the javax.ejb.TransactionAttribute annotation.
The javax.ejb.TransactionAttributeType enum has every transactional type. Here's an example using the REQUIRES_NEW transaction type:

    @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
    public int add(int x, int y)
    {
       return x + y;
    }

Take a look at org.jboss.tutorial.security.bean.CalculatorBean. The @javax.annotation.security.RolesAllowed and @javax.annotation.security.PermitAll annotations are the EJB 3.0 security annotations. You can attach a method permission to any method and define which roles are allowed to invoke that method. The javax.ejb.RunAs annotation can also be applied at the class level. There is also an additional JBoss-specific annotation that you must supply at the class level: @org.jboss.ejb3.annotation.SecurityDomain.
The @SecurityDomain annotation specifies the JAAS application-policy name which will be used by JBoss to authenticate and authorize.
See the JBoss Application Server documentation for more details. In this particular example, the "other" domain is used.
The "other" domain corresponds to the users.properties and roles.properties files, which contain cleartext user, password, and user/role associations.
If you open the tutorial jar file you will see these two files in there.
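A simplified model of the method-permission check described above, added here as an illustration; it is not the tutorial's CalculatorBean or JBoss code. The nested annotations stand in for the javax.annotation.security ones so that it runs on a plain JDK, the `Calculator` class and its role assignments are assumptions inferred from the tutorial's run output, and the `user=role1,role2` line format is assumed for roles.properties.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;
public class MethodPermissionDemo {
    // Stand-ins for javax.annotation.security.RolesAllowed / PermitAll so this runs on a bare JDK.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RolesAllowed { String[] value(); }
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface PermitAll {}

    // Hypothetical bean shaped after the tutorial's run output (not the real CalculatorBean).
    static class Calculator {
        @PermitAll public int add(int x, int y) { return x + y; }
        @RolesAllowed("student") public int subtract(int x, int y) { return x - y; }
        @RolesAllowed("teacher") public int divide(int x, int y) { return x / y; }
    }

    // Parses roles.properties-style lines of the form user=role1,role2 (comments start with #).
    static Map<String, Set<String>> parseRoles(String text) {
        Map<String, Set<String>> roles = new HashMap<>();
        for (String line : text.split("\n")) {
            int eq = line.indexOf('=');
            if (line.trim().startsWith("#") || eq < 0) continue;
            Set<String> set = new TreeSet<>();
            for (String r : line.substring(eq + 1).split(","))
                if (!r.trim().isEmpty()) set.add(r.trim());
            roles.put(line.substring(0, eq).trim(), set);
        }
        return roles;
    }

    // Allowed if the method is @PermitAll or the caller holds at least one required role.
    static boolean isAllowed(Method m, Set<String> principalRoles) {
        if (m.isAnnotationPresent(PermitAll.class)) return true;
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        if (ra == null) return false; // this model fails closed; not a claim about JBoss defaults
        return Arrays.stream(ra.value()).anyMatch(principalRoles::contains);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample content, not the tutorial's roles.properties.
        Map<String, Set<String>> roles = parseRoles("# user=roles\nkabir=student\n");
        Set<String> kabir = roles.getOrDefault("kabir", Collections.emptySet());
        for (String name : new String[] {"add", "subtract", "divide"}) {
            Method m = Calculator.class.getMethod(name, int.class, int.class);
            System.out.println(name + ": " + (isAllowed(m, kabir) ? "allowed" : "denied") + " for " + kabir);
        }
    }
}
```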
Open up org.jboss.tutorial.security.client.Client. You'll see that it looks up the stateless bean.
Also notice that there is no Home interface and you can begin executing on the stateless bean right away.
The client uses JBoss's SecurityClient class to pass the user name and password:

    import org.jboss.security.client.SecurityClient;
    import org.jboss.security.client.SecurityClientFactory;

    SecurityClient securityClient = SecurityClientFactory.getSecurityClient();
    securityClient.setSimple("kabir", "invalidpassword");
    securityClient.login();

See the documentation of org.jboss.security.client.SecurityClient for more options.
To build and run the example, make sure you have installed JBoss 5.x. See Section 1.1, “JBoss Application Server 5.x” for details.
From the command prompt, move to the "security" folder under the directory from Section 1.3, “Set the EJB3_TUTORIAL_HOME”.
Make sure your JBossAS-5.x is running.

    $ ant
    $ ant run

    run:
         [java] Kabir is a student.
         [java] Kabir types in the wrong password
         [java] Authentication exception, principal=kabir
         [java] Kabir types in correct password.
         [java] Kabir does unchecked addition.
         [java] 1 + 1 = 2
         [java] Kabir is not a teacher so he cannot do division
         [java] Insufficient method permissions, principal=kabir, interface=org.jboss.ejb3.EJBContainerInvocation, requiredRoles=[teacher], principalRoles=[student]
         [java] Students are allowed to do subtraction
         [java] 1 - 1 = 0

$ mvn clean install
If you want to change the roles for a user through roles.properties, you will have to restart the server for the role changes to take effect. This is because, by default, JBoss caches the roles for a user, and until the cache is flushed, either through this configuration or through a server restart, the changes won't take effect.