EJB 3.1 Cookbook
Build real world EJB solutions with a collection of simple but incredibly effective recipes with this book and eBook
The recipes in this article are based largely around a conference registration application as developed in the first recipe of the previous article on Introduction to Interceptors. It will be necessary to create this application before the other recipes in this article can be demonstrated.
Using interceptors to enforce security
While security is an important aspect of many applications, the use of programmatic security can clutter up business logic. The use of declarative annotations has come a long way in making security easier to use and less intrusive. However, there are still times when programmatic security is necessary. When it is, then the use of interceptors can help remove the security code from the business logic.
Getting ready
The process for using an interceptor to enforce security involves:
- Configuring and enabling security for the application server
- Adding a @DeclareRoles to the target class and the interceptor class
- Creating a security interceptor
How to do it…
Configure the application to handle security as detailed in Configuring the server to handle security recipe. Add the @DeclareRoles(“employee”) to the RegistrationManager class.
Add a SecurityInterceptor class to the packt package. Inject a SessionContext object into the class. We will use this object to perform programmatic security. Also use the @DeclareRoles annotation.
Next, add an interceptor method, verifyAccess, to the class. Use the SessionContext object and its isCallerInRole method to determine if the user is in the “employee” role. If so, invoke the proceed method and display a message to that effect. Otherwise, throw an EJBAccessException.
@DeclareRoles(“employee”)
public class SecurityInterceptor {
@Resource
private SessionContext sessionContext;
@AroundInvoke
public Object verifyAccess(InvocationContext context) throws
Exception {
System.out.println(“SecurityInterceptor: Invoking method: ” +
context.getMethod().getName());
if (sessionContext.isCallerInRole(“employee”)) {
Object result = context.proceed();
System.out.println(“SecurityInterceptor: Returned from method: ”
+ context.getMethod().getName());
return result;
} else {
throw new EJBAccessException();
}
}
}
Execute the application. The user should be prompted for a username and password as shown in the following screenshot. Provide a user in the employee role.
The application should execute to completion.
Depending on the interceptors in place, you will console output similar to the following:
INFO: Default Interceptor: Invoking method: register
INFO: SimpleInterceptor entered: register
INFO: SecurityInterceptor: Invoking method: register
INFO: InternalMethod: Invoking method: register
INFO: register
INFO: Default Interceptor: Invoking method: create
INFO: Default Interceptor: Returned from method: create
INFO: InternalMethod: Returned from method: register
INFO: SecurityInterceptor: Returned from method: register
INFO: SimpleInterceptor exited: register
INFO: Default Interceptor: Returned from method: register
How it works…
The @DeclareRoles annotation was used to specify that users in the employee role are associated with the class. The isCallerInRole method checked to see if the current user is in the employee role. When the target method is called, if the user is authorized then the InterceptorContext‘s proceed method is executed. If the user is not authorized, then the target method is not invoked and an exception is thrown.
See also
