SCBCD Study Notes : Chapter 14 Security Management (Part 4)
These study notes and resources cover the fourth part of Chapter 14, Security Management, as part of preparation for the Sun Certified Business Component Developer exam CX-310-090.
Given a security-related deployment descriptor tag, identify correct and incorrect statements and code related to that tag.
The following example illustrates security role definitions (made by the Application Assembler) in a deployment descriptor:
<assembly-descriptor>
  <security-role>
    <description>
      This role includes the employees of the
      enterprise who are allowed to access the
      employee self-service application. This role
      is allowed only to access his/her own
      information.
    </description>
    <role-name>employee</role-name>
  </security-role>
  <security-role>
    <description>
      This role includes the employees of the human
      resources department. The role is allowed to
      view and update all employee records.
    </description>
    <role-name>hr-department</role-name>
  </security-role>
  <security-role>
    <description>
      This role includes the employees of the payroll
      department. The role is allowed to view and
      update the payroll entry for any employee.
    </description>
    <role-name>payroll-department</role-name>
  </security-role>
  <security-role>
    <description>
      This role should be assigned to the personnel
      authorized to perform administrative functions
      for the employee self-service application.
      This role does not have direct access to
      sensitive employee and payroll information.
    </description>
    <role-name>admin</role-name>
  </security-role>
</assembly-descriptor>
The following example illustrates how an enterprise bean's references to security roles are declared in the deployment descriptor (by the Bean Provider):
<enterprise-beans>
  ...
  <entity>
    <ejb-name>AardvarkPayroll</ejb-name>
    <ejb-class>com.aardvark.payroll.PayrollBean</ejb-class>
    ...
    <security-role-ref>
      <description>
        This security role should be assigned to the
        employees of the payroll department who are
        allowed to update employees' salaries.
      </description>
      <role-name>payroll</role-name>
    </security-role-ref>
    ...
  </entity>
  ...
</enterprise-beans>
The deployment descriptor above indicates that the enterprise bean AardvarkPayroll performs a programmatic security check by calling isCallerInRole("payroll") in its business methods.
The following deployment descriptor example shows how the Application Assembler links the security role reference named payroll to the security role named payroll-department:
<entity>
  <ejb-name>AardvarkPayroll</ejb-name>
  <ejb-class>com.aardvark.payroll.PayrollBean</ejb-class>
  ...
  <security-role-ref>
    <description>
      This role should be assigned to the
      employees of the payroll department.
      Members of this role have access to
      anyone's payroll record.
      The role has been linked to the
      payroll-department role.
    </description>
    <role-name>payroll</role-name>
    <role-link>payroll-department</role-link>
  </security-role-ref>
  ...
</entity>
The following example illustrates how the Application Assembler assigns method permissions to security roles in the deployment descriptor:
<assembly-descriptor>
  <method-permission>
    <role-name>employee</role-name>
    <method>
      <ejb-name>EmployeeService</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>
  <method-permission>
    <role-name>employee</role-name>
    <method>
      <ejb-name>AardvarkPayroll</ejb-name>
      <method-name>findByPrimaryKey</method-name>
    </method>
    <method>
      <ejb-name>AardvarkPayroll</ejb-name>
      <method-name>getEmployeeInfo</method-name>
    </method>
    <method>
      <ejb-name>AardvarkPayroll</ejb-name>
      <method-name>updateEmployeeInfo</method-name>
    </method>
  </method-permission>
  <method-permission>
    <role-name>payroll-department</role-name>
    <method>
      <ejb-name>AardvarkPayroll</ejb-name>
      <method-name>findByPrimaryKey</method-name>
    </method>
    <method>
      <ejb-name>AardvarkPayroll</ejb-name>
      <method-name>getEmployeeInfo</method-name>
    </method>
    <method>
      <ejb-name>AardvarkPayroll</ejb-name>
      <method-name>updateEmployeeInfo</method-name>
    </method>
    <method>
      <ejb-name>AardvarkPayroll</ejb-name>
      <method-name>updateSalary</method-name>
    </method>
  </method-permission>
  <method-permission>
    <role-name>admin</role-name>
    <method>
      <ejb-name>EmployeeServiceAdmin</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
The following example illustrates the definition of a security identity (the security-identity element) in the deployment descriptor (by the Application Assembler):
<enterprise-beans>
  <entity>
    <ejb-name>Account</ejb-name>
    ...
    <security-identity>
      <description>security description</description>
      <run-as>
        <description>role 'accountRole' description</description>
        <role-name>accountRole</role-name>
      </run-as>
    </security-identity>
  </entity>
  <entity>
    <ejb-name>Customer</ejb-name>
    ...
    <security-identity>
      <use-caller-identity/>
    </security-identity>
  </entity>
</enterprise-beans>
NOTE: use-caller-identity cannot be used for message-driven beans, because a message-driven bean has no client caller identity to propagate; such a bean must use run-as if it needs a security identity.
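As an added example (not part of the original study notes), the following Python check reads a constructed ejb-jar.xml fragment and verifies the consistency rules that the elements above imply: every role-link in a security-role-ref names a declared security-role, every role-name in a method-permission is declared, and no message-driven bean uses use-caller-identity. The bean name PayrollListener and the undeclared hr-department permission in the sample are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample ejb-jar.xml (not the page's descriptor): the entity bean is
# consistent, the message-driven bean and one method-permission are deliberately wrong.
EJB_JAR_XML = """<ejb-jar><enterprise-beans>
 <entity><ejb-name>AardvarkPayroll</ejb-name>
  <security-role-ref><role-name>payroll</role-name>
   <role-link>payroll-department</role-link></security-role-ref>
  <security-identity><use-caller-identity/></security-identity></entity>
 <message-driven><ejb-name>PayrollListener</ejb-name>
  <security-identity><use-caller-identity/></security-identity></message-driven>
</enterprise-beans><assembly-descriptor>
 <security-role><role-name>employee</role-name></security-role>
 <security-role><role-name>payroll-department</role-name></security-role>
 <method-permission><role-name>hr-department</role-name>
  <method><ejb-name>AardvarkPayroll</ejb-name><method-name>*</method-name></method>
 </method-permission>
</assembly-descriptor></ejb-jar>"""


def check_descriptor(xml_text):
    """Return a list of consistency problems found in an ejb-jar.xml string."""
    root = ET.fromstring(xml_text)
    # Roles the Application Assembler declared in the assembly-descriptor.
    declared = {r.findtext("role-name") for r in root.iter("security-role")}
    problems = []
    for bean in root.find("enterprise-beans"):
        name = bean.findtext("ejb-name")
        # Each role-name the Bean Provider passes to isCallerInRole() must be linked
        # to a declared role; an unlinked or dangling link makes the check useless.
        for ref in bean.iter("security-role-ref"):
            link = ref.findtext("role-link")
            if link is None:
                problems.append(f"{name}: role-ref '{ref.findtext('role-name')}' has no role-link")
            elif link not in declared:
                problems.append(f"{name}: role-link '{link}' is not a declared security-role")
        # A message-driven bean has no caller, so use-caller-identity is not allowed.
        if bean.tag == "message-driven" and bean.find("security-identity/use-caller-identity") is not None:
            problems.append(f"{name}: message-driven bean cannot use use-caller-identity")
    # A method-permission granted to an undeclared role can never match any caller.
    for perm in root.iter("method-permission"):
        for rn in perm.findall("role-name"):
            if rn.text not in declared:
                problems.append(f"method-permission: role '{rn.text}' is not a declared security-role")
    return problems


if __name__ == "__main__":
    for problem in check_descriptor(EJB_JAR_XML):
        print(problem)
```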
________________
Author: Mikalai Zaikin. Visit the author's site for updates and changes to these study notes.