Component's Propagated Security Identity

Configuring a Component's Propagated Security Identity
You can configure an enterprise bean's run-as, or propagated, security identity using either of
the following:
The @RunAs annotation
The following example illustrates the definition of a run-as identity using annotations:
    @RunAs("admin")
    @Stateless
    public class EmployeeServiceBean implements EmployeeService {
        ...
    }
The role-name element of the run-as application deployment descriptor element (web.xml,
ejb-jar.xml)
The following example illustrates the definition of a run-as identity using deployment
descriptor elements:
    ...
    <enterprise-beans>
        ...
        <session>
            <ejb-name>EmployeeService</ejb-name>
            ...
            <security-identity>
                <run-as>
                    <role-name>admin</role-name>
                </run-as>
            </security-identity>
            ...
        </session>
        ...
    </enterprise-beans>
    ...
Alternatively, you can use the use-caller-identity element to indicate that you want to use the
identity of the original caller, as shown in the code below:
    <security-identity>
        <use-caller-identity />
    </security-identity>
You must explicitly map the run-as role name to a given principal in sun-web.xml
or sun-ejb-jar.xml if the given role is associated with more than one user principal.
More detail about the elements contained in deployment descriptors is available in the Sun Java
System Application Server 9.1 Application Deployment Guide.
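
An added example, not code from the tutorial: a Python check that applies the mapping rule above to a pair of descriptors and flags beans whose run-as role maps to more than one principal with no per-bean principal chosen. The descriptors are constructed samples, and the sun-ejb-jar.xml layout used here (security-role-mapping, and principal/name under ejb) is assumed to follow the Application Deployment Guide.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not from the tutorial).
EJB_JAR = """<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee"><enterprise-beans>
 <session><ejb-name>EmployeeService</ejb-name>
  <security-identity><run-as><role-name>admin</role-name></run-as></security-identity></session>
 <session><ejb-name>PayrollService</ejb-name>
  <security-identity><run-as><role-name>admin</role-name></run-as></security-identity></session>
 <session><ejb-name>ReportService</ejb-name>
  <security-identity><use-caller-identity/></security-identity></session>
</enterprise-beans></ejb-jar>"""
SUN_EJB_JAR = """<sun-ejb-jar>
 <security-role-mapping><role-name>admin</role-name>
  <principal-name>alice</principal-name><principal-name>bob</principal-name>
 </security-role-mapping>
 <enterprise-beans><ejb><ejb-name>PayrollService</ejb-name>
  <principal><name>alice</name></principal></ejb></enterprise-beans>
</sun-ejb-jar>"""

def _all(node, *names):
    """Descendants matching any local name, ignoring XML namespaces."""
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] in names]

def _text(node, name):
    hits = _all(node, name)
    return (hits[0].text or "").strip() if hits else None

def audit_run_as(ejb_jar_xml, sun_ejb_jar_xml):
    """Map each bean name to (identity, role, run-as principal, status)."""
    sun = ET.fromstring(sun_ejb_jar_xml)
    mapped = {_text(m, "role-name"): [(p.text or "").strip() for p in _all(m, "principal-name")]
              for m in _all(sun, "security-role-mapping")}
    explicit = {_text(e, "ejb-name"): _text(p, "name")
                for e in _all(sun, "ejb") for p in _all(e, "principal")}
    report = {}
    for bean in _all(ET.fromstring(ejb_jar_xml), "session", "entity", "message-driven"):
        name, run_as = _text(bean, "ejb-name"), _all(bean, "run-as")
        if not run_as:  # use-caller-identity, or nothing configured
            report[name] = ("caller", None, None, "ok")
            continue
        role, principal = _text(run_as[0], "role-name"), explicit.get(name)
        ambiguous = principal is None and len(mapped.get(role, [])) > 1
        report[name] = ("run-as", role, principal, "ambiguous" if ambiguous else "ok")
    return report

if __name__ == "__main__":
    for bean, finding in audit_run_as(EJB_JAR, SUN_EJB_JAR).items():
        print(bean, finding)
```

A bean reported as ambiguous runs as a role that several users hold, so the descriptors alone do not say which principal is propagated to the components it calls.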
Securing Enterprise Beans
The Java EE 5 Tutorial · September 2007