
Specifying Security Roles Using Annotations


A security role reference, including the name defined by the reference, is scoped to the
component whose class contains the @DeclareRoles annotation or whose deployment
descriptor element contains the security-role-ref deployment descriptor element.

You can also use security-role-ref elements for references that were declared in
annotations and that you want to link to a security-role whose name differs from the
reference value. If a security role reference is not linked to a security role in this way, the
container must map the reference name to the security role of the same name. See
"Declaring and Linking Role References" on page 846 for a description of how security role
references are linked to security roles.

For an example using each of these methods, read the following sections:
    "Specifying Security Roles Using Annotations" on page 842
    "Specifying Security Roles Using Deployment Descriptor Elements" on page 843

Specifying Security Roles Using Annotations

Annotations are the best way to define security roles on a class or a method. The
@DeclareRoles annotation is used to define the security roles that comprise the security
model of the application. This annotation is specified on a class, and it typically would be
used to define roles that could be tested (for example, by calling isUserInRole) from within
the methods of the annotated class.
Following is an example of how this annotation would be used. In this example, employee is the
only security role specified, but the value of this parameter can include a list of security roles
specified by the application.
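    import javax.annotation.security.DeclareRoles;

    // Declares "employee" as a security role used by this class.
    @DeclareRoles("employee")
    public class CalculatorServlet {
        //...
    }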
Specifying @DeclareRoles("employee") is equivalent to defining the following in the web.xml:
    <security-role>
        <role-name>employee</role-name>
    </security-role>
This annotation is not used to link application roles to other roles. When such linking is
necessary, it is accomplished by defining an appropriate security-role-ref in the associated
deployment descriptor, as described in "Declaring and Linking Role References" on page 846.
When a call is made to isUserInRole from the annotated class, the caller identity associated
with the invocation of the class is tested for membership in the role with the same name as the
argument to isUserInRole. If a security-role-ref has been defined for the argument
role-name, the caller is tested for membership in the role mapped to the role-name.
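
The following servlet is an added example, not code from the tutorial. It shows both
isUserInRole outcomes described above: an unlinked reference and a linked one. The "manager"
reference, the "dept-admin" role, the extends HttpServlet clause, and the web.xml fragment in
the comment are assumptions made for illustration.

```java
import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Role references tested by this servlet. "employee" comes from the tutorial;
// "manager" is an assumed second reference added for illustration.
@DeclareRoles({"employee", "manager"})
public class CalculatorServlet extends HttpServlet {

    /*
     * Assumed web.xml fragment, placed inside this servlet's <servlet> element.
     * It links the reference "manager" to a differently named security role
     * ("dept-admin", a constructed name that must itself be declared in a
     * <security-role> element). "employee" has no link, so the container maps
     * it to the security role of the same name.
     *
     *   <security-role-ref>
     *       <role-name>manager</role-name>
     *       <role-link>dept-admin</role-link>
     *   </security-role-ref>
     */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // isUserInRole returns false for an unauthenticated caller, so testing
        // the role before doing any work denies access by default.
        if (!req.isUserInRole("employee")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Because of the role link above, this call tests membership in
        // "dept-admin", not in a role literally named "manager".
        boolean canAudit = req.isUserInRole("manager");
        resp.setContentType("text/plain");
        resp.getWriter().println("calculator available; audit access: " + canAudit);
    }
}
```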
Working with Security Roles
The Java EE 5 Tutorial · September 2007
842