
Using the RunAs Annotation


    @DeclareRoles("BusinessAdmin")
    public class CalculatorServlet {
        //...
    }

Specifying @DeclareRoles("BusinessAdmin") is equivalent to defining the following in web.xml:

    <web-app>
        <security-role>
            <role-name>BusinessAdmin</role-name>
        </security-role>
    </web-app>

The syntax for declaring more than one role is as shown in the following example:

    @DeclareRoles({"Administrator", "Manager", "Employee"})

This annotation is not used to link application roles to other roles. When such linking is necessary, it is accomplished by defining an appropriate security-role-ref in the associated deployment descriptor, as described in "Declaring and Linking Role References" on page 846.

When a call is made to isUserInRole from the annotated class, the caller identity associated with the invocation of the class is tested for membership in the role with the same name as the argument to isUserInRole. If a security-role-ref has been defined for the argument role-name, the caller is tested for membership in the role mapped to the role-name.

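The lookup order described above, written out as a small stand-alone model. This is an added example, not code from the tutorial or from any container: the class RoleCheck, the role reference name "boss" and the caller's role set are hypothetical, and the rule that an undeclared name never matches is a simplifying assumption of the model.

```java
import java.util.*;

// Simplified model of how an isUserInRole argument is resolved.
// RoleCheck and its fields are hypothetical names, not Servlet API classes.
public class RoleCheck {
    private final Set<String> declaredRoles;     // from @DeclareRoles / <security-role>
    private final Map<String, String> roleRefs;  // security-role-ref: role-name -> role-link

    RoleCheck(Set<String> declaredRoles, Map<String, String> roleRefs) {
        // Reject a reference that links to a role the application never declared,
        // so a descriptor typo fails at start-up instead of silently denying access.
        for (Map.Entry<String, String> e : roleRefs.entrySet()) {
            if (!declaredRoles.contains(e.getValue())) {
                throw new IllegalArgumentException("role-link '" + e.getValue()
                        + "' for '" + e.getKey() + "' is not a declared security role");
            }
        }
        this.declaredRoles = declaredRoles;
        this.roleRefs = roleRefs;
    }

    // callerRoles: roles granted to the authenticated caller (constructed input).
    boolean isUserInRole(Set<String> callerRoles, String argument) {
        // If a security-role-ref exists for the argument, test the linked role;
        // otherwise test the role with the same name as the argument.
        String effective = roleRefs.getOrDefault(argument, argument);
        // Assumption of this model: a name that is not declared never matches.
        return declaredRoles.contains(effective) && callerRoles.contains(effective);
    }

    public static void main(String[] args) {
        Set<String> declared =
                new HashSet<>(Arrays.asList("Administrator", "Manager", "Employee"));
        Map<String, String> refs = new HashMap<>();
        refs.put("boss", "Manager"); // code asks for "boss"; descriptor links it to Manager
        RoleCheck check = new RoleCheck(declared, refs);

        Set<String> caller = new HashSet<>(Arrays.asList("Manager"));
        System.out.println(check.isUserInRole(caller, "boss"));          // resolved through the reference
        System.out.println(check.isUserInRole(caller, "Manager"));       // same-name test
        System.out.println(check.isUserInRole(caller, "Administrator")); // declared, caller lacks it
        System.out.println(check.isUserInRole(caller, "manager"));       // different case, not declared
    }
}
```
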
For further details on the @DeclareRoles annotation, refer to JSR-250, Common Annotations for the Java Platform (http://www.jcp.org/en/jsr/detail?id=250), and "Using Enterprise Bean Security Annotations" on page 815 in this tutorial.

Using the @RunAs Annotation
The @RunAs annotation defines the role of the application during execution in a Java EE container. It can be specified on a class, allowing developers to execute an application under a particular role. The role must map to the user/group information in the container's security realm. The value element in the annotation is the name of a security role of the application during execution in a Java EE container. The use of the @RunAs annotation is discussed in more detail in "Propagating Security Identity" on page 812.

The following is an example that uses the @RunAs annotation:
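    import javax.annotation.security.RunAs;
    import javax.ejb.EJB;
    import javax.servlet.http.*;

    // The servlet executes under the Admin role declared by @RunAs
    @RunAs("Admin")
    public class CalculatorServlet {
        @EJB private ShoppingCart myCart;
        public void doGet(HttpServletRequest req, HttpServletResponse res) {
            //....
        }
    }
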
Defining Security Requirements for Web Applications
The Java EE 5 Tutorial · September 2007
850