Use EJB Security Annotations


You can use either XML descriptors or annotations to control which security roles are able to call methods in your Enterprise JavaBeans (EJBs). For information on using XML descriptors, refer to Section, “Use EJB Method Permissions”.

Annotations for Controlling Security Permissions of EJBs

Use @DeclareRoles to define which security roles to check permissions against. If no @DeclareRoles is present, the list is built automatically from the @RolesAllowed annotation.
Specifies the security domain to use for the EJB. If the EJB is annotated for authorization with @RolesAllowed, authorization will only apply if the EJB is annotated with a security domain.
@RolesAllowed, @PermitAll, @DenyAll
Use @RolesAllowed to list which roles are allowed to access a method or methods. Use @PermitAll or @DenyAll to either permit or deny all roles from using a method or methods.
Use @RunAs to specify a role a method will always be run as.

Example 15.10. Security Annotations Example

public class WelcomeEJB implements Welcome {
	public String WelcomeEveryone(String msg) {
		return "Welcome to " + msg;
	public String GoodBye(String msg) {
	    return "Goodbye, " + msg;
	public String GoodbyeAdmin(String msg) {
		return "See you later, " + msg;
In this code, all roles can access method WelcomeEveryone. The GoodBye method uses the tempemployee role when making calls. Only the admin role can access method GoodbyeAdmin, and any other methods with no security annotation.