11.2. EJB Application Security
11.2.1. Security Identity
11.2.1.1. About EJB Security Identity
An EJB can specify an identity to use when invoking methods on other components. This is the EJB's security identity (also known as invocation identity).
By default, the EJB uses its own caller identity. The identity can alternatively be set to a specific security role. Using specific security roles is useful when you want to construct a segmented security model - for example, restricting access to a set of components to internal EJBs only.
11.2.1.2. Set the Security Identity of an EJB
The security identity of the EJB is specified through the <security-identity> tag in the security configuration.
By default - if no <security-identity> tag is present - the EJB's own caller identity is used.
Example 11.3. Set the security identity of an EJB to be the same as its caller
This example sets the security identity for method invocations made by an EJB to be the same as the current caller's identity. This behavior is the default if you do not specify a <security-identity> element declaration.
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>ASessionBean</ejb-name>
      <!-- ... -->
      <security-identity>
        <use-caller-identity/>
      </security-identity>
    </session>
    <!-- ... -->
  </enterprise-beans>
</ejb-jar>
Example 11.4. Set the security identity of an EJB to a specific role
To set the security identity to a specific role, use the <run-as> and <role-name> tags inside the <security-identity> tag.
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>RunAsBean</ejb-name>
      <!-- ... -->
      <security-identity>
        <run-as>
          <description>A private internal role</description>
          <role-name>InternalRole</role-name>
        </run-as>
      </security-identity>
    </session>
  </enterprise-beans>
  <!-- ... -->
</ejb-jar>
By default, when you use <run-as>, a principal named anonymous is assigned to outgoing calls. To assign a different principal, use the <run-as-principal> element.
<session>
  <ejb-name>RunAsBean</ejb-name>
  <security-identity>
    <run-as-principal>internal</run-as-principal>
  </security-identity>
</session>
Note
You can also use the <run-as> and <run-as-principal> elements inside a servlet element.
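The following Python script is an added example, not part of the original documentation: it reads one or more descriptors and reports, for each bean, the identity used on outgoing calls, which is useful when reviewing which beans run under a role such as InternalRole. Passing the <run-as-principal> fragment as a separate input, the function names and the sample XML are assumptions of this example.

```python
import xml.etree.ElementTree as ET

BEAN_TAGS = {"session", "entity", "message-driven"}

def _local(tag):
    # Drop any "{namespace}" prefix so namespaced descriptors match too.
    return tag.rsplit("}", 1)[-1]

def _text(parent, name):
    # Text of the first descendant element called `name`, or None.
    for el in parent.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return None

def security_identities(*descriptors):
    """Map each ejb-name to its outgoing identity, merged over all inputs."""
    beans = {}
    for xml_text in descriptors:
        for bean in ET.fromstring(xml_text).iter():
            if _local(bean.tag) not in BEAN_TAGS:
                continue
            info = beans.setdefault(_text(bean, "ejb-name"),
                                    {"mode": "caller", "role": None, "principal": None})
            ident = next((e for e in bean if _local(e.tag) == "security-identity"), None)
            if ident is None:
                continue  # no <security-identity>: caller identity (the default)
            role = _text(ident, "role-name")
            if role:
                info.update(mode="run-as", role=role)
            info["principal"] = _text(ident, "run-as-principal") or info["principal"]
    for info in beans.values():
        # <run-as> without <run-as-principal>: outgoing calls use "anonymous".
        if info["mode"] == "run-as" and not info["principal"]:
            info["principal"] = "anonymous"
    return beans

# Constructed sample input, modelled on Examples 11.3 and 11.4.
SAMPLE = """<ejb-jar><enterprise-beans>
  <session><ejb-name>ASessionBean</ejb-name>
    <security-identity><use-caller-identity/></security-identity></session>
  <session><ejb-name>RunAsBean</ejb-name>
    <security-identity><run-as><role-name>InternalRole</role-name></run-as>
    </security-identity></session>
</enterprise-beans></ejb-jar>"""

if __name__ == "__main__":
    for name, info in security_identities(SAMPLE).items():
        print(name, info)
```

Run it only against descriptors from your own build: xml.etree.ElementTree is not hardened against maliciously constructed XML.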