13.4. EJB Application Security
13.4.1. Security Identity
13.4.1.1. About EJB Security Identity
The security identity, which is also known as the invocation identity, refers to the <security-identity> tag in the security configuration. It refers to the identity another EJB must use when it invokes methods on components.
The invocation identity can be either the current caller, or it can be a specific role. In the first case, the <use-caller-identity> tag is present, and in the second case, the <run-as> tag is used.
For information about setting the security identity of an EJB, refer to Section 13.4.1.2, “Set the Security Identity of an EJB”.
13.4.1.2. Set the Security Identity of an EJB
Example 13.4. Set the security identity of an EJB to be the same as its caller
This example sets the security identity for method invocations made by an EJB to be the same as the current caller's identity. This behavior is the default if you do not specify a <security-identity> element declaration.
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>ASessionBean</ejb-name>
      <!-- ... -->
      <security-identity>
        <use-caller-identity/>
      </security-identity>
    </session>
    <!-- ... -->
  </enterprise-beans>
</ejb-jar>
Example 13.5. Set the security identity of an EJB to a specific role
To set the security identity to a specific role, use the <run-as> or <role> tags inside the <security-identity> tag.
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>RunAsBean</ejb-name>
      <!-- ... -->
      <security-identity>
        <run-as>
          <description>A private internal role</description>
          <role-name>InternalRole</role-name>
        </run-as>
      </security-identity>
    </session>
  </enterprise-beans>
  <!-- ... -->
</ejb-jar>
By default, when you use <run-as>, a principal named anonymous is assigned to outgoing calls. To assign a different principal, use the <run-as-principal> element.
<session>
  <ejb-name>RunAsBean</ejb-name>
  <security-identity>
    <run-as-principal>internal</run-as-principal>
  </security-identity>
</session>
Note
You can also use the <run-as> and <run-as-principal> elements inside a servlet element.
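The following is an added example, not part of the Red Hat documentation: a Python review check that reads descriptors shaped like the ones above and reports the identity each bean uses for outgoing calls, so that <run-as> beans still using the default anonymous principal stand out. The descriptor contents are constructed, BatchBean and PlainBean are hypothetical, and the <run-as-principal> fragment is assumed to have the shape shown above.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors modelled on the examples above; BatchBean and PlainBean are hypothetical.
EJB_JAR = """<ejb-jar><enterprise-beans>
  <session><ejb-name>ASessionBean</ejb-name>
    <security-identity><use-caller-identity/></security-identity></session>
  <session><ejb-name>RunAsBean</ejb-name>
    <security-identity><run-as><role-name>InternalRole</role-name></run-as></security-identity></session>
  <session><ejb-name>BatchBean</ejb-name>
    <security-identity><run-as><role-name>InternalRole</role-name></run-as></security-identity></session>
  <session><ejb-name>PlainBean</ejb-name></session>
</enterprise-beans></ejb-jar>"""
PRINCIPALS = """<session><ejb-name>RunAsBean</ejb-name>
  <security-identity><run-as-principal>internal</run-as-principal></security-identity></session>"""

def local(tag):
    """Drop any XML namespace so namespaced descriptors match too."""
    return tag.rsplit("}", 1)[-1]

def find(elem, name):
    """Return the first descendant of elem whose local name is `name`, else None."""
    return next((e for e in elem.iter() if e is not elem and local(e.tag) == name), None)

def beans(xml_text):
    """Yield (ejb-name, bean element) for each element that has an <ejb-name> child."""
    for parent in ET.fromstring(xml_text).iter():
        for child in parent:
            if local(child.tag) == "ejb-name":
                yield (child.text or "").strip(), parent

def audit(ejb_jar_xml, principal_xml=None):
    """Map each bean name to the (mode, role, principal) used for its outgoing calls."""
    overrides, report = {}, {}
    for name, bean in beans(principal_xml) if principal_xml else ():
        principal = find(bean, "run-as-principal")
        if principal is not None:
            overrides[name] = (principal.text or "").strip()
    for name, bean in beans(ejb_jar_xml):
        run_as = find(bean, "run-as")
        if run_as is None:  # <use-caller-identity/> or no <security-identity> at all
            report[name] = ("caller", None, None)
        else:  # principal is "anonymous" unless a <run-as-principal> overrides it
            role = find(run_as, "role-name")
            role = (role.text or "").strip() if role is not None else None
            report[name] = ("run-as", role, overrides.get(name, "anonymous"))
    return report

if __name__ == "__main__":
    print(audit(EJB_JAR, PRINCIPALS))
```

In the report, BatchBean is the entry to review: it runs as InternalRole but its outgoing calls carry the anonymous principal.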