Declarative security
Security view
set of roles
semantic grouping of permissions
each have method permissions
logic roles, representing a type of user
Method permission
Can be specified on class and business methods
Specification on methods override that on class
@DeclareRoles - declare roles, and the application uses all the roles declared anywhere
@DeclareRoles("RoleName1") public class BeanOne
@DeclareRoles({"RoleName1","RoleName2","RoleName3"}) public class BeanTwo
@RolesAllowed
@PermitAll
@DenyAll
Programmatic security
@Resource SessionContext ctx; .....
callerPrincipal = ctx.getCallerPrincipal();
callerKey = callerPrincipal.getName();
ctx.isCallerInRole("payroll")
Propagating Security ID (Run As)
"Run as" does not change the caller to a bean, but what id the bean uses to call
@RunAs("RoleName")