EJB - Security


Security is a major concern of any enterprise level application. It includes identification of user(s) or system accessing the application and allowing or denying the access to resources within the application. In EJB, security can be declared in declarative way called declarative security in which EJB container manages the security concerns or Custom code can be done in EJB to handle security concern by self.

Important Terms of Security

  • Authentication - This is the process ensuring that user accessing the system or application is verified to be authentic.

  • Authorization - This is the process ensuring that authentic user has right level of authority to access system resources.

  • User - User represents the client or system accessing the application.

  • User Groups - Users may be part of group having certain authorities for example administrator's group.

  • User Roles - Roles defines the level of authority a user have or permissions to access a system resource.

Container Managed Security

EJB 3.0 has specified following attributes/annotations of security which EJB containers implement.

  • DeclareRoles - Indicates that class will accept those declared roles. Annotations are applied at class level.

  • RolesAllowed - Indicates that a method can be accessed by user of role specified. Can be applied at class level resulting which all methods of class can be accessed buy user of role specified.

  • PermitAll - Indicates that business method is accessible to all. Can be applied at class as well as at method level.

  • DenyAll - Indicates that business method is not accessible to any of user specified at class or at method level.


package com.tutorialspoint.security.required;
import javax.ejb.*
@DeclareRoles({"student" "librarian"})
public class LibraryBean implements LibraryRemote {

   public void delete(Book book){
	  //delete book
   public void viewBook(Book book){
      //view book
   public void deleteAll(){
      //delete all books

Security Configuration

Map roles and user groupd in configuration file.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 EJB 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-ejb-jar_3_0-0.dtd">