EJB - Security

Security is a major concern of any enterprise level application. It includes identification of user(s) or system accessing the application. Based on identification, it allows or denies the access to resources within the application. An EJB container manages standard security concerns or it can be customized to handle any specific security concerns.

Important Terms of Security

  • Authentication − This is the process ensuring that user accessing the system or application is verified to be authentic.

  • Authorization − This is the process ensuring that authentic user has right level of authority to access system resources.

  • User − User represents the client or system, which accesses the application.

  • User Groups − Users may be part of the group having certain authorities For example administrator's group.

  • User Roles − Roles define the level of authority, a user have or permissions to access a system resource.

Container Managed Security

EJB 3.0 has specified following attributes/annotations of security, which EJB containers implement.

  • DeclareRoles − Indicates that class will accept the declared roles. Annotations are applied at class level.

  • RolesAllowed − Indicates that a method can be accessed by user of role specified. Can be applied at class level resulting which all methods of class can be accessed buy user of role specified.

  • PermitAll − Indicates that a business method is accessible to all. It can be applied at class as well as at method level.

  • DenyAll − Indicates that a business method is not accessible to any of the user specified at class or at method level.


package com.tutorialspoint.security.required;
import javax.ejb.*
@DeclareRoles({"student" "librarian"})
public class LibraryBean implements LibraryRemote {

   public void delete(Book book) {
	  //delete book
   public void viewBook(Book book) {
      //view book
   public void deleteAll() {
      //delete all books

Security Configuration

Map roles and user groupd in configuration file.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 EJB 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-ejb-jar_3_0-0.dtd">