Using @RunAs in EJB 3.0
Today I implemented an EJB where I used the @RunAs annotation for the first time.
This annotation lets an EJB call other components under a declared role instead of the caller's identity, which allows you to skip over the security settings in your EJB module. I use the Imixs IX JEE Workflow, so I have to deal with the IX Workflow roles. My new EJB should create a new workflow task triggered by an unauthenticated (anonymous) user. So my EJB needs the workflow role "org.imixs.ACCESSLEVEL.AUTHORACCESS" to get access to the workflow model and the permission to create a new workitem. This can be declared with the @RunAs annotation in the EJB implementation:
package org.imixs.business;

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Stateless;
import org.imixs.workflow.ItemCollection;
// ....

@Stateless
@DeclareRoles( { "org.imixs.ACCESSLEVEL.AUTHORACCESS" })
@RunAs("org.imixs.ACCESSLEVEL.AUTHORACCESS")
public class ContactServiceBean implements ContactService {

    // Workflow Manager, called under the @RunAs role declared above
    @EJB
    org.imixs.workflow.jee.ejb.WorkflowManager wm;

    ItemCollection workItem = null;

    /**
     * This method creates a new Contact workitem.
     */
    public ItemCollection create() throws Exception {
        // create empty workitem
        workItem = wm.createWorkItem(INITIAL_PROCESS);
        workItem.replaceItemValue("type", "contact");
        return workItem;
    }

    // .....
}
Next it is necessary (I am running on a GlassFish server) to add a user principal to the sun-ejb-jar.xml and also declare the principal:
sun-ejb-jar.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 EJB 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-ejb-jar_3_0-0.dtd">
<sun-ejb-jar>
    <security-role-mapping>
        <role-name>org.imixs.ACCESSLEVEL.READERACCESS</role-name>
        <principal-name>org.imixs.ACCESSLEVEL.READERACCESS</principal-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>org.imixs.ACCESSLEVEL.AUTHORACCESS</role-name>
        <principal-name>org.imixs.ACCESSLEVEL.AUTHORACCESS</principal-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>org.imixs.ACCESSLEVEL.EDITORACCESS</role-name>
        <principal-name>org.imixs.ACCESSLEVEL.EDITORACCESS</principal-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>org.imixs.ACCESSLEVEL.MANAGERACCESS</role-name>
        <group-name>IMIXS-WORKFLOW-Manager</group-name>
        <principal-name>WorkflowScheduler</principal-name>
    </security-role-mapping>
    <enterprise-beans>
        <ejb>
            <ejb-name>ContactServiceBean</ejb-name>
            <jndi-name>ejb/ShareyourworkContactServiceBean</jndi-name>
            <principal><name>WorkflowScheduler</name></principal>
        </ejb>
    </enterprise-beans>
</sun-ejb-jar>
Now the principal "WorkflowScheduler" is named as a principal in my EJB declaration and is mapped to the role "org.imixs.ACCESSLEVEL.MANAGERACCESS", so this user will be able to call my EJB methods. As this role is declared as a @RunAs role in my ContactServiceBean, the principal "WorkflowScheduler" will be used by the EJB container to run the methods in my EJB.
Posted at 11:51AM Apr 15, 2009
Posted by: Ralph
Category: General
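A descriptor like the one above can be checked mechanically. The following added example (not part of the original post or of the Imixs project) reads a sun-ejb-jar.xml and reports, for a bean that uses @RunAs, which roles its run-as principal is mapped to and whether the @RunAs role is among them. The function names are hypothetical, and the @RunAs role is passed in by hand because it lives in the Java source, not in the descriptor.

```python
import xml.etree.ElementTree as ET

# Added example (hypothetical names). The post's descriptor, trimmed to what the check reads.
SUN_EJB_JAR = """<sun-ejb-jar>
  <security-role-mapping>
    <role-name>org.imixs.ACCESSLEVEL.AUTHORACCESS</role-name>
    <principal-name>org.imixs.ACCESSLEVEL.AUTHORACCESS</principal-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>org.imixs.ACCESSLEVEL.MANAGERACCESS</role-name>
    <principal-name>WorkflowScheduler</principal-name>
  </security-role-mapping>
  <enterprise-beans>
    <ejb>
      <ejb-name>ContactServiceBean</ejb-name>
      <principal><name>WorkflowScheduler</name></principal>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>"""

def roles_by_principal(root):
    """Map each <principal-name> to the set of roles it is mapped to."""
    mapping = {}
    for srm in root.iter("security-role-mapping"):
        role = (srm.findtext("role-name") or "").strip()
        for p in srm.findall("principal-name"):
            mapping.setdefault((p.text or "").strip(), set()).add(role)
    return mapping

def audit_run_as(xml_text, run_as_roles):
    """run_as_roles: {ejb-name: role in that bean's @RunAs}, entered by hand."""
    root = ET.fromstring(xml_text)
    mapping = roles_by_principal(root)
    reports = []
    for ejb in root.iter("ejb"):
        name = (ejb.findtext("ejb-name") or "").strip()
        if name not in run_as_roles:
            continue
        principal = (ejb.findtext("principal/name") or "").strip()
        mapped = mapping.get(principal, set())
        reports.append({
            "ejb": name, "principal": principal,
            "has_run_as_role": run_as_roles[name] in mapped,
            "other_roles": sorted(mapped - {run_as_roles[name]}),
        })
    return reports

if __name__ == "__main__":
    print(audit_run_as(SUN_EJB_JAR, {"ContactServiceBean": "org.imixs.ACCESSLEVEL.AUTHORACCESS"}))
```

On the descriptor from the post, the report shows "WorkflowScheduler" mapped to MANAGERACCESS rather than to the AUTHORACCESS role named in @RunAs, which is the kind of mismatch worth reviewing on a bean that anonymous users can reach.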