If OC4J can map every application role referenced in ejb-jar.xml directly to a physical group with the same name, then the security elements in the following example aren't necessary. However, for portability, backward compatibility, future security, and other considerations, it's usually more appropriate to explicitly map application roles to actual users and groups using a <security-role-mapping>.
For example, if the ejb-jar.xml contains the following assembly-descriptor:
    <assembly-descriptor>
      <security-role>
        <description>Allowed to check inventory</description>
        <role-name>inventory</role-name>
      </security-role>
      <method-permission>
        <role-name>inventory</role-name>
        <method>
          <ejb-name>ProductManager</ejb-name>
          <method-name>checkInventory</method-name>
        </method>
      </method-permission>
    </assembly-descriptor>
Now you can map the inventory role to one or more specific groups and users within orion-ejb-jar.xml, as follows:
    <assembly-descriptor>
      <security-role-mapping name="inventory">
        <group name="InventoryManagers" />
        <group name="Pickers" />
      </security-role-mapping>
    </assembly-descriptor>
The <assembly-descriptor> element may contain the elements listed in Table 11-21.
Parameter | Description | Default Value |
---|---|---|
security-role-mapping | Maps a J2EE application role to one or more users and groups known to the UserManager. | |
security-role-mapping:impliesAll | If true, all users are assumed to have this role. If false, individual users and groups should be specified using the <user> and <group> elements. | false |
security-role-mapping:name | The name of the role as specified in ejb-jar.xml. | |
group | Allows the assignment of a role to a group of users. | |
group:name | Name of the group that should be given this role. | |
user | Allows the assignment of a role to an individual user. | |
user:name | | |
default-method-access | The security settings for methods that aren't included in a method-permission in the ejb-jar.xml. This element contains a security-role-mapping with an impliesAll attribute. If impliesAll is set to true, then all users will be assumed to have that role and thus any methods without security settings will be accessible by all. If set to false, then callers must have the default role specified. | |
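
The following is an added example, not part of the original documentation and not Oracle's code: a Python check that reads both descriptors and flags the cases the table describes, namely impliesAll="true" mappings, an open default-method-access, and roles left to implicit same-name group mapping. The sample descriptors, the auditor, reports and default-caller role names, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors, not taken from a real deployment.
EJB_JAR = """<ejb-jar><assembly-descriptor>
  <security-role><role-name>inventory</role-name></security-role>
  <security-role><role-name>auditor</role-name></security-role>
  <method-permission><role-name>inventory</role-name>
    <method><ejb-name>ProductManager</ejb-name><method-name>checkInventory</method-name></method></method-permission>
</assembly-descriptor></ejb-jar>"""

ORION_EJB_JAR = """<orion-ejb-jar><assembly-descriptor>
  <security-role-mapping name="inventory">
    <group name="InventoryManagers" /><group name="Pickers" />
  </security-role-mapping>
  <security-role-mapping name="reports" impliesAll="true" />
  <default-method-access><security-role-mapping name="default-caller" impliesAll="true" /></default-method-access>
</assembly-descriptor></orion-ejb-jar>"""

def find_all(root, name):
    # Match on the local tag name so DTD-based and namespaced descriptors both work.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit(ejb_jar_xml, orion_xml):
    """Return (severity, message) findings for the role-to-principal mapping."""
    ejb, orion = ET.fromstring(ejb_jar_xml), ET.fromstring(orion_xml)
    declared = {rn.text.strip() for sr in find_all(ejb, "security-role")
                for rn in find_all(sr, "role-name")}
    defaults = {id(m) for d in find_all(orion, "default-method-access")
                for m in find_all(d, "security-role-mapping")}
    findings, mapped = [], set()
    for m in find_all(orion, "security-role-mapping"):
        name = m.get("name", "")
        implies_all = m.get("impliesAll", "false").strip().lower() == "true"
        if id(m) in defaults:  # mapping nested in default-method-access
            if implies_all:
                findings.append(("HIGH", "default-method-access: methods without "
                                 "a method-permission are open to all users"))
            continue
        mapped.add(name)
        if implies_all:
            findings.append(("HIGH", f"role '{name}': impliesAll grants it to every user"))
        if name not in declared:
            findings.append(("WARN", f"role '{name}': mapped but not declared in ejb-jar.xml"))
    for name in sorted(declared - mapped):
        findings.append(("WARN", f"role '{name}': no explicit mapping, relies on a same-named group"))
    return findings

for severity, message in audit(EJB_JAR, ORION_EJB_JAR):
    print(f"{severity:4} {message}")
```
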