Login | Register   
RSS Feed
Download our iPhone app
Browse DevX
Sign up for e-mail newsletters from DevX


Try Declarative Programming with Annotations and Aspects : Page 3

Learn how to combine the power of annotations with aspects to provision enterprise services declaratively, in an EJB 3.0-compatible manner, while still providing container independence.




Application Security Testing: An Integral Part of DevOps

In addition to resource injection, JSR 250 and EJB 3.0 also provide for the expression of security metadata via annotations. The javax.annotation.security package defines five annotations—RunAs, RolesAllowed, PermitAll, DenyAll, and RolesReferenced—all of which can be applied to methods to define security requirements. For example, if you wanted to declare that the bookFlight method listed above could be executed only by callers with the role "user," then you could annotate that method with that security restriction as follows:

public class TravelAgencyServiceImpl implements ITravelAgencyService { @Resource(name = "flightDAO") public IFlightDAO flightDAO; @RolesAllowed("user") public void bookTrip(long outboundFlightID, long returnFlightID, int seats) throws InsufficientSeatsException { reserveSeats(outboundFlightID, seats); reserveSeats(returnFlightID, seats); } }

This annotation would signal that the container is responsible for ensuring that only callers with the specified role can execute the method. So now I will show another simple aspect that will enforce this security constraint on the application:

@Aspect public class SecurityAspect { @Around("execution(@javax.annotation.security.RolesAllowed * *.*(..))") public Object aroundSecuredMethods(ProceedingJoinPoint thisJoinPoint) throws Throwable { boolean callerAuthorized = false; RolesAllowed rolesAllowed = rolesAllowedForJoinPoint(thisJoinPoint); for (String role : rolesAllowed.value()) { if (callerInRole(role)) { callerAuthorized = true; } } if (callerAuthorized) { return thisJoinPoint.proceed(); } else { throw new RuntimeException( "Caller not authorized to perform specified function"); } } private RolesAllowed rolesAllowedForJoinPoint(ProceedingJoinPoint thisJoinPoint) { MethodSignature methodSignature = (MethodSignature) thisJoinPoint.getSignature(); Method targetMethod = methodSignature.getMethod(); return targetMethod.getAnnotation(RolesAllowed.class); } private boolean callerInRole(String role) { ... } }

This aspect surrounds all executions of methods annotated with the @RolesAllowed annotation and ensures that the caller is authorizes to invoke the method by verifying that the caller is in one of the roles specified in the annotation. You can of course substitute any algorithm you would like to authorize the user and retrieve his or her roles such as JAAS or a custom solution. In the example code I decided to delegate to the servlet container for convenience.

Comment and Contribute






(Maximum characters: 1200). You have 1200 characters left.



Thanks for your registration, follow us on our social networks to keep up-to-date