I'm developing a Java EE 6 application using Glassfish 3.1, B06. To secure my app, I'm using a JDBCRealm and programmatic security. This works fine to check username and password. But when it comes to declaring security roles, I have a problem:

To use security roles in Java EE 6, I have to declare those roles both in the EJB deployment descriptor and in the Glassfish-specific deployment descriptor to link those roles (as explained in the JEE6 tutorial). Only then can I use the method isCallerInRole(String roleRef) inside an EJB to check permissions.

This is not desirable for my application, as I want it to be possible to add security roles both dynamically and programmatically, without having to write XML files (and, for example, to make it possible to define role names in a database).

I just debugged through the GF3 source code and saw the implementation of isCallerInRole in com.sun.ejb.containers.EjbContextImpl. There the container gets the roles out of the EJB descriptor:

```java
public boolean isCallerInRole(String roleRef) {
  (...)
  // the role reference is resolved from the deployed EJB's descriptor
  EjbDescriptor ejbd = container.getEjbDescriptor();
  RoleReference rr = ejbd.getRoleReferenceByName(roleRef);
  (...)
}
```

I looked around and found out that if I could somehow get the EJB descriptor inside my application, I could add a role like this:

```java
EjbDescriptor ejbd = //??? Can I use that descriptor inside my app, or is that "forbidden"?
RoleReference rr = new RoleReference("admin", "Admins are allowed to do everything");
ejbd.addRoleReference(rr);
```

Did anyone do something like this, or have some thoughts about it? Is it possible to use the EJB deployment descriptor inside my application? Or are there better approaches?

P.S. Or should I use MBeans to add roles? I found a quite related post here.
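As an added illustration (not code from the question, from GlassFish, or from any answer), the following sketch shows a role check that does not go through isCallerInRole() and therefore needs no security-role-ref entries in ejb-jar.xml or glassfish-ejb-jar.xml. It uses only public Java EE 6 APIs (an EJB 3.1 interceptor, EJBContext.getCallerPrincipal(), a @Singleton) rather than the com.sun.* descriptor classes the question debugged into. The package name, the RequiresRole annotation, the DynamicRoleStore bean, its in-memory sample data, and the AccountService bean are all assumptions made for this example; a real role store would query a DataSource (for instance the same tables the JDBCRealm reads) instead of a map.

```java
// --- DynamicRoleStore.java --- (hypothetical bean standing in for a role table)
package example;

import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.ejb.Singleton;

@Singleton
public class DynamicRoleStore {
    // A @Singleton serializes calls with a container write lock by default,
    // so a plain HashMap is safe here. A real store would hit a DataSource.
    private final Map<String, Set<String>> rolesByUser = new HashMap<String, Set<String>>();

    public DynamicRoleStore() {
        // Constructed sample data for the example, not real accounts.
        rolesByUser.put("alice", new HashSet<String>(Arrays.asList("admin", "user")));
        rolesByUser.put("bob", new HashSet<String>(Arrays.asList("user")));
    }

    /** Grants a role at runtime; no XML descriptor has to change. */
    public void grant(String user, String role) {
        Set<String> roles = rolesByUser.get(user);
        if (roles == null) {
            roles = new HashSet<String>();
            rolesByUser.put(user, roles);
        }
        roles.add(role);
    }

    public boolean hasRole(String user, String role) {
        Set<String> roles = rolesByUser.get(user);
        return roles != null && roles.contains(role);
    }
}

// --- RoleCheckInterceptor.java --- (hypothetical interceptor doing the check)
package example;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.EJBContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

public class RoleCheckInterceptor {
    /** Hypothetical annotation naming the role a business method requires. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface RequiresRole {
        String value();
    }

    @Resource
    private EJBContext ctx;        // context of the intercepted bean, injected by the container

    @EJB
    private DynamicRoleStore roles;

    @AroundInvoke
    public Object checkRole(InvocationContext ic) throws Exception {
        RequiresRole required = ic.getMethod().getAnnotation(RequiresRole.class);
        if (required == null) {
            return ic.proceed();   // unannotated method: nothing to enforce here
        }
        Principal caller = ctx.getCallerPrincipal();
        String user = (caller == null) ? null : caller.getName();
        // Deny by default. An unauthenticated caller carries the container's
        // default principal, which has no entry in the store and is rejected too.
        if (user == null || !roles.hasRole(user, required.value())) {
            throw new EJBAccessException("caller '" + user + "' lacks role '" + required.value() + "'");
        }
        return ic.proceed();
    }
}

// --- AccountService.java --- (hypothetical protected bean)
package example;

import javax.ejb.Stateless;
import javax.interceptor.Interceptors;

@Stateless
@Interceptors(RoleCheckInterceptor.class)
public class AccountService {
    @RoleCheckInterceptor.RequiresRole("admin")
    public void deleteAccount(String accountId) {
        // Only reached when the store maps the authenticated caller to "admin".
    }
}
```

Authentication still comes from the JDBCRealm as before; only the role decision moves out of the descriptor into code you control, so roles can be created in the database (via grant() or a direct insert) while the application is running. The trade-off is that @RolesAllowed and the container's own authorization no longer see these roles, so every protected method must carry the interceptor, and the check should fail closed, as the EJBAccessException above does.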