introspection of the J2EE role of session beans


EJB programming & troubleshooting: introspection of the J2EE role of session beans

  1. Is there any way to introspect on a given Remote Interface SessionBean method and discover the role that has been associated with it in a portable way?

    The only current way I can think of is to read and parse the ejb-jar. Does the JNDI environment duplicate such information?
  2. So far as I know, parsing the ejb-jar.xml file or using some server admin utility is the only way to gain this information.

    Personally, I would have serious security concerns about a service that advertised what permissions you needed to access it. Most security frameworks I know of don't publicize this kind of information.
  3. I don't intend to advertise the roles. What I'm trying to achieve is a generic way for the UI components to test whether the caller can perform some logic.

    The current pattern we use is to create a dummy method which contains no logic but is tagged with the same roles that are necessary to complete some UI functionality. The UI then attempts to access that SLSB method as part of its pre-condition checks. If it gets a security violation then the GUI can fail before the user has potentially entered a lengthy batch of updates.

    Do you know of a better pattern?
  4. Well ... you could create an AccessChecker Session EJB with a method like this:

    boolean canAccessMethod(String role, Class ejb, String method);

    This Session EJB (which is on the server) should be able to access and parse the ejb-jar.xml files. Or, better yet, you can incorporate a feature in your automated build that pre-processes all your ejb-jar.xml files and stores all the role-related information in a single XML file.

    I don't know if that will be much better than what you are doing now, though.
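
One way to build the lookup described in the last reply, as an added example that is not code from the thread. It assumes the standard `method-permission` layout of `ejb-jar.xml`, takes the bean's `ejb-name` as a String instead of a `Class`, ignores `method-intf`, `method-params` and `exclude-list`, and denies any method the descriptor does not list; the bean, method and role names in `main` are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class AccessChecker {
    // "ejbName#methodName" -> roles allowed; the pseudo-role "*" marks <unchecked/>.
    private final Map<String, Set<String>> perms = new HashMap<>();

    public AccessChecker(byte[] ejbJarXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The descriptor is treated as data only: no external entities, no remote DTD fetch.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(ejbJarXml));
        NodeList mps = doc.getElementsByTagName("method-permission");
        for (int i = 0; i < mps.getLength(); i++) {
            Element mp = (Element) mps.item(i);
            Set<String> roles = new HashSet<>();
            NodeList rn = mp.getElementsByTagName("role-name");
            for (int j = 0; j < rn.getLength(); j++) roles.add(rn.item(j).getTextContent().trim());
            if (mp.getElementsByTagName("unchecked").getLength() > 0) roles.add("*");
            NodeList ms = mp.getElementsByTagName("method");
            for (int j = 0; j < ms.getLength(); j++) {
                Element m = (Element) ms.item(j);
                String key = text(m, "ejb-name") + "#" + text(m, "method-name");
                perms.computeIfAbsent(key, k -> new HashSet<>()).addAll(roles);
            }
        }
    }
    private static String text(Element e, String tag) {
        return e.getElementsByTagName(tag).item(0).getTextContent().trim();
    }
    // Fails closed: a method with no matching method-permission entry is reported as denied.
    public boolean canAccessMethod(String role, String ejbName, String method) {
        Set<String> allowed = new HashSet<>(perms.getOrDefault(ejbName + "#" + method, Collections.emptySet()));
        allowed.addAll(perms.getOrDefault(ejbName + "#*", Collections.emptySet())); // "*" = every method
        return allowed.contains(role) || allowed.contains("*");
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample descriptor, not taken from the thread.
        String xml = "<ejb-jar><assembly-descriptor><method-permission><role-name>clerk</role-name>"
            + "<method><ejb-name>OrderBean</ejb-name><method-name>submitBatch</method-name></method>"
            + "</method-permission></assembly-descriptor></ejb-jar>";
        AccessChecker c = new AccessChecker(xml.getBytes(StandardCharsets.UTF_8));
        System.out.println(c.canAccessMethod("clerk", "OrderBean", "submitBatch") + " "
            + c.canAccessMethod("guest", "OrderBean", "submitBatch"));
    }
}
```

The answer is only a hint for the UI's pre-condition check; the container's own method-permission enforcement on the real call remains the access decision.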