Posted to dev@geronimo.apache.org by Tim McConnell <ti...@gmail.com> on 2007/04/11 00:44:48 UTC

Security Annotations

Hi, I'm trying to verify that we're properly supporting all the 
javax.annotation.security annotations. Based on my "interpretation" of the 
pertinent specs, this is what I've found relative to what application type 
should support what annotations. If anyone sees anything obviously wrong with my 
interpretation(s) please let me know (especially if I've missed anything 
obvious). Thanks much

EJB security annotations:
	@DeclareRoles
	@RolesAllowed
	@PermitAll
	@DenyAll
	@RunAs

Servlet security annotations
	@DeclareRoles
	@RunAs (not exactly sure why, but presumably to propagate a security
context/identity from a Web container to an EJB container and possibly
for web service endpoints implemented as servlets)

-- 
Thanks,
Tim McConnell
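
The split listed in the post above, sketched as an added example (not code from this thread, Geronimo or OpenEJB). The types AuditLog, AuditLogBean and ReportServlet and the role names "auditor" and "report-runner" are hypothetical. It assumes a Java EE 5 container and a web.xml that already requires authentication for the servlet's URL.

```java
// Added example; all type and role names are hypothetical.
// Each public type goes in its own source file with these imports.
import java.io.IOException;
import javax.annotation.security.*;
import javax.ejb.*;
import javax.servlet.http.*;

// ---- AuditLog.java (EJB 3.0 local business interface) ----
@Local
public interface AuditLog {
    void record(String event);
    void purge();
}

// ---- AuditLogBean.java (EJB tier: the full annotation list from the post applies) ----
@Stateless
@DeclareRoles({"report-runner", "auditor"})
public class AuditLogBean implements AuditLog {
    @RolesAllowed("report-runner")   // only callers in this role may invoke record()
    public void record(String event) {
        System.out.println("audit: " + event);
    }

    @DenyAll                         // no caller may invoke purge() through the container
    public void purge() {
        throw new UnsupportedOperationException();
    }
}

// ---- ReportServlet.java (web tier: @DeclareRoles and @RunAs only) ----
@DeclareRoles("auditor")             // declares the role name tested by isUserInRole()
@RunAs("report-runner")              // role used for this servlet's calls into EJBs
public class ReportServlet extends HttpServlet {
    @EJB
    private AuditLog audit;
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // isUserInRole() still checks the authenticated web user's own roles.
        if (!req.isUserInRole("auditor")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // The EJB container checks @RolesAllowed against the run-as role, not the web user.
        audit.record("report viewed by " + req.getRemoteUser());
        resp.getWriter().println("ok");
    }
}
```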

Re: Security Annotations

Posted by Tim McConnell <ti...@gmail.com>.
Thanks for reviewing David, I shall get started on the servlet annotations 
immediately....

David Jencks wrote:
> That looks extremely plausible.
> 
> David Blevins would know for sure but I'm 99% sure that openejb is 
> already handling all the ejb security annotations correctly so geronimo 
> doesn't need to deal with them.  We should handle the servlet annotations.
> 
> thanks
> david jencks
> 
> On Apr 10, 2007, at 3:44 PM, Tim McConnell wrote:
> 
>> Hi, I'm trying to verify that we're properly supporting all the 
>> javax.annotation.security annotations. Based on my "interpretation" of 
>> the pertinent specs, this is what I've found relative to what 
>> application type should support what annotations. If anyone sees 
>> anything obviously wrong with my interpretation(s) please let me know 
>> (especially if I've missed anything obvious). Thanks much
>>
>> EJB security annotations:
>>     @DeclareRoles
>>     @RolesAllowed
>>     @PermitAll
>>     @DenyAll
>>     @RunAs
>>
>> Servlet security annotations
>>     @DeclareRoles
>>     @RunAs (not exactly sure why, but presumably to propagate
>> a security context/identity from a Web container to an
>> EJB container and possibly for web service
>> endpoints implemented as servlets)
>>
>> --Thanks,
>> Tim McConnell
> 
> 

Re: Security Annotations

Posted by David Jencks <da...@yahoo.com>.
That looks extremely plausible.

David Blevins would know for sure but I'm 99% sure that openejb is  
already handling all the ejb security annotations correctly so  
geronimo doesn't need to deal with them.  We should handle the  
servlet annotations.

thanks
david jencks

On Apr 10, 2007, at 3:44 PM, Tim McConnell wrote:

> Hi, I'm trying to verify that we're properly supporting all the  
> javax.annotation.security annotations. Based on my "interpretation"  
> of the pertinent specs, this is what I've found relative to what  
> application type should support what annotations. If anyone sees  
> anything obviously wrong with my interpretation(s) please let me  
> know (especially if I've missed anything obvious). Thanks much
>
> EJB security annotations:
> 	@DeclareRoles
> 	@RolesAllowed
> 	@PermitAll
> 	@DenyAll
> 	@RunAs
>
> Servlet security annotations
> 	@DeclareRoles
> 	@RunAs (not exactly sure why, but presumably to propagate a
> security context/identity from a Web container to an EJB
> container and possibly for web service endpoints implemented as
> servlets)
>
> -- 
> Thanks,
> Tim McConnell