6.3 Protecting Enterprise JavaBeans Resources

Because you can define multiple protected resources for each JavaBean, you can create one policy that protects the module and another policy that protects specific interfaces or methods. For example, you can create two protected resources and two policies for an EJB. The first resource and policy combination grants general access to the EJB to all the users that meet the criteria in the Authorization policy. If the EJB contains areas that only a few users should access, then you create a second protected resource and policy combination that restricts access to these resources to these users. The following sections explain this process:

6.3.1 Creating a Protected Enterprise JavaBean Resource

  1. In the Administration Console, click Devices > J2EE Agents > Edit > Manage authorization policies.

  2. Click New and supply the following information:

    Module File Name: The filename of the EJB. Specify the name of the EJB module you are protecting, including the file extension (.jar for an EJB Module).

    Type: The type of the application. Select EJB Module for an EJB module.

  3. Click OK.

  4. To add a protected resource to the list, click New, specify a display name for the EJB resource, then click OK.

    [Figure: Configuring a protected Enterprise JavaBean resource]

  5. Fill in the following fields:

    EJB Name: The module name to protect. Select [All] to protect all modules.

    Interfaces: The interfaces to protect. Select one or more of the following:

    • Local

    • Local Home

    • Remote

    • Remote Home

    • Web Service

    Method: The method to protect. Select [All] to protect all methods.

    Method Parameters: The parameters of the method to protect.

    • If [All] is specified, the policy is applied to all methods listed in the Method field.

    • If the list is empty, the policy is applied only to the methods that have an empty set of parameters.

    • If the field contains parameter names, the policy is applied only to the methods that have the specified parameters.

  6. Click Configuration Panel > OK.

  7. On the Configuration page, click OK, then click Update > OK.

  8. Continue with Section 6.3.2, Assigning an Enterprise JavaBeans Authorization Policy to a Resource.

    Until you assign an Authorization policy to the resource to restrict access to it, all authenticated users have access to the resource.
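
The following added example (not part of the product or its documentation) models the Method Parameters rules from step 5 to show which overloads a protected resource covers; an empty parameter list covers only the no-argument overload. The AccountRemote interface and the Resource record are hypothetical, and comparing parameters by simple type name, in order, is an assumption about how the field is matched.

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;

public class ProtectedResourceCoverage {

    // Constructed sample EJB business interface (hypothetical).
    interface AccountRemote {
        String getBalance();
        String getBalance(String accountId);
        void transfer(String from, String to, long cents);
    }

    // One protected-resource row: the Method and Method Parameters fields.
    // params == null models [All]; an empty list matches only no-argument
    // methods; otherwise the method must take exactly these parameters.
    // Assumption: parameters are compared by simple type name, in order.
    record Resource(String method, List<String> params) {
        boolean covers(Method m) {
            boolean nameOk = method.equals("[All]") || method.equals(m.getName());
            return nameOk && (params == null || params.equals(paramTypes(m)));
        }
    }

    static List<String> paramTypes(Method m) {
        List<String> names = new ArrayList<>();
        for (Class<?> p : m.getParameterTypes()) names.add(p.getSimpleName());
        return names;
    }

    static void report(String label, Resource r) {
        System.out.println(label);
        Method[] methods = AccountRemote.class.getDeclaredMethods();
        Arrays.sort(methods, Comparator.comparing((Method m) -> m.toGenericString()));
        for (Method m : methods) {
            String state = r.covers(m) ? "covered    " : "not covered";
            System.out.println("  " + state + "  " + m.getName() + paramTypes(m));
        }
    }

    public static void main(String[] args) {
        report("Method=getBalance, Parameters=[All]", new Resource("getBalance", null));
        report("Method=getBalance, Parameters=(empty)", new Resource("getBalance", List.of()));
        report("Method=getBalance, Parameters=String", new Resource("getBalance", List.of("String")));
        report("Method=[All], Parameters=(empty)", new Resource("[All]", List.of()));
    }
}
```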

6.3.2 Assigning an Enterprise JavaBeans Authorization Policy to a Resource

The following instructions assume that you have already created your Authorization policy for the Web resource. For general information about Authorization policies, and for information about creating an EJB Authorization policy.

  1. In the Administration Console, click Devices > J2EE Agents > Edit > Manage authorization policies > [Name of EJB Module] > [Name of EJB] > Authorization Policy.

  2. To enable a policy, select a policy in the list, then click Enable.

    If no policies appear in the list, you haven’t created any. Click Manage Policies.

    WARNING: EJBs that are configured to run as a role can only use limited conditions in an EJB Authorization policy. The Current Roles of User and the time conditions can be used in the policy, but the conditions requiring user information cannot be used. This is because the RunAs role subjects do not contain the Liberty profile, LDAP attribute, or LDAP credential information that these conditions require. When unsupported conditions are defined in a policy and that policy is assigned to a RunAs role EJB, the user is denied access to the EJB resource.

  3. Click Configuration Panel > OK.

  4. On the Configuration page, click OK, then click Update > OK.