How to set up access control in an EJB such that different application clients have different rights to invoke different methods in one EJB?

Shaun Childers

To set up EJB access control you should do the following:

1) Set up the different users/groups and the methods each can have access to in your deployment descriptor. Note: You don't have to specify different methods for each user, you could also just specify different users to your entire bean - for example if you only wanted another component of your application talking to your bean.

2) Inside your client code, whenever you make your connection to the EJB server (to look up the bean) you need to specify the user and password, in order to set the Identity of the client:

import java.util.Properties;
import javax.naming.*;
Properties p = new Properties();
p.put(Context.SECURITY_PRINCIPAL, "user");
p.put(Context.SECURITY_CREDENTIALS, "password");
Context ctx = new InitialContext(p);   // lookups made through ctx now carry this identity

3) Inside your bean, you can do "extra" security checks (if you used 'Role'-based security), assuming you have a 'manager' role defined in your deployment descriptor and a user assigned to this role:

public int getAccountBalance(int accountId) {
   if (ejbContext.isCallerInRole("manager"))
      return balance;
   throw new EJBException("caller is not in role 'manager'");   // deny everyone else
}

You could also enforce security at your EJB server. Using WebLogic, you could add the following to your weblogic.properties file:

where "user" is the username you grant access for and "password" (after '=') is the password for this username.
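Putting the three steps together, here is an added example (not code from the post above), written in the EJB 2.x style the answer uses: the deployment-descriptor fragment from step 1, a bean that pairs a declarative method permission with the programmatic isCallerInRole check from step 3, and a client that sets its identity through JNDI as in step 2. The bean name Account, the AccountHome/Account interfaces, the 'teller' role, the user 'alice', and the WebLogic context factory and URL are all assumptions for this example.

```java
// ejb-jar.xml fragment assumed for this example (constructed, not from the post):
//
//   <assembly-descriptor>
//     <security-role><role-name>teller</role-name></security-role>
//     <security-role><role-name>manager</role-name></security-role>
//     <method-permission>                      <!-- tellers may only read -->
//       <role-name>teller</role-name>
//       <method><ejb-name>Account</ejb-name><method-name>getAccountBalance</method-name></method>
//     </method-permission>
//     <method-permission>                      <!-- managers may call everything -->
//       <role-name>manager</role-name>
//       <method><ejb-name>Account</ejb-name><method-name>*</method-name></method>
//     </method-permission>
//   </assembly-descriptor>
//
// The <session> element for Account also needs a <security-role-ref> naming
// "manager", so that isCallerInRole("manager") below resolves to that role.

// --- AccountBean.java ---
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class AccountBean implements SessionBean {
    private SessionContext ejbContext;
    private int balance = 0;

    public void setSessionContext(SessionContext ctx) { this.ejbContext = ctx; }
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}

    // Opened to 'teller' and 'manager' by <method-permission>; the container
    // rejects any other caller before this body runs.
    public int getAccountBalance(int accountId) {
        return balance;
    }

    // Opened to 'manager' only by the descriptor. The programmatic check is
    // defence in depth: if the descriptor is ever loosened, the bean still refuses.
    public void setOverdraftLimit(int accountId, int limit) {
        if (!ejbContext.isCallerInRole("manager")) {
            throw new EJBException("caller " + ejbContext.getCallerPrincipal().getName()
                                   + " is not in role 'manager'");
        }
        // ... apply the limit to the account ...
    }
}

// --- TellerClient.java ---
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;

public class TellerClient {
    public static void main(String[] args) throws Exception {
        Properties p = new Properties();
        // Vendor factory and URL are assumptions for WebLogic; other servers differ.
        p.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        p.put(Context.PROVIDER_URL, "t3://localhost:7001");
        // Identity the container authenticates and maps to roles (step 2).
        p.put(Context.SECURITY_PRINCIPAL, "alice");    // constructed: a user in the 'teller' group
        p.put(Context.SECURITY_CREDENTIALS, args[0]);  // password supplied at run time, not hard-coded
        Context ctx = new InitialContext(p);

        Object ref = ctx.lookup("Account");
        AccountHome home = (AccountHome) PortableRemoteObject.narrow(ref, AccountHome.class);
        Account acct = home.create();

        System.out.println("balance: " + acct.getAccountBalance(42));   // permitted for a teller

        try {
            acct.setOverdraftLimit(42, 500);                             // denied for a teller
        } catch (java.rmi.RemoteException denied) {
            // Both the container's declarative denial and the bean's own
            // isCallerInRole refusal surface to a remote client here.
            System.out.println("denied: " + denied.getMessage());
        }
    }
}
```

The descriptor does the primary enforcement; the isCallerInRole check inside setOverdraftLimit only restates the one rule the bean itself cannot afford to have silently loosened, which keeps the two mechanisms from drifting apart.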

Much more detailed information on this topic can be found by reading the Sun specification of EJB at: http://www.java.sun.com/products/ejb/docs.html