I'm developing a Java EE 6 application using Glassfish 3.1, B06. To secure my app, I'm using a JDBCRealm and programmatic security. This works fine to check username and password. But when it comes to declaring security roles, I have a problem:
To use security roles in Java EE 6, I have to declare those roles both in the EJB deployment descriptor and in the Glassfish-specific deployment descriptor to link those roles (as explained in the Java EE 6 tutorial). Only then can I use the method isCallerInRole(String roleRef) inside an EJB to check permissions.
This is not desirable for my application, as I want it to be possible to add security roles both dynamically and programmatically, without having to write XML files (and, for example, make it possible to define role names in a database).
I just debugged through the GF3 source code and saw the implementation of isCallerInRole in com.sun.ejb.containers.EjbContextImpl. There the container gets the roles out of the EJB descriptor:
public boolean isCallerInRole(String roleRef) {
  (...)
  // the container looks the role reference up in the deployed EJB's descriptor
  EjbDescriptor ejbd = container.getEjbDescriptor();
  RoleReference rr = ejbd.getRoleReferenceByName(roleRef);
  (...)
}
I looked around and found out that if I could somehow get the EJB descriptor inside my application, I could add a role like this:
EjbDescriptor ejbd = //??? Can i use that descriptor inside my app, or is that "forbidden"?
RoleReference rr = new RoleReference("admin", "Admins are allowed to do everything");
ejbd.addRoleReference(rr);
Has anyone done something like this, or got some thoughts about it? Is it possible to use the EJB deployment descriptor inside my application? Or are there better approaches?
P.S. Or should I use MBeans to add roles? Found a quite related post here.
The Javadoc does mention this requirement explicitly:
   /**
    * Tests if the caller has a given role.
    *
    * @param roleName - The name of the security role. The role must be one of the security roles that
    * is defined in the deployment descriptor.
    * @return True if the caller has the specified role.
    */
   public boolean isCallerInRole(String roleName);
However, I found that at least with JBoss AS it's not required at all to declare those roles in advance. In our case, the principal roles are dynamically created in the system and assigned when the authentication takes place. It is thus impossible to declare those upfront.
Yet, the isCallerInRole method works perfectly well.
I realize switching to JBoss AS is not a solution, but maybe this information is valuable to someone anyway.
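For reference, here is the portable way of declaring and checking roles that both posts are discussing, as an added example (not code from either poster). It assumes the JDBCRealm already puts authenticated users into groups named "admin" and "user" and that those groups are mapped to the roles of the same name in the vendor descriptor; the roles still have to be declared statically with @DeclareRoles (the annotation equivalent of the security-role element in ejb-jar.xml), which is exactly the limitation the question runs into.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Roles referenced by isCallerInRole must be declared here (or in ejb-jar.xml);
// the container resolves the name against the EJB descriptor, as seen in EjbContextImpl.
@DeclareRoles({"admin", "user"})
@Stateless
public class ReportService {

    @Resource
    private SessionContext ctx;

    // Declarative check: the container rejects callers outside the listed roles
    // before the method body runs.
    @RolesAllowed("admin")
    public void deleteAllReports() {
        // privileged work goes here
    }

    // Programmatic check: any authenticated caller may invoke the method,
    // but the body decides what it is allowed to see.
    @PermitAll
    public String buildReport() {
        String who = ctx.getCallerPrincipal().getName();
        if (ctx.isCallerInRole("admin")) {
            return "full report for " + who;          // admins see everything
        }
        if (ctx.isCallerInRole("user")) {
            return "own records only for " + who;     // users see their own data
        }
        // An undeclared or unmapped role never evaluates to true, so fail closed.
        throw new EJBAccessException("caller " + who + " holds no permitted role");
    }
}
```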