EJB specifies declarative attributes for security authorization. Once a user has been authenticated (logged in), access to enterprise beans can be monitored and controlled. The declarative authorization attributes allow the container to control which users can access which methods on specific bean types. In EJB 1.0, individual methods on a bean are associated with Identity objects that represent individual users or groups of users called roles. Only users that are associated with the correct Identity objects can access the bean’s methods. Using this approach, bean methods can be mapped to a set of identities in the serializable deployment descriptor.

When a bean method is invoked at runtime, the container examines the Identity of the caller and compares it to the list of Identity objects associated with that method. If the caller’s identity matches or is a member of one of the identities associated with the method, the method can be invoked. Although this authentication model works well—it allows fine-grained functional authentication without requiring any code in the bean itself—it also has some problems. In an operational environment that supports ACL-based security, all the identities and roles in an enterprise are part of the operational environment. To choose Identity objects to associate with bean methods, you must have access to the ACL repository of the environment that the bean will be deployed in. For this reason, it is normally assumed that the deployer in EJB ...