Checking the Permission in the EJB Methods

Use

The next step is to make sure that the corresponding permissions are checked when the EJB methods are accessed. For this purpose, you will include the checkPermission() method and the corresponding exception handling in the saveBooking(), cancelBooking() and viewActiveBookings() methods of the Quick Order Processing Bean.

Prerequisites

The J2EE perspective is displayed in the SAP NetWeaver Developer Studio.

The quick car rental application’s EJB project, J2EE_QuickCarRentalEjb, is displayed in the J2EE Explorer.

Procedure


1. If it is not already open, open the QuickOrderProcessorBean by double-clicking it.

2. Choose the Bean tab page.

3. Add the import statements for the permission and exception classes.

import com.sap.engine.examples.ejb.quickcarrental.QuickReservationEjbPermission;
import java.security.AccessControlException;

4. Adjust the code of the saveBooking(), cancelBooking() and viewActiveBookings() methods to check the permissions as shown below.

   a. Start with the saveBooking() method. Add the checkPermission() statement and the exception handling. Check for the car type specified by vehicleTypeId and the action "create". Because the permission check needs the user, add these statements after the call that obtains the user ID.

Method saveBooking()

   public QuickBookingModel saveBooking(
      String vehicleTypeId,
      String dateFromString,
      String dateToString,
      String pickupLocation,
      String dropoffLocation)
      throws QuickCarRentalException {

      try {
         String username = myContext.getCallerPrincipal().getName();
         IUser user = UMFactory.getUserFactory().getUserByUniqueName(username);
         try {
            // Deny unless the caller holds the "create" permission for this car type
            user.checkPermission(
               new QuickReservationEjbPermission(vehicleTypeId, "create"));
         } catch (AccessControlException e) {
            e.printStackTrace();
            throw new QuickCarRentalException(
               user.getLastName()
                  + " may not create reservations for " + vehicleTypeId + " car types." );
         }

      } catch (UMException e) {
         throw new QuickCarRentalException("Could not get user name. " + e);
      }

     

...

   b. In the cancelBooking() method, add the checkPermission() statement and the exception handling. In this method you first have to obtain the vehicle type ID of the booking; the method to use is getVehicleTypeId(). Then check for the car type specified by vehicleTypeId and the action "cancel". Nest the try blocks so that the booking status is changed only after the check has passed. See the example below.

Method cancelBooking()

   public String cancelBooking(String bookingId)
      throws QuickCarRentalException {

      try {
         String username = myContext.getCallerPrincipal().getName();
         IUser user =
            UMFactory.getUserFactory().getUserByUniqueName(username);

         String vehicleTypeId;

         try {
            QuickBookingLocal booking =
                  bookingHome.findByPrimaryKey(bookingId);
            vehicleTypeId = booking.getVehicleTypeId();

            try {
               // Check the "cancel" permission for this car type before changing state
               user.checkPermission(
                  new QuickReservationEjbPermission(vehicleTypeId, "cancel"));
               booking.setStatus(Constants.STATUS_CANCELLED);
            } catch (AccessControlException e) {
               e.printStackTrace();
               throw new QuickCarRentalException(
                  user.getLastName()
                     + " may not cancel reservations for " + vehicleTypeId
                     + " car types." );
            }

//Comment or remove the following lines of code
//       try {
//          QuickBookingLocal booking =
//                bookingHome.findByPrimaryKey(bookingId);
//          booking.setStatus(Constants.STATUS_CANCELLED);

         } catch (FinderException e) {
            e.printStackTrace();
            throw new QuickCarRentalException(e.getMessage());
         }

      } catch (UMException e) {
         throw new QuickCarRentalException("Could not get user name.");
      }

      return bookingId + " cancelled.";
   }

   c. In viewActiveBookings(), add the checkPermission() statement and the exception handling. Check for all car types ("*") and the action "view".

Method viewActiveBookings()

   public QuickBookingModel[] viewActiveBookings()
      throws QuickCarRentalException {
      ArrayList bookings = new ArrayList();

      try {
         String username = myContext.getCallerPrincipal().getName();
         IUser user =
            UMFactory.getUserFactory().getUserByUniqueName(username);

         try {
            // "*" stands for all car types
            user.checkPermission(
               new QuickReservationEjbPermission("*", "view"));
         } catch (AccessControlException e) {
            e.printStackTrace();
            throw new QuickCarRentalException(
               user.getLastName()
                  + " may not view reservations." );
         }

      } catch (UMException e) {
         throw new QuickCarRentalException("Could not get user name. " + e);
      }

      try {
...

5. Save the file.
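The following stand-alone Java program is an added example, not code from the SAP tutorial or the quick car rental application. It shows the pattern the steps above apply: a permission whose target is a vehicle type (or "*" for all types) and whose action is create, cancel or view; a check that fails closed by throwing java.security.AccessControlException; the translation of that exception into an application exception; and the ordering in cancelBooking(), where the booking is resolved first, the permission checked second, and the status changed only after the check passes. ReservationPermission, DemoUser and the in-memory booking store are hypothetical stand-ins for QuickReservationEjbPermission, the UME IUser and the QuickBooking entity; the sample bookings and grants are constructed.

```java
import java.security.AccessControlException;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.HashMap;
import java.util.Map;

public class PermissionCheckDemo {

    // Hypothetical stand-in for QuickReservationEjbPermission:
    // name = vehicle type ID or "*" for all types; action = create | cancel | view.
    static final class ReservationPermission extends Permission {
        private final String action;

        ReservationPermission(String vehicleTypeId, String action) {
            super(vehicleTypeId);
            this.action = action;
        }

        // A granted permission implies a requested one only when the action matches
        // and the granted vehicle type is identical or the wildcard "*".
        @Override
        public boolean implies(Permission p) {
            if (!(p instanceof ReservationPermission)) {
                return false;
            }
            ReservationPermission other = (ReservationPermission) p;
            return action.equals(other.action)
                && ("*".equals(getName()) || getName().equals(other.getName()));
        }

        @Override
        public boolean equals(Object o) {
            return o instanceof ReservationPermission
                && getName().equals(((ReservationPermission) o).getName())
                && action.equals(((ReservationPermission) o).action);
        }

        @Override
        public int hashCode() { return getName().hashCode() * 31 + action.hashCode(); }

        @Override
        public String getActions() { return action; }
    }

    // Constructed stand-in for the UME IUser: holds the caller's granted permissions
    // and fails closed, throwing when a requested permission is not implied.
    static final class DemoUser {
        private final String lastName;
        private final PermissionCollection granted = new Permissions();

        DemoUser(String lastName) { this.lastName = lastName; }

        DemoUser grant(String vehicleTypeId, String action) {
            granted.add(new ReservationPermission(vehicleTypeId, action));
            return this;
        }

        String getLastName() { return lastName; }

        void checkPermission(Permission p) {
            if (!granted.implies(p)) {
                throw new AccessControlException("access denied: " + p);
            }
        }
    }

    // Constructed booking store: booking ID -> vehicle type, and booking ID -> status.
    private final Map<String, String> vehicleTypeOf = new HashMap<>();
    private final Map<String, String> statusOf = new HashMap<>();

    PermissionCheckDemo addBooking(String bookingId, String vehicleTypeId) {
        vehicleTypeOf.put(bookingId, vehicleTypeId);
        statusOf.put(bookingId, "ACTIVE");
        return this;
    }

    // Same ordering as the tutorial's cancelBooking(): resolve the booking so the
    // vehicle type is known, check the permission, and only then change state.
    String cancelBooking(DemoUser user, String bookingId) {
        String vehicleTypeId = vehicleTypeOf.get(bookingId);
        if (vehicleTypeId == null) {
            throw new IllegalArgumentException("no booking " + bookingId);
        }
        try {
            user.checkPermission(new ReservationPermission(vehicleTypeId, "cancel"));
        } catch (AccessControlException e) {
            // Translate the security exception into the application's own error type
            throw new IllegalStateException(user.getLastName()
                + " may not cancel reservations for " + vehicleTypeId + " car types.", e);
        }
        statusOf.put(bookingId, "CANCELLED");
        return bookingId + " cancelled.";
    }

    public static void main(String[] args) {
        // Constructed data: the agent may cancel compact cars and view all car types.
        DemoUser agent = new DemoUser("Smith").grant("compact", "cancel").grant("*", "view");
        PermissionCheckDemo demo = new PermissionCheckDemo()
            .addBooking("B1", "compact")
            .addBooking("B2", "luxury");

        System.out.println(demo.cancelBooking(agent, "B1"));
        try {
            demo.cancelBooking(agent, "B2");
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
        System.out.println("B2 status after denied cancel: " + demo.statusOf.get("B2"));
        // The "*" grant satisfies a "view" check for any specific vehicle type.
        agent.checkPermission(new ReservationPermission("luxury", "view"));
        System.out.println("view on luxury allowed through the \"*\" grant");
    }
}
```

Running it cancels B1, reports that Smith may not cancel luxury car types, shows B2 still ACTIVE, and passes the wildcard view check. The point to carry over to the bean is the order of operations: state is changed inside the innermost try, after checkPermission() returns, so a denied caller can never leave a half-cancelled booking behind.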

Result

The EJB will check the permissions for viewing, creating, and canceling reservations when a user attempts to perform these activities.

Next Step:

If you are working with the J2EE-based tutorial, see Rebuilding the Projects and Redeploying the Application.

If you are working with the Web Dynpro tutorial, then you first have to Adjust the Message Handling.