Protecting Access to the EJB Methods Using UME Permissions


Although you can use UME permissions and check the relevant permissions within the frontend application, it is often better or perhaps necessary to differentiate between the various tasks in the backend. The methods processed with an application may be available to other applications, for example, as a Web service, and you may not know what type of application is actually being used to access the business logic.

Therefore, when implementing authorization protection in your application, we recommend implementing the protection as close to the business logic as possible, in this case, in the EJB methods.


To differentiate the tasks by using UME permissions, you will:


1. Create the permission class to use for the EJB permissions.

2. Obtain the user ID from the context.

3. Add the checkPermission() method and corresponding exceptions to each of the methods cancelBooking(), saveBooking(), and viewActiveBookings().
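The three steps above, as a plain-Java example added here (it is not SAP's tutorial code): it uses java.security.BasicPermission and an in-memory grant table in place of the UME permission base class and user store, and a Supplier<String> in place of the EJB context lookup. The names BookingEjbPermission, BookingBean, GRANTS, the sample users and the use of SecurityException are assumptions made for illustration.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;

public class BookingBeanDemo {
    // Step 1: one permission class for the EJB methods; the name identifies the task.
    static final class BookingEjbPermission extends BasicPermission {
        BookingEjbPermission(String task) { super(task); }
    }
    // Constructed sample grants (user ID -> task names); stands in for the user store.
    static final Map<String, Set<String>> GRANTS = Map.of(
            "clerk", Set.of("viewActiveBookings", "saveBooking"),
            "manager", Set.of("viewActiveBookings", "saveBooking", "cancelBooking"));

    static final class BookingBean {
        private final Supplier<String> callerId; // Step 2: stands in for the EJB context
        BookingBean(Supplier<String> callerId) { this.callerId = callerId; }
        // Step 3: fail closed; a user missing from the store holds no permissions.
        private void checkPermission(Permission required) {
            String user = callerId.get();
            if (!GRANTS.getOrDefault(user, Set.of()).contains(required.getName())) {
                throw new SecurityException(user + " lacks permission " + required.getName());
            }
        }
        List<String> viewActiveBookings() {
            checkPermission(new BookingEjbPermission("viewActiveBookings"));
            return List.of("B-1001", "B-1002"); // constructed sample data
        }
        String saveBooking(String id) {
            checkPermission(new BookingEjbPermission("saveBooking"));
            return "saved " + id;
        }
        String cancelBooking(String id) {
            checkPermission(new BookingEjbPermission("cancelBooking"));
            return "cancelled " + id;
        }
    }

    public static void main(String[] args) {
        BookingBean asClerk = new BookingBean(() -> "clerk");
        System.out.println(asClerk.saveBooking("B-1003"));
        try { asClerk.cancelBooking("B-1001"); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        System.out.println(new BookingBean(() -> "manager").cancelBooking("B-1001"));
    }
}
```

Because the check runs inside each business method, a caller that reaches the bean through a Web service instead of the frontend is subject to the same decision.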

Next Step:

Creating the Permission Class for the EJB Methods