tessl/maven-jakarta-annotation--jakarta-annotation-api
Jakarta Annotations defines a collection of annotations representing common semantic concepts that enable a declarative style of programming that applies across a variety of Java technologies.
—
security-annotations.mddocs/
Security Annotations
Jakarta Security Annotations provide declarative authorization and role-based access control for methods and classes. These annotations enable fine-grained security without programmatic security checks, allowing developers to express security constraints directly in the code.
Capabilities
Role-Based Access Control
Annotations for specifying which security roles can access methods and classes.
@RolesAllowed
Specifies the list of security roles permitted to access method(s) or class. Method-level annotations override class-level annotations when they conflict.
/**
* Specifies security roles permitted to access methods.
* Method-level annotations override class-level when they conflict.
*/
@Target({TYPE, METHOD})
@Retention(RUNTIME)
public @interface RolesAllowed {
/**
* List of security role names that are permitted access.
*/
String[] value();
}Usage Examples:
import jakarta.annotation.security.RolesAllowed;
// Class-level: applies to all methods unless overridden
@RolesAllowed({"user", "admin"})
public class DocumentService {
// Inherits class-level roles: user, admin
public List<Document> getDocuments() {
return documentRepository.findAll();
}
// Method-level override: only admin can access
@RolesAllowed("admin")
public void deleteDocument(String id) {
documentRepository.delete(id);
}
// Multiple roles allowed
@RolesAllowed({"admin", "manager", "supervisor"})
public void approveDocument(String id) {
documentRepository.approve(id);
}
}@DenyAll
Specifies that no security roles are allowed to invoke the specified method(s). Effectively blocks all access to the annotated element.
/**
* Denies access to all security roles.
* No users can access the annotated method(s).
*/
@Target({TYPE, METHOD})
@Retention(RUNTIME)
public @interface DenyAll {
}Usage Examples:
import jakarta.annotation.security.DenyAll;
import jakarta.annotation.security.RolesAllowed;
@RolesAllowed("user")
public class UserService {
// Normal access for users
public User getProfile() {
return currentUser;
}
// Completely blocked - no one can access
@DenyAll
public void dangerousOperation() {
// This method is completely inaccessible
}
// Method-level DenyAll overrides class-level RolesAllowed
@DenyAll
public void maintenanceMethod() {
// Blocked during refactoring/maintenance
}
}@PermitAll
Specifies that all security roles are allowed to invoke the specified method(s). Makes methods "unchecked" - accessible to any authenticated user.
/**
* Permits access to all security roles.
* Makes methods "unchecked" - accessible to any authenticated user.
* Can override @RolesAllowed when applied at method level.
*/
@Target({TYPE, METHOD})
@Retention(RUNTIME)
public @interface PermitAll {
}Usage Examples:
import jakarta.annotation.security.PermitAll;
import jakarta.annotation.security.RolesAllowed;
@RolesAllowed("admin")
public class AdminService {
// Only admin access (inherits from class)
public void manageUsers() {
// Admin-only operation
}
// Override class restriction: anyone can access
@PermitAll
public String getServerStatus() {
return "Server is running";
}
// Public utility method
@PermitAll
public String getVersion() {
return "1.0.0";
}
}
// Class-level PermitAll
@PermitAll
public class PublicService {
// All methods are publicly accessible
public String getInfo() { return "Public info"; }
public List<String> getNews() { return news; }
}Role Declaration and Identity Management
Annotations for declaring security roles and execution identity.
@DeclareRoles
Declares security roles used by the application. Specifies the complete list of security role names that the application recognizes.
/**
* Declares security roles used by the application.
* Specifies the complete list of security role names.
*/
@Target(TYPE)
@Retention(RUNTIME)
public @interface DeclareRoles {
/**
* List of security role names used by the application.
*/
String[] value();
}Usage Examples:
import jakarta.annotation.security.DeclareRoles;
import jakarta.annotation.security.RolesAllowed;
// Declare all roles used in the application
@DeclareRoles({"admin", "manager", "employee", "guest"})
public class CorporateApplication {
@RolesAllowed({"admin", "manager"})
public void accessFinancialData() {
// Management-level access
}
@RolesAllowed("employee")
public void clockIn() {
// Employee functionality
}
}
// Multiple applications can declare different role sets
@DeclareRoles({"customer", "support", "billing"})
public class CustomerPortal {
// Customer-facing application with different roles
}@RunAs
Defines the identity under which the application executes. Allows applications to run under a specific security role that must be mapped to the container's security realm.
Important: The role must map to the user/group information in the container's security realm.
/**
* Defines execution identity for the application.
* Specifies the security role under which the application runs.
*/
@Target(TYPE)
@Retention(RUNTIME)
public @interface RunAs {
/**
* Name of the security role for execution identity.
* Must be mapped to the container's security realm.
*/
String value();
}Usage Examples:
import jakarta.annotation.security.RunAs;
import jakarta.annotation.security.RolesAllowed;
// Service runs with system privileges
@RunAs("system")
public class BackgroundJobService {
// Even though this requires admin role,
// it runs with system identity
@RolesAllowed("admin")
public void performSystemMaintenance() {
// Executes with system privileges
}
public void processScheduledTasks() {
// Runs as system user
}
}
// Data access service with database role
@RunAs("db-reader")
public class ReportingService {
public List<Report> generateReports() {
// Executes database queries with db-reader identity
return reportRepository.findAll();
}
}
// Integration service with external system identity
@RunAs("integration-user")
public class ExternalAPIService {
public void syncWithExternalSystem() {
// Calls external APIs with integration-user credentials
}
}Security Patterns and Best Practices
Hierarchical Security
import jakarta.annotation.security.*;
@DeclareRoles({"admin", "manager", "employee"})
@RolesAllowed("employee") // Base access level
public class ProjectService {
// All employees can view
public List<Project> getProjects() {
return projectRepository.findAll();
}
// Managers and admins can create
@RolesAllowed({"manager", "admin"})
public Project createProject(ProjectData data) {
return projectRepository.save(new Project(data));
}
// Only admins can delete
@RolesAllowed("admin")
public void deleteProject(String id) {
projectRepository.delete(id);
}
// Blocked during maintenance
@DenyAll
public void experimentalFeature() {
// Under development
}
}Mixed Security Approaches
@RolesAllowed("user")
public class HybridService {
// Public health check
@PermitAll
public String healthCheck() {
return "OK";
}
// User-level access (inherits from class)
public UserProfile getProfile() {
return userService.getCurrentUser();
}
// Admin-only operations
@RolesAllowed("admin")
public void resetUserPassword(String userId) {
userService.resetPassword(userId);
}
// Completely blocked
@DenyAll
public void legacyMethod() {
// Deprecated and disabled
}
}Install with Tessl CLI
npx tessl i tessl/maven-jakarta-annotation--jakarta-annotation-api