2007-09-12

EJB3 security annotations

So with EJB3 declarative security annotations I can do things like this:

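import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;

// Multiple roles must be passed as an array literal: {"A", "B"}
@DeclareRoles({"ADMIN", "USER"})
public class Frobnicator {
    // Callable by either role
    @RolesAllowed({"ADMIN", "USER"})
    public boolean checkFrobnication() { ... }

    // Callable by ADMIN only
    @RolesAllowed("ADMIN")
    public boolean fullyFrobnicate() { ... }
}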



Which will allow me to lift the Frobnicator bean out and drop it into a JUnit test as a POJO. The POJO can then call the methods in Frobnicator without authentication. This helps with unit testing and getting higher code coverage. But... isn't the authentication part of what I've written? Isn't that something that needs testing?

So my predicament is how do I provide automated acceptance testing for all the permutations of roles in the system?
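
As an added example (not code from the original post), one way to cover part of this outside the container is to read the annotations by reflection and compare the declared method-to-role matrix against a hand-written expected one. It assumes the JSR 250 annotations jar is on the classpath; `RoleMatrixCheck`, its helper methods and the placeholder method bodies are hypothetical names constructed for the illustration.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.*;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;

public class RoleMatrixCheck {
    // Stand-in for the bean in the post; method bodies are constructed placeholders.
    @DeclareRoles({"ADMIN", "USER"})
    public static class Frobnicator {
        @RolesAllowed({"ADMIN", "USER"})
        public boolean checkFrobnication() { return true; }

        @RolesAllowed("ADMIN")
        public boolean fullyFrobnicate() { return true; }
    }

    // Roles granted on a method: method-level annotation first, then class-level.
    static Set<String> allowedRoles(Method m) {
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        if (ra == null) ra = m.getDeclaringClass().getAnnotation(RolesAllowed.class);
        if (ra == null) return new TreeSet<String>();
        return new TreeSet<String>(Arrays.asList(ra.value()));
    }

    // Builds method -> roles for every public method declared on the bean class.
    static Map<String, Set<String>> roleMatrix(Class<?> bean) {
        Set<String> declared = new TreeSet<String>(
                Arrays.asList(bean.getAnnotation(DeclareRoles.class).value()));
        Map<String, Set<String>> matrix = new TreeMap<String, Set<String>>();
        for (Method m : bean.getDeclaredMethods()) {
            if (!Modifier.isPublic(m.getModifiers()) || m.isSynthetic()) continue;
            Set<String> roles = allowedRoles(m);
            if (!declared.containsAll(roles))
                throw new AssertionError(m.getName() + " uses undeclared role: " + roles);
            matrix.put(m.getName(), roles);
        }
        return matrix;
    }

    public static void main(String[] args) {
        // Expected matrix, written by hand as the acceptance criterion.
        Map<String, Set<String>> expected = new TreeMap<String, Set<String>>();
        expected.put("checkFrobnication", new TreeSet<String>(Arrays.asList("ADMIN", "USER")));
        expected.put("fullyFrobnicate", new TreeSet<String>(Arrays.asList("ADMIN")));
        Map<String, Set<String>> actual = roleMatrix(Frobnicator.class);
        if (!expected.equals(actual)) throw new AssertionError("role matrix changed: " + actual);
        System.out.println("role matrix OK: " + actual);
    }
}
```

A public method added later without `@RolesAllowed` shows up with an empty role set and fails the comparison. This checks what the annotations declare, not that the container enforces them, so an in-container test with real logins is still needed for that part.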