Check Zheng asks:
> I have always wonder why EJB's Application Security Interface has only
>
> public interface EJBContext
> {
> ...
> public getCallerIdentity/Pricipal();
> public isCallerInRole(Identity/Pricipal role);
> ...
> }
>
> Is this sufficient for Security-aware applications? What about if an
> application
> wants to know what are those valid Roles for current caller, e.g. has a
> method:
>
> public getRolesForCaller()
>
> Can any one to comment on this?
The EJB specification writers may have a different answer, but my comment
is that answering that question is a breach of security. In a secure world
you can't ask general questions about a user - you can only ask specific
ones, such as "can this person do X", or "is Y in the Z group". You're
asking the equivalent of "what are the many secret things this user is
capable of doing?"
There's also the matter that your program would have no way of
understanding all possible roles that the security administrator(s) might
have defined for your environment, so the call you're suggesting might
return a bunch of role definitions that mean nothing to you.
Marc San Soucie
GemStone Systems, Inc.
Beaverton, Oregon
[EMAIL PROTECTED]
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
