Hi,

Smita Srivastava wrote:
>
> Hello,
>
> I have a few questions about the EJB 1.1 security model:
>
> If no method permissions are defined for a bean, are all roles allowed
> access to all methods for that bean? (equivalent to :
>
> <method-permission>
> <role-name> * </role-name>
> <bean-name> Mybean </bean-name>
> <method-name> * </method-name>
> </method-permission>
>

First of all, the element <role-name> does not take a wildcard.


> If the following 2 method permissions are defined on a bean:
>
> role A, wildcard (all methods)
>
> and role B, debit() (only one method),
>
> then, if a user is in role A, the user can still access the debit()
> method, right?
>


A user is allowed access to the method iff the user is in at least one
of the roles that is allowed access to the method. (sec. 15.6.9)

So, to answer your question: yes, the user will be allowed access
to the debit() method.

> If a user neither in role A nor role B accesses the debit() or credit()
> methods of the bean, this user will be denied access to the bean and all
> of the bean's methods, right?
>

Yes. The spec does forbid access to methods that do not have
explicit method permissions. (sec. 15.3.2)


Harish
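An added example (my own Python, not code from either poster) that models the three rules in the reply above: roles are unioned across all <method-permission> elements, a <method-name> of * covers every method of the bean, and a method with no permission at all is denied to everyone. The descriptor fragment is constructed; its element layout follows the EJB 1.1 DTD, where each <method> carries <ejb-name> and <method-name>.

```python
# Added example (not from either poster): a model of the EJB 1.1
# method-permission rules stated in the reply above.
import xml.etree.ElementTree as ET

# Constructed <assembly-descriptor> fragment. Element layout follows the
# EJB 1.1 DTD: each <method-permission> holds role-name(s) plus <method>
# children carrying <ejb-name> and <method-name>.
DESCRIPTOR = """
<assembly-descriptor>
  <method-permission>
    <role-name>A</role-name>
    <method><ejb-name>AccountBean</ejb-name><method-name>*</method-name></method>
  </method-permission>
  <method-permission>
    <role-name>B</role-name>
    <method><ejb-name>AccountBean</ejb-name><method-name>debit</method-name></method>
  </method-permission>
</assembly-descriptor>
"""

# A bean whose descriptor declares no method permissions at all.
EMPTY_DESCRIPTOR = "<assembly-descriptor/>"


def roles_for_method(descriptor_xml, ejb_name, method_name):
    """Union of roles granted on (ejb_name, method_name) across all
    <method-permission> elements. A <method-name> of '*' covers every
    method of that bean; a literal name covers only that method."""
    root = ET.fromstring(descriptor_xml)
    granted = set()
    for perm in root.findall("method-permission"):
        roles = {r.text.strip() for r in perm.findall("role-name")}
        for method in perm.findall("method"):
            if method.findtext("ejb-name", "").strip() != ejb_name:
                continue
            name = method.findtext("method-name", "").strip()
            if name in ("*", method_name):
                granted |= roles
    return granted


def is_allowed(descriptor_xml, ejb_name, method_name, caller_roles):
    """Access iff the caller is in at least one role granted on the method
    (sec. 15.6.9). A method with no permission has an empty granted set,
    so every caller is denied: there is no implicit '*' (sec. 15.3.2)."""
    return bool(roles_for_method(descriptor_xml, ejb_name, method_name)
                & set(caller_roles))
```

With this descriptor, a caller in role A alone reaches debit() through the wildcard grant, a caller in role B alone is refused credit(), and against EMPTY_DESCRIPTOR every caller is refused every method.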

===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST".  For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".