Has anyone written any books or articles on how you can do application-level
security using EJBs?

I have a couple of EJB books, and they are pretty good, but both
virtually ignore this subject (maybe it's too vendor-specific at this
point). Is anyone doing application security at the EJB level? I would
really like to, but I'm struggling with some basic stuff.

Java security (at least by the vendor I use) provides users, groups and
ACLs, which is nice for real basic stuff, but I need some more
fine-grained control.

For example, let's say I have a telephone system, and it has users and
each user has many accounts. I have one level of security I need to
apply to the user; let's say individual users can update their own
information, but not their balance, whereas supervisors can update
anyone's balance. This is pretty easy to model: I can map my ACL to my
UserSession bean by:

 (accessControlEntries
    DEFAULT                       [individual supervisor]
    "updateInfo(Hashtable)"    [individual supervisor]
    "updateBalance(int)"          [supervisor]
 ); end accessControlEntries

But I need to apply some more security to my AccountSession bean based
on account type. Let's say there are localAccounts,
longDistanceAccounts, and cellularAccounts. Now let's say "individual"
users with localAccounts can get their current bill at any time, but not
for any other account type. Supervisor users can get the current bill
for any account type. So I have an AccountSession bean with the
getBill() method on it.

This is where I have trouble with the security model. Any ideas of how
this should be done with EJB security? (Please don't focus on the
business logic; it's made up, but trust me, there is a case for this
requirement.)

If I wasn't in EJB land, I would create a securityManager-type class
with a mayI method that could be flexible enough to look up multiple
permissions based upon the request type.

thanks
Joel

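An added example, not code from the post or from any EJB vendor, showing one way to combine the two mechanisms the post contrasts: the declarative method permissions (the accessControlEntries above) keep gating whole methods such as updateBalance, while the per-account-type rule that method permissions cannot express is made inside getBill() by the "mayI" class the post describes. The example assumes the EJB 1.1-style SessionContext calls isCallerInRole(String) and getCallerPrincipal(), modelled here by a small CallerContext interface so the class compiles and runs without a container. The names Account, AccountType, BillAccessPolicy and FakeCaller are invented for the example; the role names individual and supervisor and the three account types come from the post. The ownership check (an individual may read only an account they own) is an assumption added here, since a role check alone would let any individual read any local account.

```java
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** Stand-in for the slice of javax.ejb.SessionContext the check needs.
 *  In the bean, the container-supplied SessionContext provides these as
 *  getCallerPrincipal().getName() and isCallerInRole(String). */
interface CallerContext {
    String getCallerName();
    boolean isCallerInRole(String role);
}

/** The three account types from the post. */
enum AccountType { LOCAL, LONG_DISTANCE, CELLULAR }

/** Hypothetical account record; only the fields the policy inspects. */
final class Account {
    final String owner;
    final AccountType type;
    Account(String owner, AccountType type) { this.owner = owner; this.type = type; }
}

/** The "securityManager with a mayI method": a plain class the AccountSession
 *  bean calls before doing any work. Denies by default; the role-to-type table
 *  is the only thing that grants. Declarative method permissions still apply. */
final class BillAccessPolicy {
    private static final Map<String, Set<AccountType>> GET_BILL_ALLOWED = new HashMap<>();
    static {
        GET_BILL_ALLOWED.put("supervisor", EnumSet.allOf(AccountType.class)); // any type
        GET_BILL_ALLOWED.put("individual", EnumSet.of(AccountType.LOCAL));    // local only
    }

    /** True only if some role the caller holds permits this account type, and
     *  (assumption: for non-supervisors) the caller owns the account. */
    static boolean mayI(CallerContext ctx, String operation, Account acct) {
        if (!"getBill".equals(operation)) return false;          // unknown operation: deny
        for (Map.Entry<String, Set<AccountType>> e : GET_BILL_ALLOWED.entrySet()) {
            String role = e.getKey();
            if (!ctx.isCallerInRole(role)) continue;             // caller lacks this role
            if (!e.getValue().contains(acct.type)) continue;     // role may not see this type
            if ("supervisor".equals(role) || acct.owner.equals(ctx.getCallerName())) return true;
        }
        return false;
    }
}

/** Sketch of the bean side: the check runs inside the server, never the client. */
class AccountSessionBeanSketch {
    private CallerContext ctx; // in a real bean, set from setSessionContext(SessionContext)
    AccountSessionBeanSketch(CallerContext ctx) { this.ctx = ctx; }
    String getBill(Account acct) {
        if (!BillAccessPolicy.mayI(ctx, "getBill", acct)) {
            throw new SecurityException(ctx.getCallerName() + " may not read a " + acct.type + " bill");
        }
        return "bill for " + acct.owner + "/" + acct.type; // business logic elided
    }
}

/** Constructed stand-in for the container: a fixed caller with a fixed role set. */
final class FakeCaller implements CallerContext {
    private final String name; private final Set<String> roles;
    FakeCaller(String name, Set<String> roles) { this.name = name; this.roles = roles; }
    public String getCallerName() { return name; }
    public boolean isCallerInRole(String role) { return roles.contains(role); }
}

public class BillAccessDemo {
    public static void main(String[] args) {
        Account joelLocal = new Account("joel", AccountType.LOCAL);
        Account joelCell  = new Account("joel", AccountType.CELLULAR);
        Account annLocal  = new Account("ann", AccountType.LOCAL);
        CallerContext joel = new FakeCaller("joel", Collections.singleton("individual"));
        CallerContext sue  = new FakeCaller("sue", Collections.singleton("supervisor"));

        System.out.println("individual, own local account:   " + BillAccessPolicy.mayI(joel, "getBill", joelLocal));
        System.out.println("individual, own cellular account: " + BillAccessPolicy.mayI(joel, "getBill", joelCell));
        System.out.println("individual, someone else's local: " + BillAccessPolicy.mayI(joel, "getBill", annLocal));
        System.out.println("supervisor, anyone's cellular:    " + BillAccessPolicy.mayI(sue, "getBill", joelCell));
        System.out.println("supervisor, operation not in table: " + BillAccessPolicy.mayI(sue, "updateBalance", joelLocal));
        System.out.println(new AccountSessionBeanSketch(sue).getBill(joelCell));
    }
}
```

Two points worth keeping in mind with this split: the declarative descriptor still decides who may call getBill() at all, so an unauthenticated caller is rejected before the bean code runs; and the account type and owner are read from the server-side Account record, not from arguments the client supplies, so the client cannot talk its way into a different branch of the table.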