EJB 1.1 provides the isCallerInRole method for use in an EJB that needs
to implement access control based on a combination of role and data
criteria.


Joel Nylund wrote:
>
> Has anyone written any books or articles on how you can do application
> level security using ejbs?
>
> I have a couple of ejb books, and they are pretty good, but both
> virtually ignore this subject (maybe it's too vendor-specific at this
> point). Is anyone doing application security at the ejb level? I would
> really like to, but I'm struggling with some basic stuff.
>
> Java security (at least by the vendor I use) provides users, groups and
> acls. Which is nice for real basic stuff, but I need some more fine
> grained control.
>
> For example, let's say I have a telephone system, and it has users and
> each user has many accounts. I have one level of security I need to
> apply to the user, let's say, individual users can update their own
> information, but not their balance. Whereas supervisors can update
> anyone's balance. This is pretty easy to model, I can map my acl to my
> UserSession bean by:
>
>  (accessControlEntries
>     DEFAULT                       [individual supervisor]
>     "updateInfo(Hashtable)"    [individual supervisor]
>     "updateBalance(int)"          [supervisor]
>  ); end accessControlEntries
>
> But, I need to apply some more security to my AccountSession bean based
> on account type. Let's say there are localAccounts, and
> longDistanceAccounts, and cellularAccounts. Now let's say "individual"
> users with localAccounts can get their current bill at any time. But not
> for any other account type. Supervisor users can get the current bill
> for any account type. So I have an AccountSession bean with the
> getBill() method on it.
>
> This is where I have trouble with the security model. Any ideas of how
> this should be done with ejb security? (please don't focus on the
> business logic, it's made up, but trust me there is a case for this
> requirement).
>
> If I wasn't in ejb land, I would create a securityManager type class,
> with a mayI method, that could be flexible to look up multiple
> permissions based upon the request type.
>
> thanks
> Joel
>
> ===========================================================================
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff EJB-INTEREST".  For general help, send email to
> [EMAIL PROTECTED] and include in the body of the message "help".

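The role-plus-data check the reply describes, as an added example that is not code from the thread: a hypothetical AccountSession bean whose getBill() lets a supervisor read any bill but lets an individual read only the bill of a local account they own. The role names, account type values and the Account class are assumptions for the example.

```java
import javax.ejb.CreateException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

// Hypothetical bean for the question's scenario (not code from the thread).
// "individual" and "supervisor" are assumed security-role-ref names declared in
// ejb-jar.xml; the deployer maps them onto the container's own groups.
public class AccountSessionBean implements SessionBean {

    // Minimal account record; a real bean would load it from an entity bean or database.
    public static class Account implements java.io.Serializable {
        public String owner;  // principal name of the account holder
        public String type;   // "local", "longDistance" or "cellular" (assumed values)
        public String bill;   // current bill text
        public Account(String owner, String type, String bill) {
            this.owner = owner; this.type = type; this.bill = bill;
        }
    }

    // Checked application exception: the container passes it to the client as-is,
    // whereas a RuntimeException would discard the bean instance and roll back.
    public static class BillAccessException extends Exception {
        public BillAccessException(String msg) { super(msg); }
    }

    private SessionContext ctx;

    public String getBill(Account acct) throws BillAccessException {
        // Role-only rule: supervisors may read the bill of any account type.
        if (ctx.isCallerInRole("supervisor")) {
            return acct.bill;
        }
        // Role + data rule: individuals may read only their own local account's bill.
        String caller = ctx.getCallerPrincipal().getName();
        if (ctx.isCallerInRole("individual")
                && caller.equals(acct.owner)
                && "local".equals(acct.type)) {
            return acct.bill;
        }
        throw new BillAccessException(caller + " may not view the bill of a "
                + acct.type + " account");
    }

    // EJB 1.1 session bean lifecycle methods
    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() throws CreateException {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
}
```

The deployment descriptor still restricts who may call getBill() at all via method-permission; the code above adds the data-dependent part that the descriptor cannot express.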
