Hi,
I do not see how you cannot use: isCallerInRole() and
getCallerPrincipal() & method permisions in the EJB 1.1
spec. to accomplish your task.
You can use method permissions for Role Based Access
Control using application specific roles (like Individual,
Supervisor etc.)
Once you are within the AccountSession bean, you can
use isCallerInRole(), getCallerPrincipal() & some other
attributes (such as "AccountType") of the bean to
make a decision on whether or not to allow access to
the business logic.
Harish Prabandham
Java Enterprise Technologies,
Sun Microsystems Inc.
> -----Original Message-----
> From: A mailing list for Enterprise JavaBeans development
> [mailto:[EMAIL PROTECTED]]On Behalf Of Joel Nylund
> Sent: Monday, August 02, 1999 4:33 PM
> To: [EMAIL PROTECTED]
> Subject: ejb & appl security
>
>
> Has anyone written any books or articles on how you can do application
> level security using ejbs?
>
> I have a couple of ejb books, and they are pretty good, but both
> virtually ignore this subject (maybe its too vendor specific at this
> point). Is anyone doing application security at the ejb level. I would
> really like to, but im struggling with some basic stuff.
>
> Java security (at least by the vendor I use) provides users, groups and
> acls. Which is nice for real basic stuff, but I need some more fine
> grained control.
>
> For example, lets say I have a telephone system, and it has users and
> each user has many accounts. I have one level of security I need to
> apply to the user, lets say, individual users can update their own
> information, but not their balance. Wheras supervisors can update
> anyones balance. This is pretty easy to model, I can map my acl to my
> UserSession bean by:
>
> (accessControlEntries
> DEFAULT [individual supervisor]
> "updateInfo(Hashtable)" [individual supervisor]
> "updateBalance(int)" [supervisor]
> ); end accessControlEntries
>
> But, I need to apply some more security to my AccountSession bean based
> on account type. Lets say their are localAccounts, and
> longDistanceAccounts, and cellularAccounts. Now lets say "individual"
> users with localAccounts can get their current bill at any time. But not
> for any other account type. Supervisor users, can get the current bill
> for any account type. So I have an AccountSession bean with the
> getBill() method on it.
>
> This is where I have trouble with the security model. Any ideas of how
> this should be done with ejb security. (please dont focus on the
> business logic, its made up, but trust me there is a case for this
> requirement).
>
> If I wasnt in ejb land, I would create a securityManager type class,
> with a mayI method, that could be flexible to look up multiple
> permissions based upon the request type.
>
> thanks
> Joel
>
> ==================================================================
> =========
> To unsubscribe, send email to [EMAIL PROTECTED] and include
> in the body
> of the message "signoff EJB-INTEREST". For general help, send email to
> [EMAIL PROTECTED] and include in the body of the message "help".
>
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
