The 1.1 spec seems to address this need as a container provider enhancement.
If you look at section 15.4.3 (Principal Delegation) and section 15.6.4
(Passing principals on EJB calls) they seem to indicate that the Container
provider may provide tools that allow this propagation of different
principals across ejb method invocations.  The spec does indicate a minimal
requirement for just propagating the principal of the caller from one bean
to another so I suppose it is up to the container/server vendors to enhance
that capability.  Your scenario would require the vendor to provide some
sort of mechanism that will conditionally change the role assignment.  It
appears that if a vendor does provide this enhanced principal delegation
mechanism it is also up to the vendor whether that delegation is conditional
or static.


Jon

-----Original Message-----
From: Joel Nylund [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 06, 1999 10:23 AM
To: [EMAIL PROTECTED]
Subject: Re: ejb & appl security


Ok, I finally read the 1.1 spec (which doesn't help me too much, since I don't
know of any implementations of it yet), but maybe it can give me some idea of
how to do it now.

Anyway, my example did a bad job describing what I need. What I really need
is: the ability for the session bean to change the role of a user in relation
to an entity bean instance (the account) at runtime based upon an account
attribute.

So for example, user1 is a regular user, but for certain types of accounts, he
has the role "owner"; for others, he may have the role "custodian" (maybe I pay
my parents' phone bill, so I can do some limited operations on their account).
So for all the operations on that account they need to use the appropriate
role. Other users may have different roles for different accounts (my parents
have owner role on their account).

I think I could do this if the ejb security policy allowed me to change roles
in the server. For example, in my session bean, I could on account interaction,
look at the account type, and look at the user's current role, and assign them a
new role for that interaction.

Can this be done with either 1.0 or 1.1? Or is there a better way to accomplish
this?

thanks
Joel

===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST".  For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
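
The per-account role scenario from the thread above (owner on one account, custodian on another), as an added example that is not part of either message or of any EJB container: it resolves the caller's role per account instance in application code and denies by default. The class, enum and account names are hypothetical and the grants are constructed sample data; in a session bean the caller name would come from `EJBContext.getCallerPrincipal().getName()` (EJB 1.1).

```java
import java.util.*;

/** Added illustration: per-account role resolution done in application code. */
public class AccountRoleCheck {
    enum Role { OWNER, CUSTODIAN }
    enum Op { VIEW_BALANCE, PAY_BILL, CHANGE_PLAN, CLOSE_ACCOUNT }

    // Operations each role may perform on an account (constructed policy).
    static final Map<Role, Set<Op>> POLICY = new EnumMap<>(Role.class);
    static {
        POLICY.put(Role.OWNER, EnumSet.allOf(Op.class));
        POLICY.put(Role.CUSTODIAN, EnumSet.of(Op.VIEW_BALANCE, Op.PAY_BILL));
    }

    // accountId -> (caller name -> role on that account); constructed sample data.
    private final Map<String, Map<String, Role>> grants = new HashMap<>();

    void grant(String accountId, String caller, Role role) {
        grants.computeIfAbsent(accountId, k -> new HashMap<>()).put(caller, role);
    }

    /** Role of the caller on this one account, or empty if there is no grant. */
    Optional<Role> roleFor(String caller, String accountId) {
        Map<String, Role> perAccount = grants.getOrDefault(accountId, Collections.emptyMap());
        return Optional.ofNullable(perAccount.get(caller));
    }

    /** Deny by default: no grant on the account means no access at all. */
    void check(String caller, String accountId, Op op) {
        Role role = roleFor(caller, accountId).orElseThrow(
            () -> new SecurityException(caller + " has no role on " + accountId));
        if (!POLICY.get(role).contains(op)) {
            throw new SecurityException(caller + " as " + role + " may not " + op);
        }
    }

    public static void main(String[] args) {
        AccountRoleCheck acl = new AccountRoleCheck();
        acl.grant("acct-own", "user1", Role.OWNER);
        acl.grant("acct-parents", "user1", Role.CUSTODIAN);
        acl.grant("acct-parents", "parent1", Role.OWNER);

        acl.check("user1", "acct-own", Op.CLOSE_ACCOUNT);  // allowed: owner
        acl.check("user1", "acct-parents", Op.PAY_BILL);   // allowed: custodian
        try {
            acl.check("user1", "acct-parents", Op.CLOSE_ACCOUNT);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```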
