I am writing a WEB application.  Using J2EE security, I can secure the
application from unauthorized users making certain API calls.  Using J2EE
security I can use WEB FORM authentication to log the user into my application;
once the user is logged on, there are additional "application" level
security constraints which must be honored.

For example, a user is not able to modify another user's account.  Where is
the best place to put this security check?

1) Web JSP side (on the JSP page)
2) EJB Stateless Session side (facade) (to which the WEB/JSP talks)
3) EJB Entity Bean side (which are the last stop)

I am thinking that the EJB Stateless Session side is the one where the "user
should not modify another user's account" check should be done, since it is at
this point that I have a complete use case.

The EJB Entity beans are basically unprotected.  So all of the
"application" security is implemented on the Stateless Session side.

Can anyone comment on implementing "application" security in J2EE?  If this
has been documented somewhere, a link will suffice.

Thanks.
-AP_
www: http://www.alexparansky.com

===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST".  For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
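As an added illustration of option 2 (not code from the poster or from any project), here is a stateless session facade that performs the ownership check using the container-established caller identity; the entity local interfaces AccountLocal/AccountLocalHome, the JNDI name, the "admin" role and the exception class are assumptions for the example.

```java
import javax.ejb.EJBException;
import javax.ejb.FinderException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;
import javax.naming.InitialContext;
import javax.naming.NamingException;

// Stateless session facade enforcing "only the owner may modify the account".
// Assumes hypothetical entity local interfaces AccountLocal (getOwner(),
// setEmail()) and AccountLocalHome (findByPrimaryKey(String)).
public class AccountFacadeBean implements SessionBean {
    private SessionContext ctx;
    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}

    // Business method exposed to the web tier. The check lives here, not in the
    // JSP, so every path into the facade is subject to it.
    public void changeEmail(String accountId, String newEmail)
            throws AccountAccessException {
        AccountLocal account = lookupAccount(accountId);
        // getCallerPrincipal() is the identity established by the container
        // (e.g. FORM login); it is not a value the web tier passes in.
        String caller = ctx.getCallerPrincipal().getName();
        boolean isOwner = caller.equals(account.getOwner());
        boolean isAdmin = ctx.isCallerInRole("admin"); // needs a security-role-ref in ejb-jar.xml
        if (!isOwner && !isAdmin) {
            throw new AccountAccessException(caller + " may not modify account " + accountId);
        }
        account.setEmail(newEmail);
    }

    private AccountLocal lookupAccount(String accountId) {
        try {
            InitialContext ic = new InitialContext();
            AccountLocalHome home = (AccountLocalHome) ic.lookup("java:comp/env/ejb/AccountLocal");
            return home.findByPrimaryKey(accountId);
        } catch (NamingException e) {
            throw new EJBException(e);
        } catch (FinderException e) {
            throw new EJBException(e);
        }
    }
}

// Checked application exception (assumed): the container passes it through to the
// web tier unwrapped, so the JSP can render an "access denied" page.
class AccountAccessException extends Exception {
    AccountAccessException(String msg) { super(msg); }
}
```

Because the entity beans stay unprotected, the facade must be the only component the web tier is allowed to call; grant the entity local interfaces no method permissions for the web tier's roles.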
