Hi!
roman seidl wrote:
> RÖ> JAAS allows us to authenticate the caller. This information can then be
> RÖ> used to implement the security as defined in the EJB spec.
> So I could use JAAS to set a rule for a user depending on the object
> the rule is applied to?
> Or is it for authentication only?
JAAS is for authentication. Authorization is done through the EJB-JAR
XML descriptor.
> I'd really need a security system that allows granting rights on an
> instance level. If there are any ideas on how to implement it I'd really
> like to get to know them.
Portable: do this in the bean by using info from
EntityContext.getCallerPrincipal(). Of course you would want to factor
this functionality out from your normal bean logic. I.e. layer your
Entity.
Non-portable: implement it as a jBoss-interceptor. Look at
org.jboss.ejb.plugins.SecurityInterceptor and do something similar but
with instance-level authorization. This gives you complete control and
no need to change beans.
/Rickard
--
Rickard Öberg
@home: +46 13 177937
Email: [EMAIL PROTECTED]
http://www.telkel.com
http://www.jboss.org
http://www.dreambean.com
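
The portable approach from the reply above, as an added sketch that is not part of the original message or of jBoss: a security layer checks the caller principal against a per-instance grant list and then delegates to the business-logic layer. `CallerContext` stands in for the single `EntityContext.getCallerPrincipal()` call so the demo runs without a container; `InstanceAcl`, `AccountLogic`, `SecuredAccount` and the sample users are hypothetical names.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class InstanceAclDemo {
    // Stand-in (assumption) for the one EntityContext method the check needs.
    interface CallerContext { Principal getCallerPrincipal(); }

    // Hypothetical per-instance ACL: primary key -> principal names granted access.
    static final class InstanceAcl {
        private final Map<Object, Set<String>> grants = new ConcurrentHashMap<>();
        void grant(Object pk, String name) {
            grants.computeIfAbsent(pk, k -> ConcurrentHashMap.newKeySet()).add(name);
        }
        // Deny by default: an unknown instance or a missing caller identity fails closed.
        void check(Object pk, Principal caller) {
            Set<String> allowed = grants.get(pk);
            if (caller == null || allowed == null || !allowed.contains(caller.getName()))
                throw new SecurityException("caller not authorized for instance " + pk);
        }
    }

    // Business-logic layer: contains no security code.
    static class AccountLogic {
        protected final String pk;
        protected long balance;
        AccountLogic(String pk) { this.pk = pk; }
        void deposit(long amount) { balance += amount; }
    }

    // Security layer: authorizes the caller for this instance, then delegates.
    static final class SecuredAccount extends AccountLogic {
        private final CallerContext ctx;
        private final InstanceAcl acl;
        SecuredAccount(String pk, CallerContext ctx, InstanceAcl acl) {
            super(pk); this.ctx = ctx; this.acl = acl;
        }
        @Override void deposit(long amount) {
            acl.check(pk, ctx.getCallerPrincipal());
            super.deposit(amount);
        }
    }

    public static void main(String[] args) {
        InstanceAcl acl = new InstanceAcl();
        acl.grant("acct-1", "alice"); // constructed sample data
        for (String user : new String[] {"alice", "bob"}) {
            Principal p = () -> user; // constructed caller identity
            SecuredAccount a = new SecuredAccount("acct-1", () -> p, acl);
            try { a.deposit(10); System.out.println(user + ": allowed"); }
            catch (SecurityException e) { System.out.println(user + ": denied"); }
        }
    }
}
```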