Hi,

What I would like to be able to do is this:
1. Not use JAAS for authorization, only authentication
2. Instead what I would like to do is write my EJB3 interceptor for 
authorization
3. This interceptor would create an MyEJBMethodPermission, and would call the 
Security Manager with it.
4. What would the MyEJBMethodPermission do in its implies()? it would extract 
from the method parameter some information, from there and additional user 
information would infer what is the relevant user's role, and compare this role 
with the role that is needed for the method to execute. 

My questions are these:
1. Can I extend EJBMethodPermission, and still use JAAS for authorization 
somehow?
2. If not, can I disable JAAS authorization and do as I described above?
3. Any other recommended way of getting this effect?

Thanks.

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4024908#4024908

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4024908
_______________________________________________
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user

Reply via email to