Unfortunately, I think there are two ways to get fine grained security out
of EJB...
The first is to use some facility specific to the app server. If you look
at some of the security docs, JBoss has some handy interfaces for making
security as fine grained as you want, and it keeps your EJB code clean. But
of course, this is one more thing that you'd have to fix if you needed to
port your app to the next app server, so I generally avoid that route.
The next is to hack up your own in-EJB security checks with
"isCallerInRole", as you mentioned. And of course, you have to put role
refs in your deployment descriptor for each EJB that is going to use
isCallerInRole. This is a mess, but at least it's portable.
Your solution might work if you have a very small, well defined set of
"Document" types.
Mike
----- Original Message -----
From: "Joel Boehland" <[EMAIL PROTECTED]>
To: "JBOSS_USER" <[EMAIL PROTECTED]>
Sent: Tuesday, October 09, 2001 5:12 PM
Subject: [JBoss-user] Fine grained security & JBOSS
> Hi,
> I'm hoping to get some feedback from the JBoss crew on
> how folks are implementing fine-grained security
> access on their application objects. I understand how
> to use JAAS and EJB security to provide coarse grained
> security (For instance, making the call the the
> removeUser() method in a SessionBean be mapped to the
> "admin" role), but I'm wondering how folks are
> implementing security on a per-object basis, or state
> dependent basis. For instance, Let's say you have a
> Document EJB with a content field. You have a method
> editContent(String newContent), that you want to
> restrict to owners/editors of that particular document
> EJB. How are folks implementing security access like
> this?
>
> One way I have thought of, using JBOSS+JAAS would be
> to create a role:
> "DOCUMENT_EDITOR.<document-id>" for every document
> object. So, if a user created a new Document EJB, with
> an id of 456, I would enter a role:
> "DOCUMENT_EDITOR.456" into the roles table and map it
> to that user's Principal object. Then in the Document
> EJB editContent() method I would have:
>
> public void editContent(String newContent){
> long id = getId(); //get the id for this bean
> String requiredRole = "DOCUMENT_EDITOR."+id;
>
> if(ejbContext.isCallerInRole(requiredRole)){
> //allow the edit...
> }
> else{
> //throw some access exception here...
> }
> }
>
>
> What do folks think of this approach? Any other
> ideas/implementations? Are there any standard j2ee
> access-control api's out there that I'm not aware of?
> I'd like to get some feedback on this before I commit
> to an implementation, so if anybody has any other
> ideas, links to docs, etc, I'd appreciate it.
>
>
> Thanks!
> --Joel
>
> __________________________________________________
> Do You Yahoo!?
> Make a great connection at Yahoo! Personals.
> http://personals.yahoo.com
>
> _______________________________________________
> JBoss-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/jboss-user
>
_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
