> I'm still unsure how one would implement security in respect of entity > "ownership". Assume I have an entity, e.g. an Appointment in a Schedule > and want to grant read and write permissions to certain roles or users. > How would I implement this logic. One solution that comes to my mind is > à la "if (entity.canRead(getCallerPrincipal())" and manage the Users / > Principals with a custom jboss security adapter which works on top of > the application's user model. > Is there any standard / existing jboss security adapter which works on > top of a simple ejb user + role model? > > -billy.
The most natural solution in my mind is to use Java2 style permission. Permission p = new DocumentPermission(docName, "read"); AccessController.checkPermission(p); When coupled with JAAS subject based permissions this provides an elegant solution. There is an example of using this type of custom permissions for a JNDI model that checks for permissions like your are talking about. I have not had time to document this so you'll have to just try to wade through the code which is made up of these classes: org.jboss.test.security.ejb.project.ProjRepositoryBean org.jboss.test.security.proxy.ProjRepositorySecurityProxy2 org.jboss.test.security.test.NamespacePermission xxxxxxxxxxxxxxxxxxxxxxxx Scott Stark Chief Technology Officer JBoss Group, LLC xxxxxxxxxxxxxxxxxxxxxxxx ----- Original Message ----- From: "Philipp Meier" <[EMAIL PROTECTED]> To: "JBOSS_USER" <[EMAIL PROTECTED]> Sent: Wednesday, October 10, 2001 7:34 AM Subject: Re: [JBoss-user] Fine grained security & JBOSS _______________________________________________ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user