The long and the short of it is:

There will be an infinite number of "application users" (maybe a few fewer).
They will have 1-n roles. Let's say 3.
There are a finite number of proxy "EJB access users".
As mentioned earlier, derived from the "application user" roles.
The method level security for EJB access will be based on the proxy user's
roles. So... 3 "application user" roles ... 9 proxy "EJB access users".

"Why not simpler" IS the question. Like configuring a single
java.naming.security.principal and
java.naming.security.credentials in a single jndi.properties file for a
single application. And, managing web application security via web.xml
<security-constraint>. DUH! CASE CLOSED.

It's not just complicated... it's NOT container managed security... it's NOT
configurable ............ what if a user has NO roles?

gary...

> From: Christopher Schultz <[EMAIL PROTECTED]>
> Reply-To: "Tomcat Users List" <[EMAIL PROTECTED]>
> Date: Fri, 14 Nov 2003 11:12:33 -0500
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: application security gone mad
> 
> Gary,
>> First let me say this is not a specific tomcat question, rather, a general
>> application security issue that I'd like to get some feedback on.
> 
>> As I type it in, it's making me even MORE nuts! Am I?
> 
> Was there a question in here, somewhere? :)
> 
> No, you're not nuts but trying to follow any logic in this system
> certainly has a propensity to drive you mad.
> 
> That seems *way* over complicated. Would you care to enlighten us as to
> why the process is so complex? Something like "well, our EJB server
> doesn't like anonymous connections, so each person gets their own..."
> would help at least me understand why you don't just do something simpler.
> 
> -chris
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 

