Hi EJBers,
An n-tier application has a client, middleware and possibly multiple backends. (This is obvious)
Assume the client is a GUI client who uses menus. (A common practice)
Assume there are a number of roles each one assigned certain privileges. (A common practice)
Now, if the client invokes a method on a bean whose method she's disallowed to invoke because of her role, the EJB container is supposed to catch this and provide to the client application the proper exception. (This is obvious)
But building a system according to such a concept results IN A VERY BADLY DESIGNED SYSTEM!!!!
The proper way of doing this is NOT TO ALLOW the client in the first place to invoke the methods she may not invoke by, for example, disabling those methods in the menus, and to use EJB container security enforcement as the second bastion.
So, it is somehow required to export to the client the methods a user in a role may invoke so that the client can adjust the menus accordingly.
I didn't see any means to this effect. Did anybody else?
Regards,
--
David Gasul phone: +972-3-5388634
Telegate Ltd. office: +972-3-5384600
7 Haplada St., 60218 Or-Yehuda fax: +972-3-5335877
Israel http://www.telegate.co.il
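
The arrangement the message asks for, as an added example that is not part of the original post: the server derives the list of invocable methods from the same role table it enforces, so the menu state is a convenience and the server-side check remains the control. It is plain Java with no EJB APIs; the role names, method names and the `PERMISSIONS` table are constructed for illustration.

```java
import java.util.*;

// Added illustration: plain Java, no EJB dependency. Role names, method names
// and the PERMISSIONS table are constructed for this example.
public class MenuPermissions {
    // Single source of truth: which roles may invoke which business method.
    static final Map<String, Set<String>> PERMISSIONS = Map.of(
        "viewAccount",   Set.of("clerk", "manager"),
        "editAccount",   Set.of("manager"),
        "deleteAccount", Set.of("admin"));

    // Server side: exported to the client so it can build its menus.
    static Set<String> allowedMethods(Set<String> callerRoles) {
        Set<String> allowed = new TreeSet<>();
        for (Map.Entry<String, Set<String>> e : PERMISSIONS.entrySet()) {
            if (!Collections.disjoint(e.getValue(), callerRoles)) allowed.add(e.getKey());
        }
        return allowed;
    }

    // Server side: enforced on every call, whatever the client's menus show.
    static void invoke(String method, Set<String> callerRoles) {
        Set<String> permitted = PERMISSIONS.get(method);
        // Unknown methods are denied as well (default deny).
        if (permitted == null || Collections.disjoint(permitted, callerRoles)) {
            throw new SecurityException("caller may not invoke " + method);
        }
        System.out.println("invoked " + method);
    }

    public static void main(String[] args) {
        Set<String> roles = Set.of("clerk");
        Set<String> allowed = allowedMethods(roles);
        // Client side: enable only the menu items the server reported.
        for (String item : new TreeSet<>(PERMISSIONS.keySet())) {
            System.out.println(item + (allowed.contains(item) ? " [enabled]" : " [disabled]"));
        }
        invoke("viewAccount", roles);
        try {
            invoke("editAccount", roles); // a client that ignores the menu state
        } catch (SecurityException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Because both `allowedMethods` and `invoke` read the same table, the menus and the enforcement cannot drift apart, and a modified client gains nothing by re-enabling a menu item.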
