Hi David
One reason why security is implemented at the EJB level is so that other
groups within the same organisation can implement custom clients. You may also
want to have a non-gui client acting as a gateway from a foreign system in which
case you would want to limit the capabilities of the non-gui client to call your
business beans.
You can also re-configure the security on the server very quickly.
There are other reasons but I won't go into them all here.
I agree that end users shouldn't be able to initiate operations which they
don't have access for, but sometimes it is not always possible to determine
this in advance.
Joel Crisp, Senior Java Architect, SUN PS Java Center
> David Gasul wrote:
>
> Hi EJBers,
> An n-tier application has a client, middleware and possibly multiple backends. (This
> is obvious)
> Assume the client is a GUI client who uses menus. (A common practice)
> Assume there are a number of roles each one assigned certain privileges. (A common
> practice)
> Now, if the client invokes a method on a bean whose method she's disallowed to
> invoke because of her role, the EJB container is supposed to catch this and provide
> to the client application the proper exception. (This is obvious)
>
> But building a system according to such a concept results IN A VERY BADLY DESIGNED
> SYSTEM!!!!
> The proper way of doing this, is NOT TO ALLOW the client in the first place to
> invoke the methods she may not invoke by, for example, disabling those methods in the
> menus, and to use EJB container security enforcement as the second bastion.
>
> So, it is somehow required to export to the client the methods a user in a role may
> invoke so that the client can adjust the menus accordingly.
>
> I didn't see any means to this effect. Did anybody else?
> Regards,
> --
> David Gasul phone: +972-3-5388634
>
> Telegate Ltd. office: +972-3-5384600
>
> 7 Haplada St., 60218 Or-Yehuda fax: +972-3-5335877
> Israel http://www.telegate.co.il
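One way to give a GUI client the information David asks for while keeping the container-enforced check Joel describes as the second bastion, written here as an added example and not code from either poster: it assumes an EJB 3 container with annotation-based security, and the bean, role names and operations are hypothetical.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Map;
import java.util.TreeMap;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical bean: roles and operations are constructed for this example.
@Stateless
@DeclareRoles({"clerk", "supervisor"})
public class OrderServiceBean {

    @Resource
    private SessionContext ctx;

    // Second bastion: the container checks these declarations on every call, so
    // a custom or non-GUI client is held to the same rules as the menus (an
    // unauthorised caller receives javax.ejb.EJBAccessException).
    @RolesAllowed({"clerk", "supervisor"})
    public void placeOrder(String orderId) {
        // business logic omitted
    }

    @RolesAllowed("supervisor")
    public void cancelOrder(String orderId) {
        // business logic omitted
    }

    // First bastion: exports, per operation, whether the caller's roles permit
    // it, read from the same @RolesAllowed declarations the container enforces,
    // so the GUI can grey out menu items without keeping a second permission
    // table. Only method-level annotations on this class are inspected.
    @PermitAll
    public Map<String, Boolean> getPermittedOperations() {
        Map<String, Boolean> permitted = new TreeMap<>();
        for (Method m : OrderServiceBean.class.getDeclaredMethods()) {
            RolesAllowed roles = m.getAnnotation(RolesAllowed.class);
            if (roles == null || !Modifier.isPublic(m.getModifiers())) {
                continue;
            }
            boolean allowed = false;
            for (String role : roles.value()) {
                allowed = allowed || ctx.isCallerInRole(role);
            }
            permitted.put(m.getName(), allowed);
        }
        return permitted;
    }
}
```

A client that ignores the exported map and calls cancelOrder anyway is still refused by the container, which is the point of keeping both layers.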
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".