Title: RE: Q: EJB security roles & User Interface

Joel,

I'm not claiming that the implementation of security should be REMOVED from the EJB level.
I think, though, that the EJB container should provide the means for introspection of security
so that clients can implement the right UI. This capability seems to be missing from EJB, or is it?

Regards,
David

    -----Original Message-----
    From:   Joel Crisp [SMTP:[EMAIL PROTECTED]]
    Sent:   Wed 27 October 1999 10:59
    To:     [EMAIL PROTECTED]
    Subject:        Re: Q: EJB security roles & User Interface

    Hi David

    One reason why security is implemented at the EJB level is so that other
    groups within the same organisation can implement custom clients. You may also
    want to have a non-gui client acting as a gateway from a foreign system in which
    case you would want to limit the capabilities of the non-gui client to call your
    business beans.

    You can also re-configure the security on the server very quickly.

    There are other reasons but I won't go into them all here.

    I agree that end users shouldn't be able to initiate operations which they
    don't have access for, but sometimes it is not always possible to determine
    this in advance.

    Joel Crisp, Senior Java Architect, SUN PS Java Center

    > David Gasul wrote:
    >
    > Hi EJBers,
    > An n-tier application has a client, middleware and possibly multiple backends. (This is obvious)
    > Assume the client is a GUI client who uses menus. (A common practice)
    > Assume there are a number of roles each one assigned certain privileges. (A common practice)
    > Now, if the client invokes a method on a bean whose method she's disallowed to invoke because of her role, the EJB container is supposed to catch this and provide to the client application the proper exception. (This is obvious)
    >
    > But building a system according to such a concept results IN A VERY BADLY DESIGNED SYSTEM!!!!
    > The proper way of doing this, is NOT TO ALLOW the client in the first place to invoke the methods she may not invoke by, for example, disabling those methods in the menus, and to use EJB container security enforcement as the second bastion.
    >
    > So, it is somehow required to export to the client the methods a user in a role may invoke so that the client can adjust the menus accordingly.
    >
    > I didn't see any means to this effect. Did anybody else?
    > Regards,
    > --
    > David Gasul                               phone:  +972-3-5388634
    >
    > Telegate Ltd.                             office:     +972-3-5384600
    >
    > 7 Haplada St., 60218 Or-Yehuda          fax:  +972-3-5335877
    > Israel                                        http://www.telegate.co.il

