Hey
Here's a wild one :-)
> David Gasul wrote:
> I'm not claiming that the implementation of security should be
> REMOVED from the EJB level.
> I think though, that the EJB container should provide the means for
> introspection of security
> so that clients can implement the right UI. This capability seems to
> be missing from EJB, or is it?
I think this makes a lot of sense, especially from a HCI
(HumanComputerInteraction) perspective.
While I don't think this functionality should be added to the EJB spec.,
here's a possible solution:
Make an interface AccessibleEJB (or whatever, can't find a good name
right now):
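    import java.rmi.RemoteException;
    import java.util.Enumeration;

    public interface AccessibleEJB
    {
        // Principals allowed to access this bean
        public Enumeration getAllowedPrincipals()
            throws RemoteException;
    }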
Have the remote interface of your EJB that you want to protect extend
this interface.
In your bean, implement this by returning the principals that are
allowed to access the bean. This result could be based on the particular
instance, or it could be the "static" security information from the
EJB-XML file.
In case you want to access the EJB-XML, how do you do that? Well, I
haven't tested this but it could work:
Get an inputstream to the EJB-XML document in your JAR by doing
getClass().getResourceAsStream("/META-INF/ejb-jar.xml"). Parse the
XML by using some XML parser into a Document. Now you have two choices:
either traverse and find the info manually by using the DOM API, or
translate the XML document into a JavaBeans structure which represents
the XML doc. As it happens I have a set of JavaBeans that does just that
8-) Strange, eh. Contact me if you're interested in the source/classes.
After that it is simple to get the roles and return them.
As I said, a rather "out there" solution, but I think it could work on
most (all?) EJB implementations. And it would solve the problem rather
nicely.
Comments..?
/Rickard
--
Rickard Öberg
@home: +46 13 177937
Email: [EMAIL PROTECTED]
Homepage: http://www-und.ida.liu.se/~ricob684
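
Added example, not part of the original post and not the poster's JavaBeans code: one way to do the manual DOM traversal described above, collecting the role names that the method-permission entries of ejb-jar.xml grant for one bean. The class name, method names and the sample descriptor are constructed for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class EjbJarRoles {
    // Constructed sample descriptor; inside a bean the stream would come from
    // getClass().getResourceAsStream("/META-INF/ejb-jar.xml").
    static final String SAMPLE = "<ejb-jar><assembly-descriptor>"
        + "<method-permission><role-name>teller</role-name><role-name>manager</role-name>"
        + "<method><ejb-name>AccountBean</ejb-name><method-name>*</method-name></method>"
        + "</method-permission><method-permission><role-name>auditor</role-name>"
        + "<method><ejb-name>LedgerBean</ejb-name><method-name>*</method-name></method>"
        + "</method-permission></assembly-descriptor></ejb-jar>";

    /** Role names granted on any method of the named bean. */
    static Set<String> rolesFor(InputStream descriptor, String ejbName) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Older descriptors carry a DOCTYPE, so it is tolerated here, but the
        // parser must never fetch an external DTD or expand external entities.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        Document doc = f.newDocumentBuilder().parse(descriptor);
        Set<String> roles = new TreeSet<>();
        NodeList perms = doc.getElementsByTagName("method-permission");
        for (int i = 0; i < perms.getLength(); i++) {
            Element perm = (Element) perms.item(i);
            if (!namesBean(perm, ejbName)) continue;
            NodeList names = perm.getElementsByTagName("role-name");
            for (int j = 0; j < names.getLength(); j++)
                roles.add(names.item(j).getTextContent().trim());
        }
        return roles;
    }

    /** True if any method entry of this permission block refers to the bean. */
    static boolean namesBean(Element perm, String ejbName) {
        NodeList beans = perm.getElementsByTagName("ejb-name");
        for (int i = 0; i < beans.getLength(); i++)
            if (ejbName.equals(beans.item(i).getTextContent().trim())) return true;
        return false;
    }

    public static void main(String[] args) throws Exception {
        InputStream in = new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8));
        System.out.println(rolesFor(in, "AccountBean")); // roles a UI could use to decide what to show
    }
}
```

What this returns are role names from the deployment descriptor, useful only as a hint for the client UI; the container's own method-permission checks stay the enforcement point.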