Re: data-dependant access control

Fri, 26 Mar 1999 07:57:01 -0500 

Tengah might have own way of doing it. But if you want
to stick to the spec use EJBContext.getCallerIdentity().
This method is intended to solve such kinds of problems.
You need to have field in your bean that specify group and
during all calls check current user against group.

But this method will likely be deprecated in the
next spec revision. (will be available next few days
if JavaSoft will meet the schedule). Next spec revision
may contain better way of doing such kind of things.

Constantine

Mike Weiss wrote:
>
> Hi all,
>
> we've got to find a solution for a running EJB-project.
>
> Here's a short description of the problem:
> With Tengah it is possible to restrict access to the naming service, thus
> hiding of EJBs (classes) is possible.
> Moreover, in the deployment descriptor of each EJB each method access can
> be restricted.
> Unfortunately, in the mentioned project we have data dependant
> restrictions. Some users can read and/or manipulate
> more instances than others. Assuming an EntityBean "organization" which
> defines a tree - each organization has suborganizations.
> Each organization aggregates some Kostenstellen. We want to define a user
> (or a user group) to be responsible for a subtree.
> No other users should be able to manipulate Kostenstellen of organisations
> in this subtree. Kostenstellen can be retrieved directly using a find
> method.
> With RDBMS, views can be used to solve this kind of problems. This solution
>  requires that a user is represented as a database user. This is not the
> case
> with EJB where the EJB container connects as a 'generic' database user.
> Another point is that we want to use LDAP/X.500 to define users and user
> groups.
>
> Any ideas ?
>
> Greetings,
> Mike Wei�
>
> ===========================================================================
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff EJB-INTEREST".  For general help, send email to
> [EMAIL PROTECTED] and include in the body of the message "help".

===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST".  For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".

Reply via email to