Actually, we expect that many EJB servers will allow the
user principal to be propagated to the database, either
directly (if both can run within the same principal domain) or
via some principal mapping.
Then you can do data-dependent security checks in your database.
Note that with Entity beans with container-managed persistence,
you can do data-dependent security checks in the data access
code generated by the container tools. The tools would have to
support this option.
Vlada
-----Original Message-----
From: Mike Weiss <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Friday, March 26, 1999 4:03 AM
Subject: data-dependant access control
Hi all,
we've got to find a solution for a running EJB-project.
Here's a short description of the problem:
With Tengah it is possible to restrict access to the naming service, thus
hiding of EJBs (classes) is possible.
Moreover, in the deployment descriptor of each EJB each method access can
be restricted.
Unfortunately, in the mentioned project we have data-dependent
restrictions. Some users can read and/or manipulate
more instances than others. Assuming an EntityBean "organization" which
defines a tree - each organization has suborganizations.
Each organization aggregates some Kostenstellen. We want to define a user
(or a user group) to be responsible for a subtree.
No other users should be able to manipulate Kostenstellen of organisations
in this subtree. Kostenstellen can be retrieved directly using a find
method.
With RDBMS, views can be used to solve this kind of problem. This solution
requires that a user is represented as a database user. This is not the case
with EJB where the EJB container connects as a 'generic' database user.
Another point is that we want to use LDAP/X.500 to define users and user
groups.
Any ideas?
Greetings,
Mike Weiß
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
===========================================================================
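
An added example, not part of either message above: one way the data-dependent check discussed in this thread can live in the data access code when the container connects as a generic database user, with the caller principal passed in as a query parameter. The schema, the table and function names, the sample principals and the use of SQLite as the database are all assumptions made for illustration.

```python
import sqlite3

# Constructed sample data: org 1 is the root, 2 and 3 are its children, 4 is under 2.
SCHEMA = """
CREATE TABLE organization (id INTEGER PRIMARY KEY, parent_id INTEGER REFERENCES organization(id));
CREATE TABLE cost_center (id INTEGER PRIMARY KEY, org_id INTEGER NOT NULL, name TEXT);
CREATE TABLE responsibility (principal TEXT NOT NULL, org_id INTEGER NOT NULL);
INSERT INTO organization VALUES (1, NULL), (2, 1), (3, 1), (4, 2);
INSERT INTO cost_center VALUES (10, 2, 'cc-a'), (11, 4, 'cc-b'), (12, 3, 'cc-c');
INSERT INTO responsibility VALUES ('alice', 2), ('bob', 1);
"""

# Ids of every organization in a subtree whose root is assigned to the caller.
SUBTREE_IDS = """
WITH RECURSIVE subtree(id) AS (
    SELECT org_id FROM responsibility WHERE principal = :principal
    UNION
    SELECT o.id FROM organization o JOIN subtree s ON o.parent_id = s.id
)
SELECT id FROM subtree
"""

def open_db():
    # One shared connection stands in for the container's generic database user.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def find_cost_centers(conn, principal):
    """Finder that returns only cost centers inside the caller's subtree(s)."""
    sql = f"SELECT id FROM cost_center WHERE org_id IN ({SUBTREE_IDS}) ORDER BY id"
    return [row[0] for row in conn.execute(sql, {"principal": principal})]

def rename_cost_center(conn, principal, cc_id, name):
    """Update guarded by the same predicate; False means no row was authorized."""
    sql = (f"UPDATE cost_center SET name = :name "
           f"WHERE id = :cc AND org_id IN ({SUBTREE_IDS})")
    cur = conn.execute(sql, {"principal": principal, "name": name, "cc": cc_id})
    conn.commit()
    return cur.rowcount == 1
```

Because the finder and the update share one predicate, a cost center that a principal cannot retrieve is also one it cannot modify.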