Richard Monson Haefel wrote:
>I was disappointed to see that instance level authorization is not covered
>in EJB 1.1.
>
>How, for example, does an EJB system allow "Jill Jones" to access account
>records 1, 33, 77, 199 but not any other accounts? What if the list of
>accounts accessible by Jill and other users changes daily?
Mike Porter wrote:
>As you have discovered, the EJB spec does not inherently support this type of
>functionality. However, I can think of a solution that may help you.
>
>The security API that your EJB Container uses to perform security
>authorizations is available to you. You could use the ACL API and code this
>specific security functionality yourself. Obviously if you do this you will
>need to have an attribute of the account that would indicate the security
>permissions allowed for this specific Account(s) (#'s 1, 33, 77, 199 in your
>example). You would then be able to interrogate this attribute and
>determine if the user is a member of a group that can access this type of
>Account.
I support Mike's view that use of the security API is the appropriate
solution to this, because the requirement usually turns out to be more
complex than "this range of PKs".
For example in a loan approval application it may be that Jill can approve
all loan requests but Jack can only approve pending loan requests where
(amount < 100K) OR (amount < 1M AND there is an "r" in the month).
Clearly these conditions are not in the domain of security but are business
rules. So we define an abstract resource called (say) RiskyLoan and we
record in the security system whether Jack and Jill are able to access
RiskyLoan. Our Loan EJB implements the business rules that decide if the
loan is risky and uses the security API to decide whether to proceed with
risky loans. As it's summer in England, only Jill can approve a 500K loan.
Ian McCallion
CICS Business Unit
IBM Hursley
[EMAIL PROTECTED]
Tel: ++44-1962-818065
Fax: ++44-1962-818069
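Ian's RiskyLoan pattern written out as an added example (this is not code from the thread or from any product mentioned in it): an EJB 1.1 stateless session bean in which the business rule decides whether a loan is risky, and the container's security API (isCallerInRole / getCallerPrincipal) decides whether the caller may touch the abstract resource. The class, method and role names (LoanApprovalBean, isRisky, RiskyLoan, RiskyLoanApprover), the LoanRequest value object and the descriptor fragment are assumptions; the home and remote interfaces are omitted.

```java
import java.security.Principal;
import javax.ejb.CreateException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

/**
 * Added example, not from the thread. The business rule decides whether a
 * loan is "risky"; the container's security system only knows the abstract
 * resource RiskyLoan. Home/remote interfaces omitted; all names are assumed.
 */
public class LoanApprovalBean implements SessionBean {

    /** Role reference used by bean code; linked to a real role in ejb-jar.xml. */
    public static final String RISKY_LOAN = "RiskyLoan";

    private SessionContext ctx;

    /** Minimal loan request value object (constructed for the example). */
    public static final class LoanRequest {
        public final long id;
        public final long amount;   // whole pounds
        public final String month;  // e.g. "June"
        public final boolean pending;

        public LoanRequest(long id, long amount, String month, boolean pending) {
            this.id = id; this.amount = amount; this.month = month; this.pending = pending;
        }
    }

    /**
     * Business rule, deliberately free of any user or role: a loan is risky
     * unless (amount < 100K) OR (amount < 1M AND there is an "r" in the month).
     * This is the rule from the thread; Jack may approve only non-risky loans.
     */
    public static boolean isRisky(long amount, String month) {
        if (amount < 100000L) {
            return false;
        }
        boolean monthHasR = month.toLowerCase().indexOf('r') >= 0;
        return !(amount < 1000000L && monthHasR);
    }

    /**
     * Approve a pending loan. Anyone the deployer lets call this method may
     * approve non-risky loans; risky ones additionally require the RiskyLoan
     * role, which the container resolves from the caller's principal.
     */
    public void approve(LoanRequest loan) {
        if (!loan.pending) {
            throw new IllegalStateException("loan " + loan.id + " is not pending");
        }
        if (isRisky(loan.amount, loan.month) && !ctx.isCallerInRole(RISKY_LOAN)) {
            Principal caller = ctx.getCallerPrincipal();
            // A RuntimeException is a system exception: the container rolls back
            // the transaction and the client sees a RemoteException.
            throw new SecurityException(caller.getName()
                    + " may not approve risky loan " + loan.id);
        }
        // ... persist the approval ...
    }

    // SessionBean lifecycle
    public void setSessionContext(SessionContext c) { ctx = c; }
    public void ejbCreate() throws CreateException { }
    public void ejbRemove() { }
    public void ejbActivate() { }
    public void ejbPassivate() { }
}

/* ejb-jar.xml (EJB 1.1) fragment that declares "RiskyLoan" as a security
   role reference and links it to an assembler-defined role:

   <session>
     ...
     <security-role-ref>
       <description>Abstract resource: approving loans the business rule flags as risky</description>
       <role-name>RiskyLoan</role-name>
       <role-link>RiskyLoanApprover</role-link>
     </security-role-ref>
   </session>
   <assembly-descriptor>
     <security-role><role-name>RiskyLoanApprover</role-name></security-role>
   </assembly-descriptor>

   Mapping RiskyLoanApprover to Jill but not Jack is done in the container's
   vendor-specific principal-to-role mapping, so a daily-changing list of who
   may approve risky loans never touches bean code. */
```

With this split, a 500K request in June is risky (no "r" in the month), so Jack's call throws and Jill's proceeds; the same 500K request in September is not risky and either may approve it, while 2M is risky in any month. Changing Jack's limits is a change to isRisky (a business rule, redeploy the bean); changing who may approve risky loans is a change to the role mapping (security, no redeploy). Richard's original per-record case (accounts 1, 33, 77, 199) does not reduce to a role: there getCallerPrincipal() gives the identity, and the bean must consult its own per-account ACL attribute as Mike describes.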
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".