Hey
Smita Srivastava wrote:
> I have a few questions about the EJB 1.1 security model:
>
> If no method permissions are defined for a bean, are all roles allowed
> access to all methods for that bean? (equivalent to :
>
> <method-permission>
> <role-name> * </role-name>
> <bean-name> Mybean </bean-name>
> <method-name> * </method-name>
> </method-permission>
>
> If the following 2 method permissions are defined on a bean:
>
> role A, wildcard (all methods)
>
> and role B, debit() (only one method),
>
> then, if a user is in role A, the user can still access the debit()
> method, right?
>
> If a user who is in neither role A nor role B accesses the debit() or
> credit() methods of the bean, this user will be denied access to the bean
> and all of the bean methods, right?
Good call. I think it would be *convenient* if the semantics of no
defined method permissions were *allow all to call everything*, but
since those semantics change to *only allow what has been defined* as
soon as you add permissions, it might not be a good idea.
It might be a better solution to have your particular implementation
have a "Security: ON/OFF" switch instead, which is set by the deployer.
That way the Bean and Assembler can work as if security is on (the
default), but the Deployer has the option of ignoring any such info due
to a) performance b) not relevant in the deployment env. c) container
doesn't support security.
/Rickard
--
Rickard Öberg
@home: +46 13 177937
Email: [EMAIL PROTECTED]
Homepage: http://www-und.ida.liu.se/~ricob684
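To make the three cases in the question concrete, here is an added example (not code from the thread or from any EJB container): a constructed EJB 1.1 assembly-descriptor carrying the two method permissions Smita describes, plus a small Python checker that applies the "only allow what has been defined" rule Rickard refers to. The bean name `Mybean`, the roles `A`/`B`, the method names and the functions `load_permissions`/`is_allowed` are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed EJB 1.1 assembly-descriptor (not from the thread): role A may call
# every method of Mybean, role B only debit(). EJB 1.1 names the bean with <ejb-name>.
EJB_JAR_XML = """<ejb-jar><assembly-descriptor>
  <security-role><role-name>A</role-name></security-role>
  <security-role><role-name>B</role-name></security-role>
  <method-permission>
    <role-name>A</role-name>
    <method><ejb-name>Mybean</ejb-name><method-name>*</method-name></method>
  </method-permission>
  <method-permission>
    <role-name>B</role-name>
    <method><ejb-name>Mybean</ejb-name><method-name>debit</method-name></method>
  </method-permission>
</assembly-descriptor></ejb-jar>"""

def load_permissions(xml_text):
    """Return the (role, ejb_name, method_name) grants declared in the descriptor."""
    grants = []
    for perm in ET.fromstring(xml_text).iter("method-permission"):
        roles = [r.text.strip() for r in perm.findall("role-name")]
        for m in perm.findall("method"):
            ejb = m.findtext("ejb-name").strip()
            meth = m.findtext("method-name").strip()
            grants.extend((role, ejb, meth) for role in roles)
    return grants

def is_allowed(grants, caller_roles, ejb_name, method_name):
    """Deny unless some grant names one of the caller's roles and matches both the
    bean and the method; '*' stands for every method of that bean (hypothetical check)."""
    return any(role in caller_roles and ejb == ejb_name and meth in ("*", method_name)
               for role, ejb, meth in grants)

if __name__ == "__main__":
    grants = load_permissions(EJB_JAR_XML)
    for roles, method in [({"A"}, "debit"), ({"B"}, "credit"), ({"C"}, "debit")]:
        verdict = "allowed" if is_allowed(grants, roles, "Mybean", method) else "denied"
        print(f"roles={sorted(roles)} calling Mybean.{method}(): {verdict}")
```

Under this rule a caller in role A reaches debit() through the wildcard, a caller only in role B is refused credit(), and a caller in neither role is refused both methods.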