>> This also implies that the JAAS must be used -- or some similar container
>> specific mechanism -- OR that the EJB object has been deployed to accept
>> anonymous clients.  If none of this is true, executing methods on the
>> EJBObject or even obtaining the EJB object reference from the handle
>> should fail.
>>

> It does not matter whether the failure occurs while getting the object
> reference from the handle or when the client makes a method call. Does it?


It would be desirable to prevent the client from obtaining the reference in the
first place if it is not authorized to invoke any of the methods from a resource
consumption point of view.  To go even further, a client could be denied access
to a handle if it's not authorized to.  But that requires an entirely different
layer of access control implementation. In the case of EJBs, for instance, the
beans have their access control.  But access to EJBHome object lookup is
controlled separately by JNDI.

-Jian
