<vendor>
Because of these limitations, in GemStone/J we provide ACLs which can be registered with the name space or particular objects. At run-time your bean methods can check the current principal/identity/role against an ACL permission check.
</vendor>

> -----Original Message-----
> From: Chuck Zheng [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, September 30, 1999 12:21 AM
> To: [EMAIL PROTECTED]
> Subject: Q: any framework/API for geographically constraint authorisation
>
> Hello everyone,
>
> We all know and love method-permission declarative security in
> deployment descriptor. For example: In MortgageApplication's DD,
> we can say only BranchManager Role can execute approveMortgage method.
>
> But if this is a large bank, quite often bank policy forbids manager
> of Branch 1 to approve application lodged at Branch 2; a manager
> can only approve application lodged in his/her branch.
>
> I have seen this type of rules in many large enterprise systems.
> The effect is that most rules cannot be fully enforced with
> method-permission, they need to be further qualified with
> programs. This does not go down well with J2EE/EJB's recommendation.
> I end up writing proprietary framework to manage them. In doing so,
> I found EJBContext.isCallerInRole() is a bit too low level.
>
> Since this is such a common occurrence, I am sure lots of other people
> have dealt with it too. So I wonder whether any common solution has been
> found particularly successful. Any thoughts given to this area in
> future evolution of EJB/J2EE?
>
> cheers
> chuck
>
> ===========================================================================
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff EJB-INTEREST". For general help, send email to
> [EMAIL PROTECTED] and include in the body of the message "help".
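The run-time check discussed in this thread, as an added example that is not code from either poster or from GemStone/J: the role test covers what method-permission can express, and a second test ties the caller to the branch where the application was lodged. `CallerContext` is an assumed stand-in for the `getCallerPrincipal()` and `isCallerInRole()` calls on `EJBContext` so the class runs without a container; the branch directory, class names and sample data are constructed, and the record syntax assumes Java 16 or later.

```java
import java.security.Principal;
import java.util.Map;

public class BranchScopedApproval {
    // Assumption: mirrors the two EJBContext calls a bean would use, so this runs without a container.
    interface CallerContext {
        Principal getCallerPrincipal();
        boolean isCallerInRole(String role);
    }

    // Hypothetical domain object: records the branch where the application was lodged.
    record MortgageApplication(String id, String lodgedAtBranch) {}

    // Hypothetical directory: principal name -> the one branch that manager belongs to.
    private final Map<String, String> managerBranch;

    BranchScopedApproval(Map<String, String> managerBranch) {
        this.managerBranch = managerBranch;
    }

    void approveMortgage(CallerContext ctx, MortgageApplication app) {
        // Coarse check: all that a method-permission entry can express.
        if (!ctx.isCallerInRole("BranchManager")) {
            throw new SecurityException("role BranchManager required");
        }
        // Instance-level check: the caller's branch must match the application's branch.
        // An unknown caller or an application without a branch is denied (default deny).
        String callerBranch = managerBranch.get(ctx.getCallerPrincipal().getName());
        if (callerBranch == null || !callerBranch.equals(app.lodgedAtBranch())) {
            throw new SecurityException("caller may not approve " + app.id());
        }
        System.out.println(app.id() + " approved by " + ctx.getCallerPrincipal().getName());
    }

    public static void main(String[] args) {
        // Constructed sample data: alice manages branch-1 only.
        BranchScopedApproval bean = new BranchScopedApproval(Map.of("alice", "branch-1"));
        CallerContext alice = new CallerContext() {
            public Principal getCallerPrincipal() { return () -> "alice"; }
            public boolean isCallerInRole(String role) { return "BranchManager".equals(role); }
        };
        bean.approveMortgage(alice, new MortgageApplication("app-100", "branch-1"));
        try {
            bean.approveMortgage(alice, new MortgageApplication("app-200", "branch-2"));
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```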
