Greetings,
J2EE/EJB method-permission declarative security has simplified the authorisation service.
But it does not address data-related authorisation. This part currently has
to be done by application-specific programmatic security, and it depends on programmer
discipline and code review to ensure that these
security checks are performed correctly.
Since data-related security authorisation is such a common occurrence, I wonder
whether J2EE/EJB can provide some utility to make it (semi-)automatic? Maybe
JAAS/PAM will help to some extent. I think at least the standard API can provide
methods to register custom Authoriser objects with the J2EE/EJB
framework (declaratively?) and specify the interface for AuthorisationData.
If the application can provide an AuthorisationData object at runtime (declaratively
or programmatically), the framework will run those registered
Authorisers against the AuthorisationData object. Most of the time the Authoriser
only needs to say true/false or throw a SecurityException. Therefore I think
this approach is very achievable - after all it is just like those templates
in STL/RogueWave for those who use C++.
Any comments?
cheers
chuck
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
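The registry-and-authoriser scheme sketched in the post above, as an added example written for this page; it is not code from the post's author and not part of any J2EE/EJB specification. The names AuthorisationData, Authoriser, AuthoriserRegistry, OwnerOnlyForWrite, RejectLockedRecords and AccessRequest are assumptions chosen to mirror the post's wording, and the record attributes ("owner", "locked") are constructed sample input. It assumes Java 17 or later and runs stand-alone with `java AuthorisationSketch.java`.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Objects;

// Hypothetical sketch of the registry proposed in the post; not a J2EE/EJB API.
// Compile and run with: java AuthorisationSketch.java   (Java 17 or later)
public class AuthorisationSketch {

    // The application-supplied view of the data being accessed (the post's "AuthorisationData").
    public interface AuthorisationData {
        String principal();                 // caller identity; a container would take it from the EJB context
        String operation();                 // e.g. "read", "update", "delete"
        Map<String, Object> attributes();   // resource attributes the checks need, e.g. "owner", "locked"
    }

    // A registered check (the post's "Authoriser"): answers true/false or throws SecurityException.
    public interface Authoriser {
        boolean authorise(AuthorisationData data);
    }

    // Stand-in for the framework-side registry the post asks for.
    public static final class AuthoriserRegistry {
        private final List<Authoriser> authorisers = new ArrayList<>();

        public void register(Authoriser a) { authorisers.add(Objects.requireNonNull(a)); }

        // Runs every registered authoriser; all must pass (any "false" or exception denies).
        // Fails closed: with nothing registered, every access is refused rather than silently allowed.
        public void check(AuthorisationData data) {
            if (authorisers.isEmpty()) throw new SecurityException("no authoriser registered");
            for (Authoriser a : authorisers) {
                if (!a.authorise(data)) {
                    throw new SecurityException("denied by " + a.getClass().getSimpleName());
                }
            }
        }
    }

    // Example authoriser: writes are only allowed to the record's owner. A missing owner denies.
    public static final class OwnerOnlyForWrite implements Authoriser {
        public boolean authorise(AuthorisationData d) {
            if ("read".equals(d.operation())) return true;
            Object owner = d.attributes().get("owner");
            return owner != null && owner.equals(d.principal());
        }
    }

    // Example authoriser showing the exception path: locked records reject every operation but "read".
    public static final class RejectLockedRecords implements Authoriser {
        public boolean authorise(AuthorisationData d) {
            if (Boolean.TRUE.equals(d.attributes().get("locked")) && !"read".equals(d.operation())) {
                throw new SecurityException("record is locked");
            }
            return true;
        }
    }

    // Simple application-side AuthorisationData, built programmatically (constructed sample input).
    public record AccessRequest(String principal, String operation, Map<String, Object> attributes)
            implements AuthorisationData {}

    // Helper so the demo can report a denial without aborting.
    static String attempt(AuthoriserRegistry registry, AuthorisationData d) {
        try {
            registry.check(d);
            return "ALLOW";
        } catch (SecurityException e) {
            return "DENY (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        AuthoriserRegistry registry = new AuthoriserRegistry();
        registry.register(new OwnerOnlyForWrite());
        registry.register(new RejectLockedRecords());

        Map<String, Object> bobsRecord = Map.of("owner", "bob", "locked", false);
        Map<String, Object> bobsLockedRecord = Map.of("owner", "bob", "locked", true);

        System.out.println("alice reads bob's record:     " + attempt(registry, new AccessRequest("alice", "read", bobsRecord)));
        System.out.println("alice updates bob's record:   " + attempt(registry, new AccessRequest("alice", "update", bobsRecord)));
        System.out.println("bob updates his record:       " + attempt(registry, new AccessRequest("bob", "update", bobsRecord)));
        System.out.println("bob updates locked record:    " + attempt(registry, new AccessRequest("bob", "update", bobsLockedRecord)));
        System.out.println("record with no owner, update: " + attempt(registry, new AccessRequest("bob", "update", Map.of())));
    }
}
```

Two design choices are worth noting for anyone building this into a container. First, the registry fails closed: an empty registry or a missing attribute (no "owner") produces a denial, so forgetting to wire up a check cannot silently grant access. Second, the combining rule is deny-overrides: every registered authoriser must return true, and a thrown SecurityException from any of them stops the chain, which keeps the true/false contract the post describes while still letting a check explain its refusal.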