Chuck,

One simple approach is to attach role names to your data rows, and use
EJBContext.isCallerInRole(myData.role).

Chuck Zheng wrote:
>
> Greetings,
>
> J2EE/EJB method-permission declarative security has simplified the authorisation service.
>  But it does not address data-related authorisation.  This part currently has
> to be done by application-specific programmatic security and it depends on programmer
> discipline and code review to enforce that these
> security checks are performed correctly.
>
> Since data-related security authorisation is such a common occurrence,  I wonder
> whether J2EE/EJB can provide some utility to make it (semi-)automatic? Maybe
> JAAS/PAM will help to some extent.  I think at least a standard API can provide
> methods to register a custom authorizer object with the J2EE/EJB
> framework (declaratively?) and specify the interface for AuthorisationData.
> If an application can provide an AuthorisationData object at runtime (declaratively
> or programmatically), the framework will run those registered
> Authorisers against the AuthorisationData object.  Most of the time the Authoriser
> only needs to say true/false or throw a SecurityException. Therefore I think
> this approach is very achievable - after all it is just like those templates
> in STL/RogueWave for those who use C++.
>
> Any comments?
>
> cheers
> chuck
>
> ===========================================================================
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff EJB-INTEREST".  For general help, send email to
> [EMAIL PROTECTED] and include in the body of the message "help".

--
________________________________________________________________________________

Evan Ireland              Sybase EA Server Engineering       [EMAIL PROTECTED]
                            Wellington - New Zealand              +64 4 934-5856
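Evan's suggestion as an added example, not code from either post: an EJB 2.x stateless session bean whose data rows carry the name of the role allowed to read them, checked with EJBContext.isCallerInRole() before the row leaves the bean. The Report class, the in-memory ROWS table and the role names are assumed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class ReportBean implements SessionBean {
    private SessionContext ctx;   // SessionContext extends EJBContext

    /** One data row; 'role' names the role allowed to see it (assumed layout). */
    public static class Report implements java.io.Serializable {
        public final String id, role, body;
        public Report(String id, String role, String body) {
            this.id = id; this.role = role; this.body = body;
        }
    }

    // Constructed sample data standing in for a database table.
    private static final Map<String, Report> ROWS = new HashMap<String, Report>();
    static {
        ROWS.put("r1", new Report("r1", "auditor", "quarterly audit findings"));
        ROWS.put("r2", new Report("r2", "hr",      "salary review"));
        ROWS.put("r3", new Report("r3", null,      "row with no role: must be denied"));
    }

    /** Business method: load the row, then authorise against the row's own role. */
    public Report getReport(String id) {
        Report r = ROWS.get(id);
        if (r == null) {
            throw new EJBException("no report " + id);
        }
        authorise(r);               // fail closed: throw before any data leaves the bean
        return r;
    }

    /** A row with no role, or whose role the caller lacks, is denied. Every role
     *  name that can appear in the data must also be declared in a
     *  <security-role-ref> in ejb-jar.xml, since the EJB spec requires declaring
     *  all role names passed to isCallerInRole(). */
    private void authorise(Report r) {
        if (r.role == null || !ctx.isCallerInRole(r.role)) {
            throw new SecurityException("caller " + ctx.getCallerPrincipal().getName()
                    + " may not read report " + r.id);
        }
    }

    // SessionBean lifecycle callbacks required by the interface
    public void setSessionContext(SessionContext c) { ctx = c; }
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
}
```

Because the role string comes from data rather than from code, the set of role names a row may carry has to be a closed list that the deployment descriptor also knows about; an undeclared role name is a portability and audit gap, not just a typo.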

