Evan,
There are two problems with your suggestion:
1. It scatters security info all over the place. Should a business
process change occur, we end up changing lots of
data, which may be used by other applications.
2. How do you manage data used by multiple roles?
cheers
chuck
Evan Ireland wrote:
> Chuck,
>
> One simple approach is to attach role names to your data rows, and use
> EJBContext.isCallerInRole(myData.role).
>
> Chuck Zheng wrote:
> >
> > Greetings,
> >
> > J2EE/EJB method-permission declarative security has simplified the authorisation service.
> > But it does not address data-related authorisation. This part currently has
> > to be done by application-specific programmatic security and it depends on
> > programmer discipline and code review to ensure that these
> > security checks are performed correctly.
> >
> > Since data-related security authorisation is such a common occurrence, I wonder
> > whether J2EE/EJB can provide some utility to make it (semi-)automatic? Maybe
> > JAAS/PAM will help to some extent. I think at least a standard API can provide
> > methods to register custom authoriser objects with the J2EE/EJB
> > framework (declaratively?) and specify the interface for AuthorisationData.
> > If the application can provide an AuthorisationData object at runtime (declaratively
> > or programmatically), the framework will run those registered
> > Authorisers against the AuthorisationData object. Most of the time the Authoriser
> > only needs to say true/false or throw a SecurityException. Therefore I think
> > this approach is very achievable - after all it is just like those templates
> > in STL/RogueWave for those who use C++.
> >
> > Any comments?
> >
> > cheers
> > chuck
> >
> > ===========================================================================
> > To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> > of the message "signoff EJB-INTEREST". For general help, send email to
> > [EMAIL PROTECTED] and include in the body of the message "help".
>
> --
> ________________________________________________________________________________
>
> Evan Ireland Sybase EA Server Engineering [EMAIL PROTECTED]
> Wellington - New Zealand +64 4 934-5856
>
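As an added example (not code from either poster, nor from any J2EE vendor), here is one way the two ideas in this thread fit together in plain Java: a registry of Authoriser objects of the kind Chuck sketches, run against an AuthorisationData object and throwing SecurityException on denial, with one registered Authoriser implementing Evan's suggestion of keeping role names on the data row and testing them with isCallerInRole. The names RoleChecker, Authoriser, AuthorisationData, AuthorisationRegistry and DataRow, and the sample rows and caller, are assumptions for illustration; inside a bean the RoleChecker would simply be a method reference to the injected javax.ejb.EJBContext's isCallerInRole.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added example, not from the EJB-INTEREST thread. RoleChecker stands in for
// javax.ejb.EJBContext.isCallerInRole so the example runs without a container
// (java DataAuthzExample.java on Java 16+).
public class DataAuthzExample {

    /** Abstracts EJBContext.isCallerInRole(String). */
    interface RoleChecker {
        boolean isCallerInRole(String role);
    }

    /** The object the application hands to the framework at runtime. */
    interface AuthorisationData {
        Object subject();   // the data being accessed
        String action();    // e.g. "read", "update"
    }

    /** A registered Authoriser answers true/false; any false vote denies access. */
    interface Authoriser {
        boolean permit(RoleChecker caller, AuthorisationData data);
    }

    /** Assumed data row carrying the role names allowed to access it. */
    record DataRow(String id, Set<String> roles) {}

    /** Evan's approach: the row lists its role(s); the caller must hold at least one. */
    static final class RowRoleAuthoriser implements Authoriser {
        public boolean permit(RoleChecker caller, AuthorisationData data) {
            if (!(data.subject() instanceof DataRow row)) {
                return true; // this authoriser has no opinion on other data types
            }
            for (String role : row.roles()) {
                if (caller.isCallerInRole(role)) {
                    return true;
                }
            }
            return false;
        }
    }

    /** Runs every registered Authoriser; the first denial throws SecurityException. */
    static final class AuthorisationRegistry {
        private final List<Authoriser> authorisers = new ArrayList<>();

        void register(Authoriser a) {
            authorisers.add(a);
        }

        void check(RoleChecker caller, AuthorisationData data) {
            for (Authoriser a : authorisers) {
                if (!a.permit(caller, data)) {
                    throw new SecurityException(
                        "denied: " + data.action() + " on " + data.subject());
                }
            }
        }
    }

    /** Builds an AuthorisationData for one access attempt. */
    static AuthorisationData access(Object subject, String action) {
        return new AuthorisationData() {
            public Object subject() { return subject; }
            public String action() { return action; }
        };
    }

    public static void main(String[] args) {
        AuthorisationRegistry registry = new AuthorisationRegistry();
        registry.register(new RowRoleAuthoriser());

        // Constructed sample rows: one readable by two roles, one by a single role.
        DataRow payroll = new DataRow("payroll-2001", Set.of("hr", "finance"));
        DataRow audit = new DataRow("audit-17", Set.of("auditor"));

        // Constructed caller holding only the "finance" role (stands in for the container).
        RoleChecker financeUser = role -> role.equals("finance");

        registry.check(financeUser, access(payroll, "read"));   // permitted
        System.out.println("finance may read " + payroll.id());
        try {
            registry.check(financeUser, access(audit, "read")); // denied
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

In a real bean the check would be called at the top of each business method with `ctx::isCallerInRole` as the RoleChecker, which is what keeps the per-row check from depending on each programmer remembering to write it by hand.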