Chuck Zheng wrote:
> Evan,
>
> There are two problems with your suggestion:
>
> 1. It scatters security info all over the place. Should a business
> process change occur, we end up changing lots of
> data, which may be used by other applications.

Yes. EJB security is assumed to be set up, per bean, at deployment time. This makes
sense, because the non-programmatic security in EJB is there to protect the bean
itself - so you must define the security rules when you create (i.e. deploy) the
resource to be protected.

However, setting up data-related security at bean deployment time makes no sense because
deploying the bean is not the same action as creating the data.

> 2. How do you manage data used by multiple roles?

I believe the solution is for the container to provide a means to access security
information associated with a resource. This requires a different API, e.g.:

    boolean isCallerAuthorisedToAccess(String resourceName);

Methods of EJBs typically run with container level of privilege - i.e. whatever the
container is authorised to access, the method will be able to access. This is right and
proper, but there will be a few situations where the method needs to do additional
data-related security checking.

> Evan Ireland wrote:
>
> > Chuck,
> >
> > One simple approach is to attach role names to your data rows, and use
> > EJBContext.isCallerInRole(myData.role).
> >
> > Chuck Zheng wrote:
> > >
> > > Greetings,
> > >
> > > J2EE/EJB method-permission declarative security has simplified authorisation
> > > service. But it does not address data-related authorisation. This part currently
> > > has to be done by application specific programmatic security and it depends on
> > > programmer discipline and code-review to enforce that these
> > > security checks are performed correctly.
> > >
> > > Since data-related security authorisation is such a common occurrence, I wonder
> > > whether J2EE/EJB can provide some utility to make it (semi-)automatic? Maybe
> > > JAAS/PAM will help to some extent. I think at least standard API can provide
> > > methods to register custom authorizer object with the J2EE/EJB
> > > framework (declaratively?) and specify the interface for AuthorisationData.
> > > If application can provide an AuthorisationData object at runtime (declaratively
> > > or programmatically), the framework will run those registered
> > > Authoriser against the AuthorisationData object. Most of the time the Authoriser
> > > only needs to say true/false or throw a SecurityException. Therefore I think
> > > this approach is very achievable - after all it is just like those templates
> > > in STL/RogueWave for those who use C++.
Ian McCallion
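
The two approaches discussed in this thread, side by side, as an added example that is not code from any of the posters or from the EJB API. Assumptions: `CallerContext` is a stand-in for `EJBContext` so the code runs without a container, `Account` and `RESOURCE_ROLES` are hypothetical, and `isCallerAuthorisedToAccess` is the method proposed in the reply above, not an existing container call.

```java
import java.util.Map;
import java.util.Set;

public class DataAuthorisationExample {
    // Stand-in for javax.ejb.EJBContext so the example runs outside a container (assumption).
    interface CallerContext { boolean isCallerInRole(String roleName); }

    // Hypothetical data row that carries the role names allowed to read it.
    record Account(String id, Set<String> allowedRoles) {}

    // Hypothetical central table: resource name -> roles, kept apart from the data rows.
    static final Map<String, Set<String>> RESOURCE_ROLES = Map.of(
        "account:1001", Set.of("teller", "auditor"),
        "account:2002", Set.of("manager"));

    // Role names attached to the row; data used by several roles is a set, any match grants access.
    static boolean callerMayAccess(CallerContext ctx, Account row) {
        if (row.allowedRoles() == null || row.allowedRoles().isEmpty()) {
            return false; // a row with no roles is denied, not open to everyone
        }
        return row.allowedRoles().stream().anyMatch(ctx::isCallerInRole);
    }

    // The proposed API shape, backed here by the central table instead of per-row data.
    static boolean isCallerAuthorisedToAccess(CallerContext ctx, String resourceName) {
        Set<String> roles = RESOURCE_ROLES.get(resourceName);
        return roles != null && roles.stream().anyMatch(ctx::isCallerInRole); // unknown resource: deny
    }

    // Business method: the data-related check runs before the row leaves the bean.
    static Account load(CallerContext ctx, Account row) {
        if (!callerMayAccess(ctx, row)) {
            throw new SecurityException("caller not authorised for account " + row.id());
        }
        return row;
    }

    public static void main(String[] args) {
        CallerContext teller = role -> role.equals("teller");            // constructed caller
        Account shared = new Account("1001", Set.of("teller", "auditor")); // constructed rows
        Account restricted = new Account("2002", Set.of("manager"));
        System.out.println(load(teller, shared).id());
        System.out.println(isCallerAuthorisedToAccess(teller, "account:2002"));
        try { load(teller, restricted); }
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

With the central table, a change in business process means editing one mapping rather than every data row, which is the first objection raised in the thread.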