I'm concerned about my entity beans being exported to the client. I want my client to talk to my app through session beans only, but I can't find a portable way to prevent a client from doing a JNDI lookup on an entity bean, and then calling any ol' method it likes.

I know of at least one vendor that allows you to do this, but I doubt very much that it's a portable technique. I just searched the EJB 1.1 spec in the deployment descriptor section for this kind of reference, but I can't find any.

I guess one way to enforce this security would be to make all entity bean methods executable only by a special "session bean" or "system" user and enforce this through the EJB security role mechanism. Then I would need some technique for promoting a regular user to the "system user" when a session bean calls an entity bean method, but I don't know of a portable way to do this either.

Any suggestions or comments appreciated.

cheers,
david

--
David Sims [EMAIL PROTECTED]
Sims Computing, Inc. www.simscomputing.com
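The role-based restriction proposed in the message above, sketched as an `ejb-jar.xml` assembly-descriptor fragment. This is an added example, not part of the original post; the bean names `CustomerEntity` and `CustomerFacade` and the role names `system` and `user` are assumptions. It covers only the method-permission half of the idea, not the promotion of the caller's identity that the post leaves open.

```xml
<!-- Fragment of ejb-jar.xml; sits inside <ejb-jar> after <enterprise-beans>. -->
<!-- Bean and role names below are hypothetical. -->
<assembly-descriptor>

  <!-- Role that ordinary, authenticated clients are mapped to at deployment. -->
  <security-role>
    <description>Regular application user</description>
    <role-name>user</role-name>
  </security-role>

  <!-- Role reserved for internal callers; no client principal is mapped to it. -->
  <security-role>
    <description>Internal caller allowed to touch entity beans</description>
    <role-name>system</role-name>
  </security-role>

  <!-- Clients may call every method of the session bean facade. -->
  <method-permission>
    <role-name>user</role-name>
    <method>
      <ejb-name>CustomerFacade</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>

  <!-- Every method of the entity bean, home and remote, requires "system". -->
  <!-- A client that looks the bean up through JNDI can obtain a reference, -->
  <!-- but its calls are rejected because its principal is not in this role. -->
  <method-permission>
    <role-name>system</role-name>
    <method>
      <ejb-name>CustomerEntity</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>

</assembly-descriptor>
```

With only this fragment in place, the session bean's own calls to `CustomerEntity` are made under the client's identity and are denied as well, which is the gap the post describes.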
