Kenneth D. Litwak <[EMAIL PROTECTED]> writes:
> If security is meant to be achieved solely by the container, and mehtods like
>getCallerPrincipl() are not designed forsecurity enforcement, what good are
>they?
They give you different levels of control - I wouldn't say security was
"solely" achieved by the container, it depends on the requirements of
your application how you combine the two.
>Does the container read the secuirty info and by itself decide who gets
>to call amethod?
Yes. The container uses the contents of the <method-permission> entries
in the ejb-jar.xml file to find what roles are permitted to make the
call to a particular bean method, then it checks that the caller is a
member of one of these allowed roles.
The getCallerPrincipal() allows you to enforce more fine-grained
control. As an example, for a typical BankAccount bean, you may have
method-permission entries requiring (say) roles BANK_CUSTOMER or
BANK_MANAGER, and inside your bean's method you may also check using
getCallerPrincipal that if the caller is a BANK_CUSTOMER, that they are
also the owner of this account (so that you could not access my bank
account just because we were customers of the same bank!)
[It can get slightly more complex when a caller may be associated with a
number of different principals, but you get the basic idea.]
>What is the normal way to establish a list of principals and
>roles?
The use of method-permission entries to specify the roles required is
defined in the EJB spec, and hence is the same for each container.
How you actually specify mapping of principals to roles is server
specific.
HTH.
- Jorgen
----------------------------------------------------------------------
| Orbware Ltd http://www.orbware.com/ |
| --- Enterprise technology for the "real world" --- |
| Try the OrCAS EJB server -- Completely free for development use. |
----------------------------------------------------------------------
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
