Hey Folks,

I'm making a J2EE content management application on top of a database.  The
app works without EJB already.  EJB is an "extra" we'd like to have.

The app allows access to content to be controlled by setting custom ACLs on
any content in the system.  The ACLs are stored in the database, but reflect
user data in an LDAP server.  In other words, the database knows "joe" has
"read" access to index.html and "sue" (who is a member of the "Publishers" LDAP
group) has "publish" access on "file.xml".  Note that I need the entire list
of groups the user is in, since any one group can allow access to a
particular piece of content at any one time, and I can't assume a hierarchy
of groups.

Currently (non-EJB), when a user logs into the app, the app looks up their
groups and the groups are checked against ACLs when the user accesses
content in the database.  This lookup is done once on login and the groups
are kept with a "MyAppContext" object.

I'm not sure of the best way to implement this in EJB (or even a good way).
If my reading of the J2EE and EJB specs is correct, I can't get the groups
of the user inside a session bean, correct?  Isn't this a big hole in the
spec?

If I have no way to get the user's groups, then I've thought of 3 ways to do
this:

A) I can still use the "MyAppContext" object as a regular Java class and
pass it to every call of my stateless session beans.  This is OK, but smells
bad.  Passing the same ref over and over?  There's got to be a better way.

B) I can skip stateless session beans and use stateful session beans
instead.  The parameter gets passed once (on construction).  This is bad too
since stateful beans perform less well, and it would cause additional remote
calls due to the structure of our API.

C) I can just get the Principal on each call to a stateless session bean and
look up the groups with a JNDI lookup.  The JNDI lookup could be a big
performance hit.  I could cache the users in the JNDILookup bean, but I'm
not sure how to define when the cache is stale, or if I should at all.

Thoughts anyone?

One more question:
I'm still not clear on how a java.security.acl.Group (which derives from
Principal) relates to an EJB server.  If I authenticated against an LDAP
server and the user was in LDAP groups, might the caller's Principal
actually be a Group of many Principals?

I also still don't get what determines what role a user is in, and when; any
pointers on that would be appreciated.

Thanks!

Michael
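Option C from the post, as an added example (not Michael's code): an EJB 3 style stateless bean that takes only the caller Principal from the container, resolves the user's flat group list from LDAP through JNDI, and caches it with a fixed time limit so that "stale" has a definite meaning. The class name, base DNs, the "member" attribute, the TTL and the container-supplied LDAP environment are assumptions.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.naming.*;
import javax.naming.directory.*;

// Option C: the container only hands a stateless bean the caller Principal, so the
// bean resolves the caller's LDAP groups itself and caches them for a bounded TTL.
@Stateless
public class ContentAccessBean {
    // Assumed values: a 5 minute TTL and placeholder LDAP base DNs.
    private static final long GROUP_TTL_MS = 5 * 60 * 1000L;
    private static final String GROUP_BASE = "ou=groups,dc=example,dc=com";
    private static final String PEOPLE_BASE = "ou=people,dc=example,dc=com";
    private static final class Entry {
        final Set<String> groups; final long expiresAt;
        Entry(Set<String> g, long e) { groups = g; expiresAt = e; }
    }
    // Shared cache keyed by principal name; entries expire by time rather than by
    // session, because a stateless bean must not hold per-client state.
    private static final Map<String, Entry> CACHE = new ConcurrentHashMap<>();
    @Resource private SessionContext ctx;

    /** grantedTo: user and group names the database ACL grants this action to. */
    public boolean canAccess(Collection<String> grantedTo) throws NamingException {
        String user = ctx.getCallerPrincipal().getName(); // the only identity EJB provides
        if (grantedTo.contains(user)) return true;
        for (String g : groupsFor(user)) if (grantedTo.contains(g)) return true;
        return false; // default deny
    }

    Set<String> groupsFor(String user) throws NamingException {
        long now = System.currentTimeMillis();
        Entry e = CACHE.get(user);
        if (e != null && e.expiresAt > now) return e.groups;
        Set<String> found = new HashSet<>();
        DirContext dir = new InitialDirContext(); // assumes LDAP provider set in the JNDI env
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"cn"});
            // Flat search for every group listing the user (no hierarchy assumed);
            // the {0} argument form lets JNDI escape the value, so no LDAP filter injection.
            NamingEnumeration<SearchResult> r = dir.search(GROUP_BASE, "(member={0})",
                new Object[] {"uid=" + user + "," + PEOPLE_BASE}, sc);
            while (r.hasMore()) found.add((String) r.next().getAttributes().get("cn").get());
        } finally { dir.close(); }
        CACHE.put(user, new Entry(Collections.unmodifiableSet(found), now + GROUP_TTL_MS));
        return found;
    }
}
```

With this layout a group-membership change takes effect within one TTL; if that window is too long, the cache entry can also be dropped on logout or by an admin action.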
