[REPOST, I should know better than to post on a weekend.  Don't you folks do
Java 24/7/365? :-)]

Hey Folks,

I'm making a J2EE content management application on top of a database.  The
app works without EJB already.  EJB is an "extra" we'd like to have.

The app allows access to content to be controlled by setting custom ACLs on
any content in the system.  The ACLs are stored in the database, but reflect
user data in an LDAP server.  In other words, the database knows "joe" has
"read" access to index.html and "sue" (who is a member of the "Publishers" LDAP
group) has "publish" access on "file.xml".  Note that I need the entire list
of groups the user is in, since any one group can allow access to a
particular piece of content at any one time, and I can't assume a hierarchy
of groups.

Currently (non-EJB), when a user logs into the app, the app looks up their
groups and the groups are checked against ACLs when the user accesses
content in the database.  This lookup is done once on login and the groups
are kept with a "MyAppContext" object.

I'm not sure of the best way to implement this in EJB (or even a good way).
If my reading of the J2EE and EJB specs is correct, I can't get the groups
of the user inside a session bean, correct?  Isn't this a big hole in the
spec?

If I have no way to get the user's groups, then I've thought of 3 ways to do
this:

A) I can still use the "MyAppContext" object as a regular Java class and
pass it to every call of my stateless session beans.
This is OK, but smells bad.  Passing the same ref over and over?
There's got to be a better way.

B) I can not use stateless session beans and use stateful session beans
instead.  The parameter gets passed once (on construction). This is bad too
since stateful beans perform less well, and it would cause additional remote
calls due to the structure of our API.

C) I can just get the Principal on each call to a stateless session bean and
look up the groups with a JNDI lookup.  The JNDI lookup could be a big
performance hit.  I could cache the groups in the JNDILookup bean, but I'm
not sure how to define when the cache is stale (for all users of our
product), or if I should at all.

Thoughts anyone?

One more question:
I'm still not clear on how a java.security.acl.Group (which
derives from Principal) relates to an EJB server.  If I authenticated
against an LDAP server and the user was in LDAP groups, might the caller's
Principal actually be a Group of many Principals?

Thanks!

Michael
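
Option C's caching question, sketched as an added example that is not part of the original post or of any EJB API: the group set is cached per principal name with a time-to-live, and that TTL is exactly how long a membership removed in LDAP can keep granting access. The class `GroupCache`, the `directory` function standing in for the JNDI/LDAP lookup, the injected clock and the sample data are all assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;
import java.util.function.LongSupplier;

// Hypothetical helper (not from the post): per-user group sets cached for a bounded time.
public class GroupCache {
    private static final class Entry {
        final Set<String> groups; final long loadedAt;
        Entry(Set<String> groups, long loadedAt) { this.groups = groups; this.loadedAt = loadedAt; }
    }

    private final Map<String, Entry> cache = new ConcurrentHashMap<>();
    private final Function<String, Set<String>> directory; // stands in for the JNDI/LDAP lookup
    private final long ttlMillis; // upper bound on how long a revoked membership stays effective
    private final LongSupplier clock;

    public GroupCache(Function<String, Set<String>> directory, long ttlMillis, LongSupplier clock) {
        this.directory = directory; this.ttlMillis = ttlMillis; this.clock = clock;
    }

    // Full, unordered group set for the caller; reloaded once the entry reaches the TTL.
    public Set<String> groupsOf(String principalName) {
        long now = clock.getAsLong();
        Entry e = cache.get(principalName);
        if (e == null || now - e.loadedAt >= ttlMillis) {
            e = new Entry(Set.copyOf(directory.apply(principalName)), now);
            cache.put(principalName, e);
        }
        return e.groups;
    }

    // Call when the application itself learns of a membership change.
    public void invalidate(String principalName) { cache.remove(principalName); }

    // grantees: user and group names holding one permission on one content item.
    public boolean isAllowed(String principalName, Set<String> grantees) {
        if (grantees.contains(principalName)) return true;
        for (String g : groupsOf(principalName)) if (grantees.contains(g)) return true;
        return false;
    }

    public static void main(String[] args) {
        long[] now = {0}; // constructed clock and directory data
        Map<String, Set<String>> ldap = new ConcurrentHashMap<>(Map.of("sue", Set.of("Publishers")));
        GroupCache c = new GroupCache(n -> ldap.getOrDefault(n, Set.of()), 60_000, () -> now[0]);
        Set<String> publishAcl = Set.of("Publishers"); // "publish" grantees on file.xml
        System.out.println("fresh lookup: " + c.isAllowed("sue", publishAcl));
        ldap.put("sue", Set.of()); now[0] = 30_000; // membership revoked, entry still inside TTL
        System.out.println("inside TTL:   " + c.isAllowed("sue", publishAcl));
        now[0] = 60_000; // entry expired, next check reloads from the directory
        System.out.println("after TTL:    " + c.isAllowed("sue", publishAcl));
    }
}
```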
