> I noticed a fairly obscure EJB programming restriction today that I
> didn't know existed since the appserver I use doesn't enforce it:
>
> "An Enterprise bean must not define a class in a package, as this is a
> function reserved for the container for security reasons."
>
> This exists both in EJB1.1 and EJB2.0 spec. I'm not sure about EJB 1.0.
>
> 1) Why is this a security risk?

First of all, just what the heck does it mean?? Does it mean that a bean
may not be put in a package(??), or does it mean (literally) that it may
not *define* a class in a package through a ClassLoader.. or what does
it really mean? What action, precisely, is not allowed?

> 2) Does any appserver out there actually enforce it?

Well, in jBoss we only allow beans to do what the EJB spec says, so I
guess we enforce it (whatever it is).

(And yes, of course it is possible to turn off security checking if you
want to).

> 3) Why hasn't anybody ever complained about this on this list?

I don't think anyone has thought about just what the heck it means.

> 4) If enforced, how do you manage a large scale EJB project?

When you say this it more or less implies that your understanding of the
rule is the former of my definitions, i.e. the *bean may not be in a
package*. Which is.. well.. weird..

Anyone that *knows* what this means? Mark? Linda? Anyone?

/Rickard

--
Rickard Öberg

Email: [EMAIL PROTECTED]
http://www.telkel.com
http://www.jboss.org
http://www.dreambean.com
