Actually, you might want to consider an even more important question:

In most application servers, the connections to a database are cached.
Since the cache is set up in advance, it uses a common username and password
which is shared by the entire server.  The database, therefore, in most
cases will not know which particular user it is working with at any one
time.

Now, not to scare you off, but if you think about it this will make sense.
Since the application server is now in direct contact with the user, the app
server is responsible for the security of the data.  The database only knows
that it is talking to the application server, and so its security should
center around what the application server can and cannot use.

With this example, the findByPrimaryKey method can be coded to not return a
valid code if the user is not allowed to see the data.



Jonathan Baker




Chris C wrote:
>
> Hi Folks,
>
> I got a security question regarding EJB as follows:
>
> ===========
> Environment
> ===========
> Let's say I have a table with two records as follows:
> 1. record "A" (owned by user "A") and
> 2. record "B" (owned by user "B")
>
> In addition,
> 1. a database view is already set up for this table, so that a user can only
> access his/her own record(s).
> 2. entity bean is created for the table.
>
> ========
> Question
> ========
> 1. if user "A" accesses record "A" via the entity bean, does it mean an instance
> of record "A" would be created in the EJB container?
> 2. is it possible for user "B" to access the instance of record "A" via
> findByPrimaryKey? if yes, how can row-level security be implemented?
>
> Thanks in advance !!
>
> P.S.
> I'm new to EJB, please be patient!
>
> Chris
>
> ===========================================================================
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff EJB-INTEREST".  For general help, send email to
> [EMAIL PROTECTED] and include in the body of the message "help".

--
Jonathan Baker

Senior Architect
eBusiness Division
Sybase, Inc.

[EMAIL PROTECTED]
+1 510 922 0460


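The point of the reply above, that a pooled connection hides the end user from the database so the ownership check has to live in the finder, as an added example that is not part of the original post or of any Sybase product. It is written in Python with sqlite3 rather than as an EJB bean so that it runs stand-alone; the table, the two rows, the shared account name "appserver" and the function names are all constructed for the illustration, and `caller` stands in for what `EJBContext.getCallerPrincipal().getName()` would give the bean.

```python
import sqlite3

# Constructed sample data (not from the original post): two rows, one per user.
SAMPLE_ROWS = [
    ("A", "user-a", "record A data"),
    ("B", "user-b", "record B data"),
]


class ConnectionPool:
    """Stand-in for an application server's connection cache.

    The pool logs in once with a single shared account, so the database
    only ever sees DB_LOGIN, never the end user behind a request. A
    per-user database view therefore has no user to filter on.
    """

    DB_LOGIN = "appserver"  # hypothetical shared database account

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE records (id TEXT PRIMARY KEY, owner TEXT NOT NULL, data TEXT)"
        )
        self.conn.executemany("INSERT INTO records VALUES (?, ?, ?)", SAMPLE_ROWS)
        self.conn.commit()

    def database_identity(self, caller):
        """What the database sees for any caller: always the pool account."""
        return self.DB_LOGIN


POOL = ConnectionPool()


class ObjectNotFound(Exception):
    """Plays the role of javax.ejb.ObjectNotFoundException."""


def find_by_primary_key_naive(pk):
    """Finder that trusts the database to filter rows.

    Because the pooled connection is shared, no per-user view can apply,
    so whoever calls this gets whatever row matches the key.
    """
    row = POOL.conn.execute(
        "SELECT id, owner, data FROM records WHERE id = ?", (pk,)
    ).fetchone()
    if row is None:
        raise ObjectNotFound(pk)
    return {"id": row[0], "owner": row[1], "data": row[2]}


def find_by_primary_key(pk, caller):
    """Finder that enforces ownership in the application tier.

    `caller` is the authenticated principal name the container supplies.
    The owner check is part of the query, and a row owned by someone else
    raises the same ObjectNotFound as a missing row, so a caller cannot
    probe which keys exist.
    """
    if not caller:
        raise ObjectNotFound(pk)  # unauthenticated callers see nothing
    row = POOL.conn.execute(
        "SELECT id, owner, data FROM records WHERE id = ? AND owner = ?",
        (pk, caller),
    ).fetchone()
    if row is None:
        raise ObjectNotFound(pk)
    return {"id": row[0], "owner": row[1], "data": row[2]}


def can_access(pk, caller):
    """True if `caller` can load `pk` through the ownership-enforcing finder."""
    try:
        find_by_primary_key(pk, caller)
        return True
    except ObjectNotFound:
        return False


if __name__ == "__main__":
    # A request made on behalf of user-a: the naive finder hands over record B,
    # the enforcing finder refuses it.
    print(find_by_primary_key_naive("B"))
    print(can_access("B", "user-a"))
```

The ownership predicate is in the SQL itself rather than applied after the fetch, so the same pattern carries over to a BMP ejbFindByPrimaryKey that runs the query on the pooled connection; the only thing the bean has to add is the caller principal from its EntityContext.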