Consider the following scenario: Application - a web-based "message forums" system. Anyone can create a new topic, and topic "owners" can set permissions on the topic, such as "read/write public", "read-only public", and "read/write by explicit invitation only". Also assume that some people can be marked as "topic moderators", with the power to edit or destroy other people's messages, etc. Framework - this is a J2EE app, with a JSP/Servlet layer, and an EJB layer, and of course a RDBMS layer. Question - There are clearly some well-defined security roles within this system, like "reader", "writer", "moderator", and "owner". But these flags need to exist on a per-topic level. What is the best way to model and implement this in J2EE? Do I make roles for each of these categories and for each topic, like: reader-topic-1 writer-topic-1 moderator-topic-1 owner-topic-1 reader-topic-33 writer-topic-33 moderator-topic-33 owner-topic-33 Declarative security doesn't seem to be a very usable option in this environment; for example, I might have a stateful session bean to manage topics, with a method called "deleteMessage". But it needs to check not only whether the current user has the "moderator" role, but the appropriate "moderator" role for the given topic. Lastly of course, this all needs to be dynamic -- I can't go updating my deployment descriptor each time a new topic is added or removed, for example. Any thoughts on this kind of scenario? Or do I have to throw out J2EE security entirely when trying to code security with this kind of situation? Thank you, Bryan =========================================================================== To unsubscribe, send email to [EMAIL PROTECTED] and include in the body of the message "signoff EJB-INTEREST". For general help, send email to [EMAIL PROTECTED] and include in the body of the message "help".
