Bryan Field-Elliot wrote:
>
> Consider the following scenario:
>
> Application - a web-based "message forums" system. Anyone can create a
> new topic, and topic "owners" can set permissions on the topic, such as
> "read/write public", "read-only public", and "read/write by explicit
> invitation only". Also assume that some people can be marked as "topic
> moderators", with the power to edit or destroy other people's messages,
> etc.
>
> Framework - this is a J2EE app, with a JSP/Servlet layer, and an EJB
> layer, and of course an RDBMS layer.
>
> Question -
>
> There are clearly some well-defined security roles within this system,
> like "reader", "writer", "moderator", and "owner". But these flags need
> to exist on a per-topic level. What is the best way to model and
> implement this in J2EE?

<snip>

> Any thoughts on this kind of scenario? Or do I have to throw out J2EE
> security entirely when trying to code security with this kind of situation?

I'm afraid so. Application server security facilities are designed primarily to
control access to methods based on roles determined during application design.
The isCallerInRole() facility is conceived as an extension to this wherein a
method, e.g. to process a loan, can decide dynamically whether to permit the
operation:

    // small loans are approved automatically; larger ones only when the
    // caller holds the (design-time) "supervisor" role
    if ((loanAmount < 1000) || isCallerInRole("supervisor")) {
      // approve the loan
    }

Your roles are not determined during design, so the J2EE facilities can't be
used.

Ian McCallion


========================================
Ian McCallion
Alexis Systems Limited
Romsey, UK
========================================
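As an added illustration of the point made above (example code, not from the original thread or any project): when the role depends on which topic is being touched, the assignment has to live in application data and be resolved on every call inside the EJB layer, with an explicit deny-by-default. Class and enum names (TopicAuthz, Visibility, TopicRole, Action) are assumptions, and an in-memory map stands in for the RDBMS.

```java
import java.util.*;

// Added example: per-topic authorization that static J2EE roles cannot express.
// Role assignments are data (map stands in for the RDBMS), looked up per call;
// the guard belongs in the business layer so a JSP mistake cannot bypass it.
public class TopicAuthz {
    enum Visibility { PUBLIC_RW, PUBLIC_RO, INVITE_ONLY }
    enum TopicRole { READER, WRITER, MODERATOR, OWNER }
    enum Action { READ, POST, EDIT_OTHERS, DELETE_OTHERS, SET_PERMISSIONS }
    private final Visibility visibility;
    private final Map<String, TopicRole> members = new HashMap<>();
    TopicAuthz(String ownerId, Visibility visibility) {
        this.visibility = visibility;
        members.put(ownerId, TopicRole.OWNER);
    }
    // Only the owner may change who holds which role on this topic.
    void grant(String callerId, String userId, TopicRole role) {
        require(callerId, Action.SET_PERMISSIONS);
        members.put(userId, role);
    }
    // Effective role: explicit membership wins, otherwise topic visibility
    // decides what an uninvited user gets. INVITE_ONLY yields no role at all.
    private Optional<TopicRole> roleOf(String userId) {
        TopicRole explicit = members.get(userId);
        if (explicit != null) return Optional.of(explicit);
        switch (visibility) {
            case PUBLIC_RW: return Optional.of(TopicRole.WRITER);
            case PUBLIC_RO: return Optional.of(TopicRole.READER);
            default:        return Optional.empty();
        }
    }
    boolean isAllowed(String userId, Action action) {
        Optional<TopicRole> r = roleOf(userId);
        if (!r.isPresent()) return false;              // deny by default
        switch (action) {
            case READ:            return true;
            case POST:            return r.get() != TopicRole.READER;
            case EDIT_OTHERS:
            case DELETE_OTHERS:   return r.get() == TopicRole.MODERATOR
                                      || r.get() == TopicRole.OWNER;
            case SET_PERMISSIONS: return r.get() == TopicRole.OWNER;
            default:              return false;
        }
    }
    // Call at the top of every EJB business method that touches the topic.
    void require(String userId, Action action) {
        if (!isAllowed(userId, action))
            throw new SecurityException(userId + " may not " + action + " this topic");
    }
}
```

A bean method such as deleteMessage(topicId, messageId) would load the topic's TopicAuthz and call require(callerPrincipal, Action.DELETE_OTHERS) before doing anything else.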

===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST".  For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
