I seem to have the same problem: I'd like to use declarative security, but I
don't think this is possible if the checks we have to do depend on the
attributes of the objects we use.
Suppose we're implementing security for bank accounts. We might have customers,
administrators and so on, but how could I check that customer X has the right to
debit accounts Y and Z in a declarative way?
Any pointers to documents, frameworks, design patterns on programmatic security
to solve this?

---
Peter Verkest





Russell Gold <[EMAIL PROTECTED]> on 10/12/2001 13:37:10

Please respond to Russell Gold <[EMAIL PROTECTED]>

To:   [EMAIL PROTECTED]
cc:    (bcc: Peter Verkest/I/SECUREX)

Subject:  Re: propagating security context from web tier to application tier


At 5:47 PM +0530 12/10/01, Vijay Guda wrote:
>Hi
>
>Thanks for your advice. But with a stateful session bean, it is not possible
>for me to make this a generic framework for all J2EE-based applications.
>Also, this comes with all the overheads that a stateful session bean has.
>
>The reason that I am not using container-managed security is that I require
>to have a role-based security mechanism which is more dynamic and flexible
>than the declarative security mechanism.

Container-managed security *is* role-based and is quite flexible.  What kinds of
things do you think you cannot do with container-managed security?  You do
realize that you can ask whether a user is in a particular role at runtime,
don't you?
--
------------------------------------------------------------------------
Russell Gold                     | "... society is tradition and order
[EMAIL PROTECTED]                 | and reverence, not a series of cheap
                                 | bargains between selfish interests."
http://www.httpunit.org          |   - Poul Anderson, "Iron"

===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST".  For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
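
The per-account question raised at the top of this thread, as an added example that is not code from any poster here: the container's role answers "is this caller a customer?", and a programmatic check answers "may this customer debit this account?". `CallerContext` is a hypothetical stand-in for the `getCallerPrincipal()` and `isCallerInRole()` methods of `javax.ejb.EJBContext` so the code runs without a container; the role name `customer` and the rights map are constructed.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;

public class AccountAuthorization {

    // Hypothetical stand-in for the two javax.ejb.EJBContext methods used below.
    interface CallerContext {
        Principal getCallerPrincipal();
        boolean isCallerInRole(String roleName);
    }

    // Constructed sample data: customer name -> accounts that customer may debit.
    // In a bean this would be a lookup on the account's own attributes.
    private final Map<String, Set<String>> debitRights;

    AccountAuthorization(Map<String, Set<String>> debitRights) {
        this.debitRights = debitRights;
    }

    // Fails closed: the caller needs the role AND an explicit right on this account.
    void checkDebit(CallerContext ctx, String accountId) {
        if (!ctx.isCallerInRole("customer")) {          // role name is an assumption
            throw new SecurityException("caller is not in role customer");
        }
        String caller = ctx.getCallerPrincipal().getName();
        Set<String> allowed = debitRights.getOrDefault(caller, Set.of());
        if (!allowed.contains(accountId)) {
            throw new SecurityException(caller + " may not debit account " + accountId);
        }
    }

    // Test helper that fakes what the container would supply for one caller.
    static CallerContext caller(String name, String role) {
        return new CallerContext() {
            public Principal getCallerPrincipal() { return () -> name; }
            public boolean isCallerInRole(String r) { return r.equals(role); }
        };
    }

    public static void main(String[] args) {
        AccountAuthorization auth = new AccountAuthorization(Map.of("X", Set.of("Y", "Z")));
        auth.checkDebit(caller("X", "customer"), "Y");   // passes: role and right both present
        String[][] denied = { {"X", "customer", "Q"}, {"X", "guest", "Y"} };
        for (String[] d : denied) {
            try {
                auth.checkDebit(caller(d[0], d[1]), d[2]);
            } catch (SecurityException e) {
                System.out.println("denied: " + e.getMessage());
            }
        }
    }
}
```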
