Another issue that they're looking at in the spec is resource utilization:
How many bean instances will be trying to open the same file? How many
open files will you have? If you go through a resource factory to get your
files, the container can intervene and prevent crashes.

Dan Christopherson (danch)
STR Technical Architect (www.str.com)

On Thu, 18 May 2000, Xiaopong Tran wrote:
> Thanks for the reply.
>
> > Xiaopong Tran wrote:
> > > The EJB specs said that EJBs are not allowed
> > > to access the file system for security issues.
> >
> > Correct. This is an optional feature in jBoss though.
> >
> > (Note: and it is actually spec compliant to not enforce this at all..)
> >
>
> So, whether a container enforces this or not, it's still
> spec compliant?
>
> > > Can someone clarify what security issues are
> > > involved here? It sounds strange to me here
> > > that accessing the file system from an EJB
> > > would cause any security problem, as EJBs
> > > are designed to be run on the server in
> > > the back end, in a "well-controlled" environment.
> > > It's not like the applet situation where you
> > > don't know what you get.
> >
> > It has less to do with security than portability. If you do file access
> > you are potentially making your beans less portable. If you have to
> > access files through some resource manager, this ensures that your beans
> > are always portable to another server.
> >
> > See, the spec has as its primary goal "If it's an EJB, it IS portable",
> > and these restrictions are a way of enforcing this. No "well, maybe,
> > unless you've done this or that, ..or..". None of that. With EJB, they
> > *ARE* portable, period.
> >
> > Does this answer your query?
> >
>
> Well, portability is a design issue, more or less related
> to the programmer's skill. But security is something else.
>
> If I don't hard-code my system-dependent stuff (e.g. directory),
> and put it as a variable during the deployment, that's my
> problem and I should not be forbidden from accessing
> that directory. The container should not throw an exception
> on me, right?
>
> Besides, if I develop the beans for my own company's usage
> only, and I know perfectly that they will only be deployed
> on a specific platform only (e.g. Unix, no NT in my server room!),
> I can hardcode whatever I want (not to mean this is desirable),
> that is my decision made consciously.
>
> Anyways, that looks more like a burden than anything
> else.
>
> Thanks for the quick reply.
>
> Xiaopong
>
>
> --
> --------------------------------------------------------------
> To subscribe: [EMAIL PROTECTED]
> To unsubscribe: [EMAIL PROTECTED]
> Problems?: [EMAIL PROTECTED]
>