Hi jBoss,
Rickard Oberg wrote:
>> KLM> From my brief reading of JAAS, it doesn't sound flexible in this
>> KLM> regard.
>> KLM> That is, the protected asset for me is data, not code, whereas JAAS
>> KLM> protects code. Am I understanding this correctly?
>> Actually in this case the EJB security model plays a role rather than JAAS.
>> I guess, in general, JAAS Credentials may contain any security-related
>> info; for example, they might hold information about data access
>> rights for the given Subject. But this idea cannot be used with an EJB
>> server, because unfortunately the Subject is not accessible from beans.
RO> It isn't? What about Subject.getSubject() then?
Subject.getSubject() would work if the container executed bean methods
through Subject.doAs().
And, of course, Dan is right as to code portability and the difference
between JAAS and EJB authorization approaches.
I can just dream about their convergence and a getCallerSubject() method
for beans in addition to getCallerPrincipal().
That would enable bean developers to use EJB security mechanisms for
delicate permission control.
Best regards,
Oleg
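As an added illustration (not part of the thread), the following Java sketch shows the mechanism the reply describes: Subject.getSubject() only yields the caller's Subject when the call runs inside Subject.doAs(), so a container that wrapped bean invocations that way could offer the getCallerSubject() the author wishes for, and a bean could then check data-level rights carried in the Subject. The DataRight principal, invokeAs() and mayRead() are hypothetical names constructed here; it assumes a JDK (such as 17) where Subject.doAs()/getSubject() are still usable (newer JDKs replace them with Subject.callAs()/Subject.current()).

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

public class CallerSubjectDemo {

    // Hypothetical principal expressing a data-access right (constructed for this example).
    record DataRight(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    // What a container would have to do: run the bean method inside Subject.doAs()
    // so that the caller's Subject is attached to the current access-control context.
    static <T> T invokeAs(Subject caller, PrivilegedAction<T> beanMethod) {
        return Subject.doAs(caller, beanMethod);
    }

    // The wished-for getCallerSubject(): returns null unless called under doAs().
    static Subject getCallerSubject() {
        return Subject.getSubject(AccessController.getContext());
    }

    // Bean-side check: deny when there is no Subject, otherwise require a matching right.
    static boolean mayRead(String recordId) {
        Subject s = getCallerSubject();
        if (s == null) {
            return false; // not running under doAs(): fail closed
        }
        return s.getPrincipals(DataRight.class).stream()
                .anyMatch(r -> r.getName().equals("read:" + recordId));
    }

    public static void main(String[] args) {
        // Constructed sample caller holding one data-access right
        Subject alice = new Subject();
        alice.getPrincipals().add(new DataRight("read:order-42"));
        alice.setReadOnly();

        // Outside doAs() the Subject is not reachable, which is the reply's point
        System.out.println("outside doAs(): " + getCallerSubject());

        boolean allowed = invokeAs(alice, () -> mayRead("order-42"));
        boolean denied = invokeAs(alice, () -> mayRead("order-7"));
        System.out.println("order-42 allowed=" + allowed + ", order-7 allowed=" + denied);
    }
}
```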