Really?
Wow and ouch, I thought it worked like this:
1/ get initial context, sets up caller principal.
2/ lookup bean.
3/ try and invoke a method, app server checks caller principal for permission.
If it works like this, then passing around a reference isn't a problem as it will use your permissions, not any associated with the reference.
If this isn't how it works then the only way I can see what you describe as being a problem is if the caller principal information is associated with the object reference (sheer madness!).
Anyway, assuming you're right ;-), how do I "log-on" to the app server?
-----Original Message-----
From: Rickard Öberg [mailto:[EMAIL PROTECTED]]
Sent: 05 December 2000 14:50
To: jBoss
Subject: Re: [jBoss-User] Security
Hi!
"Kenworthy, Edward" wrote:
> RO> Which is Bad(tm). As Toby said, unlearn that practice ;-)
>
> Eh? How can it be bad? The spec is just a blank - it doesn't say how to do it, it's app server specific. What's Bad(tm) is that it's not in the spec :-)
There have been lots of discussions about this on EJB-INTEREST, so see archives.java.sun.com for details. The main problem is what happens if one Handle-ifies a reference and hands it over to someone else? Then that other user will be authenticated as the first one if JNDI security is used. Which is bad.
It's just a hack to use JNDI, and it was certainly not intended to be done that way. JNDI security is for looking up values in a namespace, nothing more.
/Rickard
--
Rickard Öberg
Email: [EMAIL PROTECTED]
--
--------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
Problems?: [EMAIL PROTECTED]
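Added example, not code from either poster or from jBoss itself, illustrating the model Edward describes: the container checks the caller principal on every method invocation, so identity travels with the authenticated client, not with the EJBObject reference or a Handle made from it. The bean side uses the standard EJB 2.x SessionContext API; the client side assumes a JAAS login (the configuration name "client-login", the JNDI name "ejb/Account" and the role "Teller" are made-up placeholders, and which login module an app server accepts is server-specific, which is the part the thread leaves open).

```java
// Added example: authorization bound to the caller principal per invocation.
// Assumed names: role "Teller", JNDI name "ejb/Account", JAAS config "client-login".
import java.security.Principal;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;

public class AccountBean implements SessionBean {
    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }

    // The container applies the declarative method permissions from ejb-jar.xml
    // before this runs. The programmatic check below is evaluated from the
    // identity propagated with *this* call: whoever obtained the reference, or
    // a Handle to it, earlier is irrelevant.
    public void transfer(String from, String to, long amount) {
        Principal caller = ctx.getCallerPrincipal();
        if (!ctx.isCallerInRole("Teller")) {
            throw new EJBException("caller " + caller.getName() + " is not a Teller");
        }
        // ... perform the transfer; record caller.getName() in the audit log ...
    }

    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
}

// Client side: authenticate first (assumed JAAS login), then look up and invoke.
// No credentials go into the JNDI environment; JNDI is only used for the lookup.
class AccountClient {
    static void run(final String user, final char[] password) throws Exception {
        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (int i = 0; i < callbacks.length; i++) {
                    if (callbacks[i] instanceof NameCallback) {
                        ((NameCallback) callbacks[i]).setName(user);
                    } else if (callbacks[i] instanceof PasswordCallback) {
                        ((PasswordCallback) callbacks[i]).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(callbacks[i]);
                    }
                }
            }
        };
        LoginContext lc = new LoginContext("client-login", handler); // assumed config name
        lc.login();                          // 1/ establishes the caller principal
        try {
            Context ic = new InitialContext();   // plain context, no security props
            Object ref = ic.lookup("ejb/Account"); // 2/ lookup bean (assumed JNDI name)
            // 3/ narrow ref to the remote interface and call transfer(...);
            //    the server checks the propagated principal on that call.
        } finally {
            lc.logout();                     // drop the identity when done
        }
    }
}
```

The point to take from the bean half is that `isCallerInRole` and `getCallerPrincipal` answer for the current invocation, so a Handle passed to a second party yields the second party's identity (or an anonymous one) when it is used, which is the behaviour Edward expects and the opposite of what the JNDI-credentials hack gives.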