Hi Alexander,

I cannot point out the links you are seeking, but I have one thought on
this topic.
You may have your own Principal implementation (of course, for that
you should implement your own server LoginModule).
The Principal implementation can contain additional data and methods
used for authorization. I mean that your code could look like

public void saveAccount()
{
        MyPrincipal principal;
        ...
        // the container's caller Principal is your own implementation
        principal = (MyPrincipal) _context.getCallerPrincipal();
        ..
        principal.isAccountWriteable(thisAccount's ID);
        ...
}

I am not saying that this approach is good or recommended by
EJB authorities, and I doubt if it is portable,
but it is the best one that I can think of.

Regards,
 Oleg
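
As an added illustration of the idea above (example code written for this
thread, not Oleg's or the list's own code), here is a plain-Java version of a
Principal that carries roles and resolves them against a role-to-permission
registry that an Administrator can change at runtime. The class names
MyPrincipal, PermissionRegistry and AccountBean, and the permission name
ACCOUNT_WRITE_ANY, are assumptions; the caller Principal is passed in by hand
in place of _context.getCallerPrincipal(), since there is no container here.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Role -> permission assignments; an Administrator can change them while the server runs. */
final class PermissionRegistry {
    private final Map<String, Set<String>> rolePermissions = new ConcurrentHashMap<>();

    void grant(String role, String permission) {
        rolePermissions.computeIfAbsent(role, r -> ConcurrentHashMap.newKeySet()).add(permission);
    }

    void revoke(String role, String permission) {
        Set<String> perms = rolePermissions.get(role);
        if (perms != null) {
            perms.remove(permission);
        }
    }

    /** Union of the permissions granted to any of the given roles. */
    Set<String> permissionsFor(Set<String> roles) {
        Set<String> result = new HashSet<>();
        for (String role : roles) {
            result.addAll(rolePermissions.getOrDefault(role, Collections.emptySet()));
        }
        return result;
    }
}

/** Custom Principal that a server LoginModule would create; carries roles, resolves permissions. */
final class MyPrincipal implements Principal {
    /** Hypothetical permission name chosen for this example. */
    static final String ACCOUNT_WRITE_ANY = "ACCOUNT_WRITE_ANY";

    private final String name;
    private final Set<String> roles;
    private final PermissionRegistry registry;

    MyPrincipal(String name, Set<String> roles, PermissionRegistry registry) {
        this.name = name;
        this.roles = Set.copyOf(roles);
        this.registry = registry;
    }

    @Override
    public String getName() {
        return name;
    }

    boolean hasPermission(String permission) {
        // Resolved at check time, so a runtime change in the registry takes effect at once.
        return registry.permissionsFor(roles).contains(permission);
    }

    /** The owner may write their own account; anyone holding ACCOUNT_WRITE_ANY may write all. */
    boolean isAccountWriteable(String accountOwner) {
        return name.equals(accountOwner) || hasPermission(ACCOUNT_WRITE_ANY);
    }
}

/** Stand-in for the bean: the caller Principal is passed in instead of read from the EJB context. */
final class AccountBean {
    private final String owner;

    AccountBean(String owner) {
        this.owner = owner;
    }

    void saveAccount(Principal caller) {
        // Fail closed if the container handed back some other Principal type.
        if (!(caller instanceof MyPrincipal)) {
            throw new SecurityException("unexpected principal type: " + caller.getClass().getName());
        }
        MyPrincipal principal = (MyPrincipal) caller;
        if (!principal.isAccountWriteable(owner)) {
            throw new SecurityException(principal.getName() + " may not modify the account of " + owner);
        }
        // ... persist the account ...
    }

    public static void main(String[] args) {
        PermissionRegistry registry = new PermissionRegistry();
        registry.grant("admin", MyPrincipal.ACCOUNT_WRITE_ANY);

        MyPrincipal alice = new MyPrincipal("alice", Set.of("user"), registry);   // constructed sample
        MyPrincipal bob = new MyPrincipal("bob", Set.of("admin"), registry);      // constructed sample
        AccountBean alicesAccount = new AccountBean("alice");

        alicesAccount.saveAccount(alice);   // owner: allowed
        alicesAccount.saveAccount(bob);     // admin holding ACCOUNT_WRITE_ANY: allowed

        registry.revoke("admin", MyPrincipal.ACCOUNT_WRITE_ANY);   // runtime change by Administrator
        try {
            alicesAccount.saveAccount(bob);
            System.out.println("unexpected: bob is still allowed");
        } catch (SecurityException e) {
            System.out.println("after revoke: " + e.getMessage());
        }
    }
}
```

The instanceof guard is the practical caveat behind the portability doubt
above: whether getCallerPrincipal() returns the LoginModule's own Principal
object or a container-specific wrapper or copy depends on the server, so the
check refuses rather than assumes when the cast would not hold.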


Alexander Klyubin wrote:
> Hi!

> Beans usually have custom security business requirements -- not only purely
> role-based ones.
> A simple example is that only the owner of an account can modify it (Admin
> also).

> Can anyone offer a good solution or at least the direction where I should go
> in order to externalize these security business rules to some extent. My
> goal is:
> * Each role has a set of permissions assigned to it.
> * Role-Permissions assignments can be modified at runtime by the Administrator
> role
> * Security checks inside beans' methods are based on permissions associated
> with caller's Principal

> I would like to have my business methods look like this:

> AccountBean.java ...
> public void saveAccount()
> {
>         ...

>         principal = getCallerPrincipal();
>         ..
>         Security.isAccountWriteable(principal, roleListTakenFromContext,
> thisAccount's ID or whatever information needed);
>         ...
> }

> Link to good resources and books appreciated.

> Alexander Klyubin
> --
> --------------------------------------------------------------
> To subscribe:        [EMAIL PROTECTED]
> To unsubscribe:      [EMAIL PROTECTED]
> List Help?:          [EMAIL PROTECTED]