On Thursday 18 January 2001 01:18, Cook, Thomas wrote:
> > That's portable wherever there's JAAS, isn't it?
Wherever JAAS is used in the same way as in JBoss :-)
I mean the use of server LoginModules on the server - do you know of other
EJB servers that work this way?
Actually, the question is not "Does the EJB server use JAAS?",
but "Does the EJB server allow a custom Principal implementation to be used?".
Oleg
>
> Tom Cook
> Systems Development
> Australian Submarine Corporation
> Mersey Road
> Outer Harbour
>
> +61 8 8348 7645
>
> "From the instant I picked your book up, until the moment I put it
> down, I was convulsed with laughter. I fully intend to read it one
> day." - Groucho Marx
>
> > -----Original Message-----
> > From: Oleg Nitz [SMTP:[EMAIL PROTECTED]]
> > Sent: Thursday, January 18, 2001 3:49 AM
> > To: jBoss
> > Subject: Re: [jBoss-User] Externalizing security settings
> >
> > Hi Alexander,
> >
> > I cannot point to the links that you are looking for, but I have one
> > thought on this topic.
> > You may have your own Principal implementation (of course, for
> > that you should implement your own server LoginModule).
> > The Principal implementation can contain additional data and
> > methods used for authorization. I mean that your code could look
> > like
> >
> > public void saveAccount()
> > {
> >     MyPrincipal principal;
> >     ...
> >     principal = (MyPrincipal) _context.getCallerPrincipal();
> >     ...
> >     principal.isAccountWriteable(thisAccount's ID);
> >     ...
> > }
> >
> > I am not saying that this approach is good or recommended by
> > EJB authorities, and I doubt that it is portable,
> > but it is the best one that I can think of.
> >
> > Regards,
> > Oleg
> >
> > Alexander Klyubin wrote:
> > > Hi!
> > >
> > > Beans usually have custom security business requirements -- not
> > > only purely role-based ones.
> > > A simple example is that only the owner of account can modify
> > > it (Admin also).
> > >
> > > Can anyone offer a good solution or at least the direction
> > > where I should go in order to externalize these security
> > > business rules to some extent. My goal is:
> > > * Each role has a set of permissions assigned to it.
> > > * Role-Permissions assignments can be modified at runtime by
> > >   Administrator role
> > > * Security checks inside beans' methods are based on
> > >   permissions associated with caller's Principal
> > >
> > > I would like to have my business methods look like this:
> > >
> > > AccountBean.java ...
> > > public void saveAccount()
> > > {
> > >     ...
> > >
> > >     principal = getCallerPrincipal();
> > >     ...
> > >     Security.isAccountWriteable(principal,
> > >         roleListTakenFromContext, thisAccount's ID or whatever
> > >         information needed);
> > >     ...
> > > }
> > >
> > > Links to good resources and books are appreciated.
> > >
> > > Alexander Klyubin
> > >
> > >
> > >
> > > --
> > > --------------------------------------------------------------
> > > To subscribe: [EMAIL PROTECTED]
> > > To unsubscribe: [EMAIL PROTECTED]
> > > List Help?: [EMAIL PROTECTED]