The way we're handling it is by using the username (obtained via
getCallerPrincipal) as part of the DB query. That way if it isn't yours you
won't even see it. This depends of course on having a proper model of your
entities (which we have).
-----Original Message-----
From: Alexander Klyubin [mailto:[EMAIL PROTECTED]]
Sent: 17 January 2001 17:25
To: Jboss-User
Subject: [jBoss-User] Security patterns
Hi!
Does anybody know of any security patterns in EJB, or at least for jBoss?
Role-based method-level security is clearly not enough in most cases. How
can I externalize these finer-grained settings to some settings file or
database while still using EJB concepts?
Security constraint example: Only owners can modify their User object,
Administrator can modify any User object.
Any useful links to sources of information appreciated.
Alexander Klyubin
--
--------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
List Help?: [EMAIL PROTECTED]
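The pattern the reply describes (the container-authenticated caller name from getCallerPrincipal becomes a bound parameter of the query, so rows the caller does not own are never returned or touched) and the constraint in the original question (owners edit their own User object, the Administrator role edits any) can be combined in one method. The code below is an added illustration, not code from either poster or from jBoss; it assumes a `users` table with `id`, `email` and `owner` columns, a role named `Administrator`, and a small `CallerContext` interface standing in for the two `SessionContext` methods an EJB would call.

```java
import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

// Hypothetical stand-in for the two javax.ejb.SessionContext methods this pattern
// needs, so the example compiles without an EJB container on the classpath.
interface CallerContext {
    Principal getCallerPrincipal();
    boolean isCallerInRole(String role);
}

public class OwnerScopedUserUpdate {
    static final String ADMIN_ROLE = "Administrator"; // role name is an assumption

    /** SQL for the update: administrators may hit any row, everyone else only their own. */
    static String updateSql(boolean admin) {
        return admin
            ? "UPDATE users SET email = ? WHERE id = ?"
            : "UPDATE users SET email = ? WHERE id = ? AND owner = ?";
    }

    /**
     * Runs the update with the caller's identity bound as a parameter. The ownership
     * test is part of the same statement as the write, so there is no window between
     * "check" and "update". Returns true only if exactly one row changed; a zero count
     * means the row is missing or not owned by the caller, and the two cases are
     * deliberately indistinguishable to the client.
     */
    static boolean updateEmail(Connection conn, CallerContext ctx, long userId, String newEmail)
            throws SQLException {
        boolean admin = ctx.isCallerInRole(ADMIN_ROLE);
        try (PreparedStatement ps = conn.prepareStatement(updateSql(admin))) {
            ps.setString(1, newEmail);
            ps.setLong(2, userId);
            if (!admin) {
                // Owner comes from the container-authenticated principal, never from the request body.
                ps.setString(3, ctx.getCallerPrincipal().getName());
            }
            return ps.executeUpdate() == 1;
        }
    }

    // Constructed caller contexts for demonstration (no container involved).
    static CallerContext caller(String name, boolean admin) {
        return new CallerContext() {
            public Principal getCallerPrincipal() { return () -> name; }
            public boolean isCallerInRole(String role) { return admin && ADMIN_ROLE.equals(role); }
        };
    }

    // Shows which statement each kind of caller would execute; no database required.
    public static void main(String[] args) {
        CallerContext alice = caller("alice", false);
        CallerContext root = caller("root", true);
        System.out.println("alice -> " + updateSql(alice.isCallerInRole(ADMIN_ROLE)));
        System.out.println("root  -> " + updateSql(root.isCallerInRole(ADMIN_ROLE)));
    }
}
```

Two points worth noting about this shape. First, the owner filter lives in the same statement as the write, so a separate "load the object, check its owner, then save" sequence (and the race it invites) is avoided. Second, as the reply says, this only works if the entity model records an owner for every protected row; a table without an `owner` column has nothing for the principal name to match against, and the method-level roles EJB offers cannot fill that gap.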