The way we do it is to use getCallerPrinciple() and then use the username as
part of our queries. So this all happens inside a Session Bean with role
based security.
Doesn't require any weird non-standard approach.
-----Original Message-----
From: Wood, Alan [mailto:[EMAIL PROTECTED]]
Sent: 31 January 2001 18:52
To: '[EMAIL PROTECTED]'
Subject: [jBoss-User] Entity Security
I apologize if this message is being sent out to the wrong group. If
someone can recommend a better mailing list, please inform me so I can post
questions like this on those groups instead.
I've been trying to get my head around how to program an EJB system with
JBoss...
One thing we need that I haven't seen anyone address is this:
How would one go about doing instance level security? By this, I mean that
lots of people may have access to Bean "B" (in the sense that their role
lets them use it) but the various instances of Bean "B" are secured by roles
as well.
B ----------- PK: 1
\--------- PK: 2
\-------- PK: 3
User1: Role_Read_B, PK1_Read, PK2_Read
User2: Role_Read_B, PK1_Read, PK3_Read
User3:
User3 would be restricted from using "B" at all...
User2 would be able to get to instances "1" and "3" of bean "B"...
User1 would be able to get to instances "1" and "2" of bean "B"...
(Of course the full solution would include "groups" of Bean "B"'s that have
roles...not individual PKs, but this is for illustration purposes)
There are a number of ways to do this, but I was wondering if someone has
come up with a good pattern that works inside of EJB well. Since I haven't
started to do any type of prototyping or coding yet I have little practical
experience in anticipating what EJB will throw my way.
There seems to be a common pattern of wrapping entity beans in session beans
(which I don't fully understand yet). So, security calls could be made
there, or they could be made at the entity level. But where should they be
so that people can't "gain access" illegally?
Ideally, the security layer should be transparent to the application
developer....
Thanks,
Alan Wood
Alan J. Wood
Software Engineer
Genaissance Pharmaceuticals
**********************************************************************
This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. This communication may contain materials protected
by the attorney-client privilege. If you are not the intended recipient or
the person responsible for delivering the e-mail to the intended
recipient, be advised that you have received this e-mail in error and
that any use, dissemination, forwarding, printing, or copying of this e-mail
is strictly prohibited. If you have received this email in error please
immediately notify the sender by telephone at 203-786-3421. You will
be reimbursed for reasonable costs incurred in notifying us.
This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.
**********************************************************************
--
--------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
List Help?: [EMAIL PROTECTED]
--
--------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
List Help?: [EMAIL PROTECTED]
