Creating the a security proxy layer is the most flexible and maintains the
integrity of the business logic. Security is more a function of where the
business component is deployed rather than a function of the business
component operation and the two should be separated.
You can code completely portable security using a proxy pattern where
you introduce a security proxy ejb for each business object that needs
custom security.
Alternatively you can use an application server specific hook that allows
you to focus just on the security model.
xxxxxxxxxxxxxxxxxxxxxxxx
Scott Stark
Chief Technology Officer
JBoss Group, LLC
xxxxxxxxxxxxxxxxxxxxxxxx
----- Original Message -----
From: "Joel Boehland" <[EMAIL PROTECTED]>
To: "JBOSS_USER" <[EMAIL PROTECTED]>
Sent: Tuesday, October 09, 2001 4:12 PM
Subject: [JBoss-user] Fine grained security & JBOSS
> Hi,
> I'm hoping to get some feedback from the JBoss crew on
> how folks are implementing fine-grained security
> access on their application objects. I understand how
> to use JAAS and EJB security to provide coarse grained
> security (For instance, making the call the the
> removeUser() method in a SessionBean be mapped to the
> "admin" role), but I'm wondering how folks are
> implementing security on a per-object basis, or state
> dependent basis. For instance, Let's say you have a
> Document EJB with a content field. You have a method
> editContent(String newContent), that you want to
> restrict to owners/editors of that particular document
> EJB. How are folks implementing security access like
> this?
>
> One way I have thought of, using JBOSS+JAAS would be
> to create a role:
> "DOCUMENT_EDITOR.<document-id>" for every document
> object. So, if a user created a new Document EJB, with
> an id of 456, I would enter a role:
> "DOCUMENT_EDITOR.456" into the roles table and map it
> to that user's Principal object. Then in the Document
> EJB editContent() method I would have:
>
> public void editContent(String newContent){
> long id = getId(); //get the id for this bean
> String requiredRole = "DOCUMENT_EDITOR."+id;
>
> if(ejbContext.isCallerInRole(requiredRole)){
> //allow the edit...
> }
> else{
> //throw some access exception here...
> }
> }
>
>
> What do folks think of this approach? Any other
> ideas/implementations? Are there any standard j2ee
> access-control api's out there that I'm not aware of?
> I'd like to get some feedback on this before I commit
> to an implementation, so if anybody has any other
> ideas, links to docs, etc, I'd appreciate it.
>
>
> Thanks!
> --Joel
>
> __________________________________________________
> Do You Yahoo!?
> Make a great connection at Yahoo! Personals.
> http://personals.yahoo.com
>
> _______________________________________________
> JBoss-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/jboss-user
>
_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
