I'm looking for advice. What's the best practice for ensuring that, for example, only members of a particular team are allowed to update projects assigned to that team? Assume a Project EJB with an update method, if you will. The J2EE role-based security mechanism cannot enforce that rule.

After reading the jboss for-pay docs and this fine article,

http://www.javaworld.com/javaworld/jw-02-2002/jw-0215-ejbsecurity.html

...it would seem that a SecurityProxy could help me. But I'm confused about how to determine which team the user is on, if I may continue with the contrived example. I'm assuming I can obtain the caller's Subject instance from the EJBContext. Would I then use the caller principal to look up the team? Can I safely cache those lookup results to improve performance?

Am I going in the right direction, or is there a better way?

Thanks much,
Jim

_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
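The instance-level rule the post describes ("only members of the project's team may update that project") is exactly what J2EE method permissions cannot express, so the check has to run in server-side code with the caller principal and the target instance both at hand. The following is an added example, not code from the original post or from JBoss: it resolves the caller's team from `EJBContext.getCallerPrincipal()` (standard J2EE), consults a hypothetical `TeamDirectory` lookup (an assumption standing in for whatever table or directory holds team membership), caches the result per principal name with a time-to-live, and denies the update when the teams differ. The same `checkMayUpdate` call can be made at the top of the bean's update method or from a JBoss SecurityProxy that has been handed the bean instance.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.ejb.EJBContext;

/**
 * Added example (not part of the original post): an instance-level
 * authorization check that role-based J2EE security cannot express.
 * TeamDirectory is a hypothetical membership source; javax.ejb.EJBContext
 * and java.security.Principal are standard J2EE / JDK types.
 */
public class TeamAuthorizer {

    /** Hypothetical lookup: the team id a user belongs to, or null if none. */
    public interface TeamDirectory {
        String teamOf(String userName);
    }

    /** One cached lookup result together with the time at which it goes stale. */
    private static final class CacheEntry {
        final String team;      // may be null: "no team" is cached as well
        final long expiresAt;   // wall-clock millis after which the entry is ignored

        CacheEntry(String team, long expiresAt) {
            this.team = team;
            this.expiresAt = expiresAt;
        }
    }

    private final TeamDirectory directory;
    private final long ttlMillis;
    // Keyed by principal name. The TTL bounds how long a revoked or changed
    // membership is still honoured; without it a cached grant never expires.
    private final Map<String, CacheEntry> cache = new HashMap<String, CacheEntry>();

    public TeamAuthorizer(TeamDirectory directory, long ttlMillis) {
        this.directory = directory;
        this.ttlMillis = ttlMillis;
    }

    /** Resolve the caller's team, re-querying the directory once the cached entry is stale. */
    public synchronized String teamOfCaller(EJBContext ctx) {
        Principal caller = ctx.getCallerPrincipal();
        if (caller == null) {
            throw new SecurityException("unauthenticated caller");
        }
        String name = caller.getName();
        long now = System.currentTimeMillis();
        CacheEntry entry = cache.get(name);
        if (entry == null || entry.expiresAt <= now) {
            // Negative results are cached too, so an unknown principal cannot
            // force a directory round trip on every call.
            entry = new CacheEntry(directory.teamOf(name), now + ttlMillis);
            cache.put(name, entry);
        }
        return entry.team;
    }

    /**
     * Deny unless the caller belongs to the team that owns the project.
     * projectTeam is read from the Project instance being updated, which is
     * why this check must run server side, where that instance is available.
     */
    public void checkMayUpdate(EJBContext ctx, String projectTeam) {
        String callerTeam = teamOfCaller(ctx);
        if (callerTeam == null || !callerTeam.equals(projectTeam)) {
            throw new SecurityException("caller is not a member of team " + projectTeam);
        }
    }

    /** Drop one principal's cached entry, e.g. when an administrator reassigns that user. */
    public synchronized void invalidate(String userName) {
        cache.remove(userName);
    }
}
```

Two points a practitioner would want to keep in mind with this shape: the cache key must be the same identifier the membership table is keyed on (the principal name as the login module reports it), and the TTL is a deliberate trade of freshness for speed, so a membership change is enforced only after at most `ttlMillis` unless `invalidate` is called at the point where the change is made.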