On Tue, Sep 10, 2002 at 10:28:50PM -0400, Jim Crossley wrote:
> I'm looking for advice. What's the best practice for ensuring that, for
> example, only members of a particular team are allowed to update projects
> assigned to that team? Assume a Project EJB with an update method, if you
> will. The J2EE role-based security mechanism cannot enforce that rule.
> After reading the jboss for-pay docs and this fine article,
>
> http://www.javaworld.com/javaworld/jw-02-2002/jw-0215-ejbsecurity.html
>
> ...it would seem that a SecurityProxy could help me. But I'm confused about
> how to determine which team the user is on, if I may continue with the
> contrived example. I'm assuming I can obtain the caller's Subject instance
> from the EJBContext. Would I then use the caller principal to look up the
> team? Can I safely cache those lookup results to improve performance?
>
> Am I going in the right direction, or is there a better way?

I think so. You need to use a SecurityProxy, and this will get the login principal, which you can use to find the team and check that this user isn't changing anything on another team.
> Thanks much,
> Jim

--
MVH Marius Kotsbak
Boost communications AS

-------------------------------------------------------
In remembrance
www.osdn.com/911/
_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
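One way to implement the check described in the reply above, as an added example that is not code from this thread or from JBoss: a SecurityProxy for the Project EJB that takes the caller from EJBContext.getCallerPrincipal() (the context hands out a java.security.Principal, not a Subject), resolves the caller's teams through a lookup backend, compares them with the team that owns the target project, and caches the membership lookup for a short, bounded time. The class shape follows org.jboss.security.SecurityProxy as shipped with JBoss 3.x; both init overloads are implemented so the class compiles against either the four- or the five-argument version of the interface. The example.security package, the TeamDirectory interface, the JNDI name java:comp/env/TeamDirectory and the assumed update(String projectId, ...) signature on the Project bean are all hypothetical.

```java
// Added example (not from the thread or from JBoss). The package, TeamDirectory,
// the JNDI name and the Project bean's update(String projectId, ...) signature
// are assumptions made for illustration.
package example.security;

import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.ejb.EJBContext;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import org.jboss.security.SecurityProxy;

/** Hypothetical membership backend (database, LDAP, ...); not part of JBoss. */
interface TeamDirectory {
    /** Names of the teams the user belongs to; empty if none. */
    Set<String> teamsOf(String principalName);
    /** Team that owns the project, or null if the project is unknown. */
    String teamOfProject(String projectId);
}

public class ProjectSecurityProxy implements SecurityProxy {

    private static final String DIRECTORY_JNDI = "java:comp/env/TeamDirectory"; // assumed binding
    private static final long DEFAULT_TTL_MILLIS = 30 * 1000L; // short TTL bounds revocation delay

    private static final class CacheEntry {
        final Set<String> teams;
        final long expiresAt;
        CacheEntry(Set<String> teams, long expiresAt) {
            this.teams = teams;
            this.expiresAt = expiresAt;
        }
    }

    private final TeamDirectory directory;
    private final long ttlMillis;
    private final Map<String, CacheEntry> cache = new HashMap<String, CacheEntry>();
    private EJBContext ctx;

    /** JBoss instantiates the proxy reflectively, so a no-arg constructor is required. */
    public ProjectSecurityProxy() {
        this(lookupDirectory(), DEFAULT_TTL_MILLIS);
    }

    ProjectSecurityProxy(TeamDirectory directory, long ttlMillis) {
        this.directory = directory;
        this.ttlMillis = ttlMillis;
    }

    private static TeamDirectory lookupDirectory() {
        try {
            return (TeamDirectory) new InitialContext().lookup(DIRECTORY_JNDI);
        } catch (NamingException e) {
            throw new IllegalStateException("team directory not bound at " + DIRECTORY_JNDI, e);
        }
    }

    // Called once by the container; nothing to set up for this proxy.
    public void init(Class beanHome, Class beanRemote, Object securityMgr) { }
    public void init(Class beanHome, Class beanRemote, Class beanLocalHome, Class beanLocal,
                     Object securityMgr) { }

    public void setEJBContext(EJBContext ctx) { this.ctx = ctx; }

    // Home methods (create/find) are left to the declarative role checks.
    public void invokeHome(Method m, Object[] args) throws SecurityException { }

    public void invoke(Method m, Object[] args, Object bean) throws SecurityException {
        if (!"update".equals(m.getName())) {
            return; // other business methods stay under the declarative role checks
        }
        Principal caller = ctx.getCallerPrincipal();
        if (caller == null) {
            throw new SecurityException("update requires an authenticated caller");
        }
        // Assumed signature: update(String projectId, ...). The target is taken from
        // the arguments rather than from the bean instance, which may not be loaded yet.
        if (args == null || args.length == 0 || !(args[0] instanceof String)) {
            throw new SecurityException("update: cannot identify the target project");
        }
        String projectId = (String) args[0];
        String owningTeam = directory.teamOfProject(projectId);
        // Fail closed: an unknown project or a caller with no teams is denied.
        if (owningTeam == null || !callerTeams(caller.getName()).contains(owningTeam)) {
            throw new SecurityException(caller.getName()
                    + " is not on the team that owns project " + projectId);
        }
    }

    /** Membership lookup, cached per principal name for at most ttlMillis. */
    Set<String> callerTeams(String principalName) {
        long now = System.currentTimeMillis();
        synchronized (cache) {
            CacheEntry e = cache.get(principalName);
            if (e != null && e.expiresAt > now) {
                return e.teams;
            }
        }
        Set<String> teams = Collections.unmodifiableSet(
                new HashSet<String>(directory.teamsOf(principalName)));
        synchronized (cache) {
            cache.put(principalName, new CacheEntry(teams, now + ttlMillis));
        }
        return teams;
    }

    /** Drop a cached lookup; call this from whatever code changes team membership. */
    public void invalidate(String principalName) {
        synchronized (cache) {
            cache.remove(principalName);
        }
    }
}
```

The proxy is attached to the bean with the security-proxy element of its entry in jboss.xml, and the container calls setEJBContext before each invoke, so the caller principal seen here is the one for the current call. On the caching question: what is cached is the principal-to-teams lookup, not the allow/deny decision for a particular project, and the cache is keyed by the server-side principal name, never by anything the client supplies. A cached entry means that removing a user from a team takes effect only when the entry expires or is invalidated, so keep the TTL short and wire invalidate() into the membership change path.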