If I needed simple role-based access control I wouldn't have used an interceptor.
OK, I have two WebApps, an admin WebApp and a users WebApp. Because I want the two WebApps to have separate namespaces for usernames, I have given them separate security domains. Thus, an admin user and a regular user could, theoretically, have the same username and my system would handle that perfectly well. In the past I have used one security domain and had to mess with usernames to artificially ensure namespace separation. With separate domains, I don't need to and the system can be more flexible and robust at the same time.

For one of the WebApps - the admin WebApp - the standard declarative J2EE arrangements will work just fine. I wouldn't need a proxy to support this app's access to the EJB - it can be controlled on role.

The other WebApp supports users. Unfortunately, access to the target EJB from this WebApp needs to be controlled based on a complex resource ownership test - there are no roles which could be used to determine whether the call should be allowed or not. Without the interceptor, any user could act upon any entity represented by the EJB, whether they owned it or not, by simple URL hacking.

I don't want to do the ownership test in the presentation layer since the presentation layer will be replaced. I could do the test in the EJB but I then have to replicate the test across all the controlled methods.

Thanks for your help though guys, I appreciate it. I guess I'll put the test in the EJB.

Regards,
Dave

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3856259#3856259
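An added example, not part of the original post and not JBoss code: one way to keep the ownership test inside the bean without copying its logic into every controlled method is a single guard that both checks ownership and returns the loaded row. The class name OwnedEntityBean, the method requireOwned and the in-memory STORE are hypothetical; in a real session bean the caller would come from SessionContext.getCallerPrincipal() rather than a constructor argument.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

// Hypothetical bean for illustration only; names are assumptions, not from the post.
public class OwnedEntityBean {
    // Constructed stand-in for the entity table: id -> {owner username, label}.
    private static final Map<Long, String[]> STORE = new HashMap<>();

    // Stand-in for the container-supplied caller identity.
    private final Principal caller;

    OwnedEntityBean(Principal caller) { this.caller = caller; }

    // The only place the ownership rule lives. It returns the row it checked,
    // so business methods cannot reach an entity without passing through it.
    private String[] requireOwned(long id) {
        String[] row = STORE.get(id);
        // Unknown ids and other users' ids fail identically, so the error
        // does not reveal which ids exist.
        if (row == null || !row[0].equals(caller.getName())) {
            throw new SecurityException("access denied");
        }
        return row;
    }

    // Each controlled method costs one call to the guard, not a copy of the test.
    public String getLabel(long id) { return requireOwned(id)[1]; }
    public void rename(long id, String label) { requireOwned(id)[1] = label; }
    public void delete(long id) { requireOwned(id); STORE.remove(id); }

    public static void main(String[] args) {
        // Constructed sample data.
        STORE.put(1L, new String[] {"alice", "alice's record"});
        STORE.put(2L, new String[] {"bob", "bob's record"});

        OwnedEntityBean asAlice = new OwnedEntityBean(() -> "alice");
        asAlice.rename(1L, "renamed by owner");
        System.out.println("own entity: " + asAlice.getLabel(1L));

        // An id taken from a tampered URL: someone else's entity, then a missing one.
        for (long id : new long[] {2L, 99L}) {
            try {
                asAlice.delete(id);
                System.out.println("BUG: delete allowed for id " + id);
            } catch (SecurityException e) {
                System.out.println("id " + id + ": " + e.getMessage());
            }
        }
        System.out.println("bob's entity still present: " + STORE.containsKey(2L));
    }
}
```

Because the guard hands back the row, a method that forgets to call it has no entity to operate on, which makes a missing check visible in code review.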
