I've created a little EJB application consisting (for now) only of
Entity Beans. The data will be viewed using JSP and there's a
standalone application to manipulate the data. This works fine, up to
now. But now I introduced a new role "Administrator" and added a
security constraint to allow access to the setters of the beans only
to callers in the role Administrator. This works fine, too, access to
the setters is now denied.
The problem is, I have no idea how to authenticate the users in my
administration app. What I want to do is to display a login dialog
(username/password) to authenticate the user and give him access to
the setters. I suppose, I need a Session Bean for this. But I don't
know how to set the security context. I now included a call to
entityContext.getCallerPrincipal() in a method of a bean and print the
result out. But I don't get a "guest", as I expected, but a
java.lang.IllegalStateException: no security context exists.
Can anyone give me a starting point?
And another thing: My entity beans have a method update() which does a
"batch-update" of the fields using a hashtable. I did this to be able
to update many fields in one transaction using container managed
transactions. If I call this method (which in turn calls the setters),
I don't get any SecurityException as I expected. Is it true, that no
security checking is done anymore when calling methods from within a
bean (i.e. if the call to update() is OK, then the calls to set*() are
OK, too)?
--
(o_ Raffael Herzog
//\ [EMAIL PROTECTED]
V_/_
May the penguin be with you!
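
The update() behaviour asked about above, modelled in plain Java as an added example (not part of the original post and not JOnAS code): a dynamic proxy stands in for the container, and the names Account, AccountBean and deploy are hypothetical. In EJB the container enforces method permissions only on calls that arrive through the bean's component interface, so a setter invoked on `this` from inside update() is an ordinary Java call and is not checked.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.Hashtable;
import java.util.Map;
import java.util.Set;
public class SelfCallDemo {
    // Hypothetical stand-in for the entity bean's remote interface.
    interface Account {
        String getOwner();
        void setOwner(String owner);
        void update(Hashtable<String, String> fields);
    }
    // Stand-in for the bean class; a real one would implement javax.ejb.EntityBean.
    static class AccountBean implements Account {
        private String owner = "initial";
        public String getOwner() { return owner; }
        public void setOwner(String owner) { this.owner = owner; }
        public void update(Hashtable<String, String> fields) {
            // Plain Java call on 'this': it never passes through the proxy below.
            if (fields.containsKey("owner")) setOwner(fields.get("owner"));
        }
    }
    // Models the container: permissions are enforced only on calls made through this proxy.
    static Account deploy(AccountBean bean, Set<String> roles, Map<String, String> perms) {
        InvocationHandler h = (proxy, method, args) -> {
            String required = perms.get(method.getName());
            if (required != null && !roles.contains(required))
                throw new SecurityException(method.getName() + " requires role " + required);
            try { return method.invoke(bean, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (Account) Proxy.newProxyInstance(
                Account.class.getClassLoader(), new Class<?>[] { Account.class }, h);
    }
    public static void main(String[] argv) {
        Hashtable<String, String> change = new Hashtable<>();
        change.put("owner", "changed");
        Set<String> guest = Set.of(); // constructed caller holding no roles
        // Weak setting: only the setter carries a method permission.
        Account weak = deploy(new AccountBean(), guest, Map.of("setOwner", "Administrator"));
        try { weak.setOwner("x"); } catch (SecurityException e) { System.out.println("setOwner denied"); }
        weak.update(change); // allowed, and the inner setOwner() call is unchecked
        System.out.println("weak: owner=" + weak.getOwner());
        // Corrected setting: update() carries the same permission as the setters it calls.
        Account fixed = deploy(new AccountBean(), guest,
                Map.of("setOwner", "Administrator", "update", "Administrator"));
        try { fixed.update(change); } catch (SecurityException e) { System.out.println("update denied"); }
        System.out.println("fixed: owner=" + fixed.getOwner());
    }
}
```

In a deployed bean the equivalent of the corrected setting is a method permission on update() in the deployment descriptor, or a programmatic check with EJBContext.isCallerInRole() at the top of update().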