This is similar to what we would like to do.  We are not planning on putting
any security within the beans themselves.  This way we can maximize reuse
and decouple them from a security model which may change.  In our case we
will be separating authentication and entitlements from the business objects
(beans and EJBs).  The security model will be imposed when the bean is used.

> -----Original Message-----
> From: Richard A. Sand [SMTP:[EMAIL PROTECTED]]
> Sent: Sunday, May 23, 1999 9:48 PM
> To:   [EMAIL PROTECTED]
> Subject:      question about access control validation
>
> Hi folks,
>
> In the JSP model with a servlet receiving the request, instantiating a
> bean and returning it to a JSP (model II?), where is the best/proper place
> to do access control validation?  Say I have a servlet that uses a bean to
> access a page in a database.  The servlet receives information to
> authenticate in the request - assume it's just a userid and a password.
> Should I have the servlet authenticate the userid and password before
> instantiating the bean, or should I pass the info to the bean and have it
> authenticate before it calls the database?  Does it matter w.r.t.
> security, and is there a proper place to do this?
>
> Thanks!
>
> -Richard
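
An added illustration of the separation described in the reply above (not code from the thread or from either poster): the bean carries no security logic, and a wrapper imposes the entitlement check at the point of use. All class names and the sample data are hypothetical, and authentication is assumed to have happened upstream, yielding a user id or null.

```java
import java.util.Map;
import java.util.Set;

// Added illustration; PageBean, AccessPolicy and SecuredPageAccess are hypothetical names.
public class SeparatedAccessControl {

    // Business object: knows nothing about users, passwords or roles.
    static class PageBean {
        private final Map<String, String> pages;   // stands in for the database
        PageBean(Map<String, String> pages) { this.pages = pages; }
        String load(String pageId) { return pages.get(pageId); }
    }

    // Entitlement model kept apart from the bean so it can change independently.
    interface AccessPolicy {
        boolean mayRead(String userId, String pageId);
    }

    // Imposes the security model where the bean is used.
    static class SecuredPageAccess {
        private final PageBean bean;
        private final AccessPolicy policy;
        SecuredPageAccess(PageBean bean, AccessPolicy policy) {
            this.bean = bean;
            this.policy = policy;
        }
        // authenticatedUser is null when upstream authentication failed.
        String load(String authenticatedUser, String pageId) {
            if (authenticatedUser == null || !policy.mayRead(authenticatedUser, pageId)) {
                throw new SecurityException("access denied");   // fail closed
            }
            return bean.load(pageId);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data.
        PageBean bean = new PageBean(Map.of("payroll", "salary table", "news", "bulletin"));
        Map<String, Set<String>> grants =
            Map.of("alice", Set.of("payroll", "news"), "bob", Set.of("news"));
        AccessPolicy policy = (user, page) -> grants.getOrDefault(user, Set.of()).contains(page);
        SecuredPageAccess secured = new SecuredPageAccess(bean, policy);

        System.out.println("alice -> " + secured.load("alice", "payroll"));
        try {
            secured.load("bob", "payroll");
        } catch (SecurityException e) {
            System.out.println("bob -> " + e.getMessage());
        }
    }
}
```

Because the bean itself enforces nothing, request-handling code should only ever be handed the wrapper, never the raw bean.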

