Eddie,

Use your slsb or sfsb (the session manager) as your facade to the ejb for
all access. In your web.xml or client.xml, only refer to the slsb or sfsb as
an ejb reference. This means that your container will not allow you to get
the context for your entity ejb, so you won't be able to call any methods
from the client.

You can control security on your session manager by creating security
constraints for each method, or for method name patterns. This way, you can
allow the "client" role access to methods which get*, and "mutator" role
access to methods change*.

In Orion, you map the roles to groups (role is a J2EE idea, whereas groups
is an Orion deployment specification). The groups are defined in the
principals.xml file of the META-INF directory for the ear file. The group to
role mapping is defined in all of the orion-*.xml files such as
orion-ejb-jar.xml, orion-web.xml, orion-application.xml. This allows the
same group to be assigned to different roles in different applications...a
good idea when you think that various jar/war/ear files may be from
different vendors, and have different names for their J2EE roles.

regards,
the elephantwalker
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Ed Bras
Sent: Saturday, September 15, 2001 3:09 AM
To: Orion-Interest
Subject: Restricting access to only Session Manager ?
Hellu,
How can I configure Orion and my J2EE application such that client
applications are only able to call the get methods of the entity beans?
I want that all modifications are done through the Session Manager. The
Session manager functions as an intermediate to the entity beans.
I am using CMP on Orion 1.5.1 with Java 1.3.
Eddie
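
The descriptor layout the reply describes, as an added example that is not part of the original thread. The bean, method, class and group names (AccountManager, getBalance, changeBalance, readers, editors) are hypothetical, and the Orion-specific elements (security-role-mapping, principals) are written as assumptions about Orion's descriptor format to be checked against the server's DTDs. The standard ejb-jar.xml method-name element takes an exact method name or `*`, so the methods are listed individually here.

```xml
<!-- WEB-INF/web.xml: the client references only the session facade;
     no ejb-ref is declared for the entity bean. Names are hypothetical. -->
<ejb-ref>
  <ejb-ref-name>ejb/AccountManager</ejb-ref-name>
  <ejb-ref-type>Session</ejb-ref-type>
  <home>com.example.AccountManagerHome</home>
  <remote>com.example.AccountManager</remote>
</ejb-ref>

<!-- META-INF/ejb-jar.xml (assembly-descriptor only): J2EE roles and the
     facade methods each role may call. -->
<assembly-descriptor>
  <security-role><role-name>client</role-name></security-role>
  <security-role><role-name>mutator</role-name></security-role>
  <method-permission>
    <role-name>client</role-name>
    <method>
      <ejb-name>AccountManager</ejb-name>
      <method-name>getBalance</method-name>
    </method>
  </method-permission>
  <method-permission>
    <role-name>mutator</role-name>
    <method>
      <ejb-name>AccountManager</ejb-name>
      <method-name>changeBalance</method-name>
    </method>
  </method-permission>
</assembly-descriptor>

<!-- META-INF/orion-ejb-jar.xml (assembly-descriptor only): map each J2EE
     role to an Orion group (element names assumed, see lead-in). -->
<assembly-descriptor>
  <security-role-mapping name="client"><group name="readers" /></security-role-mapping>
  <security-role-mapping name="mutator"><group name="editors" /></security-role-mapping>
</assembly-descriptor>

<!-- principals.xml: the Orion groups the mappings refer to (assumed layout). -->
<principals>
  <groups>
    <group name="readers"><description>may call get methods</description></group>
    <group name="editors"><description>may call change methods</description></group>
  </groups>
</principals>
```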