Elephantwalker,
I see what you mean now, thanks.
But I already do this. That is, the web.xml only refers to the ejb which is
the slsb. Was just wondering how you can tell the ejb module/part that only
the slsb part may be accessed.
If I understand you correctly I should do this through the security role
mapping, or not?
Thanks,
Eddie
- Original Message -
From: The elephantwalker [EMAIL PROTECTED]
To: Orion-Interest [EMAIL PROTECTED]
Sent: Sunday, September 16, 2001 2:17 AM
Subject: RE: Restricting access to only Session Manager ?
The point was to use the facade pattern. Only access the entity bean in the
slsb, and use slsb methods from the servlet or client to mutate data AND get
data. You can also use authentication roles on your slsb methods to
restrict or prevent access.
This is what we do on our www.elephantwalker.com site. We never access an
entity bean directly from a servlet, but use a slsb to do this. This way we
are sure that the correct business methods are being used and coordinated.
Even if we tried to access an entity bean method, we wouldn't be able to
look up the context of the entity bean in the servlet.
Regards,
the elephantwalker
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Eddie Post
Sent: Saturday, September 15, 2001 1:33 PM
To: Orion-Interest
Subject: RE: Restricting access to only Session Manager ?
Elephantwalker,
Thanks (see below)
an ejb reference. This means that your container will not allow you to get
the context for your entity ejb, so you won't be able to call any methods
from the client.
But then I also can't call the entity get methods, or can I? Which is
what I want.
Eddie
From: The elephantwalker [EMAIL PROTECTED]
Reply-To: Orion-Interest [EMAIL PROTECTED]
To: Orion-Interest [EMAIL PROTECTED]
Subject: RE: Restricting access to only Session Manager ?
Date: Sat, 15 Sep 2001 09:31:55 -0700
Eddie,
Use your slsb or sfsb (the session manager) as your facade to the ejb for
all access. In your web.xml or client.xml, only refer to the slsb or sfsb as
an ejb reference. This means that your container will not allow you to get
the context for your entity ejb, so you won't be able to call any methods
from the client.
You can control security on your session manager by creating security
constraints for each method, or for method name patterns. This way, you can
allow the client role access to methods which get*, and mutator role
access to methods change*.
In Orion, you map the roles to groups (role is a j2ee idea, whereas groups
is an Orion deployment specification). The groups are defined in the
principals.xml file of the META-INF directory for the ear file. The group to
role mapping is defined in all of the orion-*.xml files such as
orion-ejb-jar.xml, orion-web.xml, orion-application.xml. This allows the
same group to be assigned to different roles in different applications...a
good idea when you think that various jar/war/ear files may be from
different vendors, and have different names for their j2ee roles.
regards,
the elephantwalker
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Ed Bras
Sent: Saturday, September 15, 2001 3:09 AM
To: Orion-Interest
Subject: Restricting access to only Session Manager ?
Hellu,
How can I configure Orion and my J2EE application such that client
applications are only able to call the get methods of the entity beans ?
I want that all modifications are done through the Session Manager. The
Session manager functions as an intermediate to the entity beans.
I am using CMP on Orion 1.5.1 with Java 1.3.
Eddie
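
Added example, not part of the original thread: a small Python check of the standard deployment descriptors for the two rules discussed above (web.xml references only session beans; the read-only role is granted only get* methods). The descriptors, the bean names (SessionManager, Account) and the `audit` helper are constructed for illustration; the role names client and mutator follow the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors; bean names are hypothetical.
WEB_XML = """<web-app>
  <ejb-ref><ejb-ref-name>ejb/SessionManager</ejb-ref-name>
    <ejb-ref-type>Session</ejb-ref-type><ejb-link>SessionManager</ejb-link></ejb-ref>
  <ejb-ref><ejb-ref-name>ejb/Account</ejb-ref-name>
    <ejb-ref-type>Entity</ejb-ref-type><ejb-link>Account</ejb-link></ejb-ref>
</web-app>"""

EJB_JAR_XML = """<ejb-jar>
  <enterprise-beans>
    <session><ejb-name>SessionManager</ejb-name></session>
    <entity><ejb-name>Account</ejb-name></entity>
  </enterprise-beans>
  <assembly-descriptor>
    <method-permission><role-name>client</role-name>
      <method><ejb-name>SessionManager</ejb-name><method-name>getBalance</method-name></method>
      <method><ejb-name>SessionManager</ejb-name><method-name>*</method-name></method>
    </method-permission>
    <method-permission><role-name>mutator</role-name>
      <method><ejb-name>SessionManager</ejb-name><method-name>changeBalance</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""

def audit(web_xml, ejb_jar_xml, read_role="client"):
    """Return (kind, location) findings where the descriptors break the facade rules."""
    web, jar = ET.fromstring(web_xml), ET.fromstring(ejb_jar_xml)
    entities = {e.findtext("ejb-name") for e in jar.iter("entity")}
    findings = []
    # Rule 1: the web tier may declare references to session beans only.
    for ref in web.iter("ejb-ref"):
        if ref.findtext("ejb-ref-type") == "Entity" or ref.findtext("ejb-link") in entities:
            findings.append(("entity-ref", ref.findtext("ejb-ref-name")))
    # Rule 2: the read-only role may be granted get* methods only.
    # A method-name of "*" grants every method of the bean, mutators included.
    for perm in jar.iter("method-permission"):
        if read_role not in {r.text for r in perm.findall("role-name")}:
            continue
        for m in perm.findall("method"):
            name = m.findtext("method-name") or ""
            if not name.startswith("get"):
                findings.append(("role-too-broad", f"{m.findtext('ejb-name')}.{name}"))
    return findings

if __name__ == "__main__":
    for kind, where in audit(WEB_XML, EJB_JAR_XML):
        print(kind, where)
```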