Hi.
There is a need to implement database-driven security layer with minimal possible coding. The administrator should have ability to manage roles, users, privileges and so on via web services interface. Investigating this problem i came to the solution of using PolicyConfiguration to set all necessary permissions in PolicyContext which makes all work done. It looks like

PolicyConfigurationFactory pcFactory = PolicyConfigurationFactory.getPolicyConfigurationFactory();
 PolicyConfiguration pc = pcFactory.getPolicyConfiguration("my.jar", true); //TODO

 pc.addToRole("admin", new EJBMethodPermission("MyFacade", "MyEndpoint", MyFacade.class.getMethod("testAuth", new Class[] {})));

In the real app operation name ("testAuth") and role name ("admin") will be read from the DB.

The only doubt i have is how legal is using PolicyConfiguration in the application since javadoc states that "The methods of this interface are used by containers"?


thanx, eugen.