-
1. Re: does ejbCreate() require a permission
darranl Oct 24, 2005 6:49 AM (in response to vinay_ven)Yes you are missing the point, you are confusing the relationship between the create method on the home interface and the ejbCreate method of the bean implementation.
-
2. Re: does ejbCreate() require a permission
vinay_ven Oct 24, 2005 8:12 AM (in response to vinay_ven)Hi,
but there is no point in giving access rights to the call back methods right.
why should there be any permissions allotted to the callback methods.
ideally one would want to permission the business methods.
i would be grateful if you can please clarify.
Thanks
vinay -
3. Re: does ejbCreate() require a permission
darranl Oct 24, 2005 8:22 AM (in response to vinay_ven)But the message is not about securing the callback methods, the callback methods are ejbCreate and ejbRemove and when these are called is not directly related to the calls from the client.
The method you are securing is the create method of the home interface and the reason for securing this is to say which users are allowed to get access to the components remote interface. -
4. Re: does ejbCreate() require a permission
vinay_ven Oct 24, 2005 8:32 AM (in response to vinay_ven)Hi,
thanks a lot for your help.
but once you have given permissions to the business methods, is there any point in controlling access to remote object creation?.
let us assume that a user who does not have access to any of the business method logs in , in that case the container would anyways throw a security exception.
I think we need to put in unecessary code and this would also mean that if i have configured 20 roles for the bean for 20 different business methods, all of them will have an entry for the create method will is really a pain.
please correct me if i'm wrong.
thanks a lot agian for your help
lookiing for to your reply
Thanks
Vinay -
5. Re: does ejbCreate() require a permission
darranl Oct 24, 2005 8:46 AM (in response to vinay_ven)Ok in that scenario instead of specifying the roles in the
<method-permission>
element you can add an element<unchecked/>
to disable the checking of the roles. -
6. Re: does ejbCreate() require a permission
vinay_ven Oct 24, 2005 9:00 AM (in response to vinay_ven)Hi,
sorry i've not used the unchecked option. but can it be applied at a method level or at a class level?
if it can be applied at the class level, then it would be difficult because i need to permission some business methods.
looking forward to your reply
Thanks
Vinay -
7. Re: does ejbCreate() require a permission
darranl Oct 24, 2005 9:10 AM (in response to vinay_ven)It can be applied at method level, basically you would define a method-permission element that contains method elements that describe the method you do not want security checks for - within this method-permission you would put the unchecked element instead of adding the role-name elements.
<method-permission> <unchecked/> <method> <ejb-name>EmployeeService</ejb-name> <method-name>*</method-name> </method> </method-permission>
The remaining methods can be secured in the same way that you are currently securing them. -
8. Re: does ejbCreate() require a permission
vinay_ven Oct 24, 2005 9:45 AM (in response to vinay_ven)thanks a lot for your help.