3 Replies Latest reply on Oct 4, 2005 12:43 AM by skitching

    security: finer grained than method access?

    kbowen9
    kbowen9 Sep 29, 2005 6:42 PM

      I'm a newbie to j2ee/ejb/jboss, so this may be a stupid question, but if someone could point me in the right direction I'd appreciate it.

      Is it possible to do role based security constraints on things at a finer grain than method access? For instance, on the arguments passed to a setter on an entity bean? In other words, I want to constrain the values that it's possible to set a bean property to, but have the constraints vary by the user/role calling it. Is this possible?

      • 3405 Views
      • Tags:
        • 1. Re: security: finer grained than method access?
          skitching
          skitching Sep 29, 2005 9:08 PM (in response to kbowen9)

          Your code can call

          if (ejbContext.isCallerInRole("some-role-name")) {
          ...
          }

          where ejbContext is of type javax.ejb.EJBContext.

          Is this what you were looking for?

            • Actions
          • 2. Re: security: finer grained than method access?
            kbowen9
            kbowen9 Sep 30, 2005 3:57 PM (in response to kbowen9)

            so are you saying I should put those calls in the code of my setters? If this is an entity bean we're talking about, won't that prevent the bean from getting set up properly? If I'm understanding things correctly, doesn't the entity manager, when it instantiates an entity bean, do a new() and then call the beans setters with the values it finds in the database? So if I have user/role checks in the code of my setters, won't they fail when called by the entity manager? What would isCallerInRole return when being called during initial setup of an entity bean by the entity manager?

              • Actions
            • 3. Re: security: finer grained than method access?
              skitching
              skitching Oct 4, 2005 12:43 AM (in response to kbowen9)

              Well, this sort of stuff about who is allowed to assign what values to certain entity bean properties is really *business rules*. And business rules are supposed to reside in the session beans, not in the entities. Entity beans should never be exposed directly to "users", only accessed via session beans.

              Calls to ejbContext.isUserInRole will work fine in the session beans...

                • Actions