2 Replies Latest reply on Feb 9, 2005 7:14 PM by craigdberry

    Security of CMP

    artemgolubev

      Let us have table1 = (id int, text char(20)), where id is primary key.
      Imagine the situation that user1 asked for access to table1 with id=1
      and a CMP bean was created that contains the data for this row.
      Is it possible that some user2 can access this CMP object?

        • 1. Re: Security of CMP
          starksm64

          The J2EE security model is role-based and does not allow for constraints based on the state of the call or target object. This can be done using a custom security interceptor in the EJB container.

          • 2. Re: Security of CMP
            craigdberry

            To clarify a bit, that it is role-based is a non sequitur; one could easily imagine (and not-quite-so-easily implement) role-based access rules based on entity values.

            The point is that the out-of-the-box EJB security model offers only control at the bean class level -- that is, users in role X can see beans of type Y but not Z.
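
The gap discussed in this thread, as an added example that is not part of any post above: a role check at the bean-class level admits both user1 and user2 to the row with id=1, while an extra check on the target's primary key admits only its owner. Every type, role name and the ownership rule are hypothetical stand-ins in plain Java (16+), not EJB or JBoss APIs.

```java
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
// Added illustration: every type and name here is hypothetical, not an EJB or JBoss API.
public class InstanceLevelInterceptorDemo {
    // One call into an entity bean: who calls, which bean type, which primary key.
    record Invocation(String caller, String beanType, int primaryKey) {}
    // Constructed sample data: both users hold the same role.
    static final Map<String, Set<String>> ROLES = Map.of(
        "user1", Set.of("Table1Reader"), "user2", Set.of("Table1Reader"));
    // Declarative permission at the bean-class level: role -> callable bean types.
    static final Map<String, Set<String>> PERMISSIONS = Map.of(
        "Table1Reader", Set.of("Table1Bean"));
    // Assumed ownership rule: primary key of table1 -> the only caller allowed.
    static final Map<Integer, String> ROW_OWNER = Map.of(1, "user1", 2, "user2");

    // Out-of-the-box decision: looks only at caller roles and bean type.
    static void roleCheck(Invocation inv) {
        boolean ok = ROLES.getOrDefault(inv.caller(), Set.of()).stream()
            .anyMatch(r -> PERMISSIONS.getOrDefault(r, Set.of()).contains(inv.beanType()));
        if (!ok) throw new SecurityException("role check failed for " + inv.caller());
    }

    // Custom interceptor: also inspects the target's state (its primary key).
    // A key with no owner entry is denied, so the check fails closed.
    static void ownerCheck(Invocation inv) {
        if (!inv.caller().equals(ROW_OWNER.get(inv.primaryKey())))
            throw new SecurityException(inv.caller() + " does not own id=" + inv.primaryKey());
    }

    // Runs the checks in order, then the bean method, and reports the outcome.
    static String call(Invocation inv, boolean withOwnerCheck, Function<Invocation, String> bean) {
        try {
            roleCheck(inv);
            if (withOwnerCheck) ownerCheck(inv);
            return bean.apply(inv);
        } catch (SecurityException e) {
            return "DENIED: " + e.getMessage();
        }
    }
    public static void main(String[] args) {
        Function<Invocation, String> getText = inv -> "text of row " + inv.primaryKey();
        for (String caller : new String[] {"user1", "user2"}) {
            Invocation inv = new Invocation(caller, "Table1Bean", 1);
            System.out.println(caller + " roles only:  " + call(inv, false, getText));
            System.out.println(caller + " with owner:  " + call(inv, true, getText));
        }
    }
}
```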