3 Replies Latest reply on Oct 4, 2005 12:43 AM by Simon Kitching

    security: finer grained than method access?

    Kevin Bowen Newbie

      I'm a newbie to j2ee/ejb/jboss, so this may be a stupid question, but if someone could point me in the right direction I'd appreciate it.

      Is it possible to do role based security constraints on things at a finer grain than method access? For instance, on the arguments passed to a setter on an entity bean? In other words, I want to constrain the values that it's possible to set a bean property to, but have the constraints vary by the user/role calling it. Is this possible?

        • 1. Re: security: finer grained than method access?
          Simon Kitching Newbie

          Your code can call

          if (ejbContext.isCallerInRole("some-role-name")) {
          ...
          }

          where ejbContext is of type javax.ejb.EJBContext.

          Is this what you were looking for?

          • 2. Re: security: finer grained than method access?
            Kevin Bowen Newbie

So are you saying I should put those calls in the code of my setters? If this is an entity bean we're talking about, won't that prevent the bean from getting set up properly? If I'm understanding things correctly, doesn't the entity manager, when it instantiates an entity bean, do a new() and then call the bean's setters with the values it finds in the database? So if I have user/role checks in the code of my setters, won't they fail when called by the entity manager? What would isCallerInRole return when being called during initial setup of an entity bean by the entity manager?

            • 3. Re: security: finer grained than method access?
              Simon Kitching Newbie

              Well, this sort of stuff about who is allowed to assign what values to certain entity bean properties is really *business rules*. And business rules are supposed to reside in the session beans, not in the entities. Entity beans should never be exposed directly to "users", only accessed via session beans.

              Calls to ejbContext.isUserInRole will work fine in the session beans...
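The pattern described in the last two replies (plain setters on the entity, role-dependent value constraints enforced in a session bean via EJBContext.isCallerInRole) as an added example; this is not code from the thread or from JBoss. The bean class, the AccountLocal interface, the role names "manager" and "clerk" and the limit values are all assumptions constructed for the illustration.

```java
// Added example: a stateless session bean (EJB 2.x style) that applies
// role-dependent constraints before delegating to an entity bean's setter.
// The entity's setter stays a plain setter, so the container can still
// populate the entity from the database without any role check getting
// in the way. Assumed: roles "manager" and "clerk" declared as
// <security-role-ref> names in ejb-jar.xml, and an entity local interface
// AccountLocal (hypothetical) exposing setCreditLimit(double).
import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class AccountServiceBean implements SessionBean {

    // Hypothetical local interface of the entity bean; its setter has no
    // security logic of its own.
    public interface AccountLocal {
        double getCreditLimit();
        void setCreditLimit(double limit);
    }

    // Constructed policy values: the highest credit limit each role may set.
    private static final double CLERK_MAX = 1000.0;
    private static final double MANAGER_MAX = 50000.0;

    // SessionContext extends javax.ejb.EJBContext, which provides isCallerInRole.
    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() throws CreateException {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}

    // Business method: the business rule ("who may set what value") lives
    // here, in the session bean, not in the entity.
    public void changeCreditLimit(AccountLocal account, double newLimit) {
        double max = maxLimitForCaller();
        if (newLimit < 0 || newLimit > max) {
            // Throwing an EJBException marks the transaction for rollback,
            // so a rejected value never reaches the entity.
            throw new EJBException("credit limit " + newLimit
                    + " is outside what the caller's role may set (max " + max + ")");
        }
        account.setCreditLimit(newLimit);
    }

    // Maps the caller's role to the value range it is allowed to use.
    // The strings are logical <security-role-ref> names, mapped to real
    // roles in the deployment descriptor.
    double maxLimitForCaller() {
        if (ctx.isCallerInRole("manager")) {
            return MANAGER_MAX;
        }
        if (ctx.isCallerInRole("clerk")) {
            return CLERK_MAX;
        }
        throw new EJBException("caller has no role permitted to change credit limits");
    }
}
```

Because the entity's setCreditLimit contains no role check, the container can call it while loading the entity from the database (the concern raised in reply 2) and only the session bean's changeCreditLimit applies the per-role constraint. The role names used with isCallerInRole must be declared with <security-role-ref> elements for the session bean in ejb-jar.xml, otherwise the check has nothing to map them to.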