2 Replies Latest reply on Sep 8, 2010 9:10 AM by jensmander

    Secure access to ejb

    jensmander

      Hi,

       

      I need to secure the access to the bean MyBean. For example:

       

/** some markup */
public interface MyBeanInterface {

    void changeName(int id, String forename, String surname);

    void changeAge(int id, int age);

    void changeAll(int id, String forename, String surname, int age);

    /** some other methods */
}

       

First of all, the deployment descriptor defines a policy such that all methods of the bean MyBean are accessible to every defined role. Additionally, it defines a specific policy for the changeAge method so that only role1 is able to invoke it. When they are invoked directly, everything works fine, but sometimes, if the age differs from the current age, the changeAll method has to call the changeAge method. And this is exactly the point. In this case the container can't perform the security check, because the interceptor object has already delegated the call to the concrete method (changeAll, which is accessible to everyone), and changeAge is invoked as a normal Java call.

So I need a solution for this problem, and I can't change the client-side method invocations of the changeAll method. Is there any kind of design pattern to use, or can anybody tell me how to determine whether a role is able to invoke a specific method, so I can check that manually?

       

      Thanks a lot

       

      Jens

        • 1. Re: Secure access to ejb
          jaikiran
When they are invoked directly, everything works fine, but sometimes, if the age differs from the current age, the changeAll method has to call the changeAge method. And this is exactly the point. In this case the container can't perform the security check, because the interceptor object has already delegated the call to the concrete method (changeAll, which is accessible to everyone), and changeAge is invoked as a normal Java call.

Your changeAll should then look like this (I'm assuming it's EJB3; if not, let us know the exact EJB version):

           

import javax.annotation.Resource;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@Remote(MyBeanInterface.class)
public class MyBean implements MyBeanInterface
{
    // ...

    // container-injected context of the current invocation
    @Resource
    private SessionContext sessionCtx;

    // ...

    public void changeAll(int id, String forename, String surname, int age)
    {
        // do something
        // ...

        // call changeAge() through an EJB proxy so the container applies the EJB
        // semantics (security interceptors, transactions) to the call; a plain
        // this.changeAge(...) would skip them
        MyBeanInterface myBeanProxy = this.sessionCtx.getBusinessObject(MyBeanInterface.class);

        // call on proxy
        myBeanProxy.changeAge(id, age);

        // ...
    }

    // ...
}
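The following is an added, complete EJB 3 example (not code from either poster) that puts the question and the answer side by side: the same bean with the descriptor's two policies expressed as annotations, the self-invocation that bypasses the container's authorization interceptor, the proxy call that restores it, and the manual check the original question asked for. Role names, method signatures and the javax.* EJB 3.0 / Java EE 5 packages are assumptions taken from the thread's context; the bodies that would persist the data are omitted.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/** Remote business interface; signatures assumed to match the question. */
interface MyBeanInterface {
    void changeName(int id, String forename, String surname);
    void changeAge(int id, int age);
    void changeAll(int id, String forename, String surname, int age);
}

/**
 * Annotation equivalent of the deployment descriptor described in the question:
 * every method is open to all defined roles, changeAge() is restricted to role1.
 * (The same rules could stay in ejb-jar.xml method-permission elements; the
 * self-invocation problem and its fix are identical either way.)
 */
@Stateless
@Remote(MyBeanInterface.class)
@DeclareRoles({"role1", "role2"})            // roles assumed for the example
public class MyBean implements MyBeanInterface {

    @Resource
    private SessionContext sessionCtx;

    @PermitAll
    public void changeName(int id, String forename, String surname) {
        // update the stored name (omitted)
    }

    @RolesAllowed("role1")
    public void changeAge(int id, int age) {
        // update the stored age (omitted)
    }

    @PermitAll
    public void changeAll(int id, String forename, String surname, int age) {
        changeName(id, forename, surname);   // same policy as changeAll, nothing to enforce

        // WRONG: a plain self-invocation is an ordinary Java call on the bean
        // instance. It never re-enters the container's interceptor chain, so
        // @RolesAllowed("role1") on changeAge() is silently skipped and any
        // caller allowed into changeAll() can change the age.
        //
        //     this.changeAge(id, age);

        // RIGHT: fetch the container-managed proxy for this bean and call
        // through it. The call passes through the interceptor chain again, so
        // the container evaluates the role check exactly as for a remote
        // client and throws javax.ejb.EJBAccessException for callers outside
        // role1 (which then propagates out of changeAll()).
        MyBeanInterface self = sessionCtx.getBusinessObject(MyBeanInterface.class);
        self.changeAge(id, age);
    }

    /**
     * The manual check the question asked about. Not exposed through the
     * business interface; useful when the bean must branch on the caller's
     * role instead of letting the container reject the nested call.
     */
    public boolean callerMayChangeAge() {
        return sessionCtx.isCallerInRole("role1");
    }
}
```

Two caveats a practitioner should keep in mind. First, the bypass is not specific to security: transactions, other interceptors and pooling semantics are all skipped by `this.method()` for the same reason, so the proxy call (or a separate bean) is the general fix. Second, `isCallerInRole` only answers for roles the container knows about (declared via `@DeclareRoles` or the descriptor's security-role-ref), and it duplicates policy that already lives in the descriptor, so prefer letting the proxy call enforce the rule and use the manual check only where the method genuinely needs to behave differently per role.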
          
          • 2. Re: Secure access to ejb
            jensmander

            Hi,

             

Absolutely brilliant. Thanks a lot.

             

            Regards

             

            Jens