I am trying to solve a problem where I want to prevent certain codepaths in my app from doing local JNDI lookups. Those codepaths run user-supplied code (scripts) and I don't want them to be able to look up local SLSBs, etc., but only use an "official" API of ours.
This is what security manager and some kind of permission would be ideal for - the dangerous code would be run in an access control context WITHOUT some kind of permission to do the JNDI lookup while the rest of the application would have that permission.
When I saw org.jboss.as.naming.JndiPermission I thought I'd found exactly that. But doing a JNDI lookup without that permission still seems to work.
Is that a bug or a "feature"? How else should I approach my problem?
Of course, I could add an interceptor on all the EJB calls that would check for that permission (or lack thereof), but I don't like that approach that much because of the higher performance impact. It is better to do one check when looking up an EJB than to do the check every time the EJB is used.
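The "one check at lookup time" approach described above, as an added example that is not code from the original post or from JBoss: the script is run under an AccessControlContext that carries no permissions, and the official API performs an explicit JndiPermission check before delegating to JNDI, so enforcement does not depend on the container doing it. It assumes the JndiPermission(String name, String actions) constructor with a "lookup" action; the ScriptSandbox class and its method names are hypothetical.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Permissions;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;

import javax.naming.Context;
import javax.naming.NamingException;

import org.jboss.as.naming.JndiPermission; // assumed (name, actions) constructor

public final class ScriptSandbox {

    // A static ProtectionDomain with an empty PermissionCollection: it never
    // consults the Policy, so any checkPermission reached from a stack that
    // includes it fails, regardless of what the calling code itself may hold.
    private static final AccessControlContext NO_PERMISSIONS =
        new AccessControlContext(new ProtectionDomain[] {
            new ProtectionDomain(null, new Permissions())
        });

    /** Runs user-supplied script code with the restricted context on the stack. */
    public static <T> T runScript(PrivilegedExceptionAction<T> script) throws Exception {
        try {
            // The restricted context is intersected with the caller's own rights,
            // so the script can only ever lose privileges here, never gain them.
            return AccessController.doPrivileged(script, NO_PERMISSIONS);
        } catch (PrivilegedActionException e) {
            throw e.getException();
        }
    }

    /**
     * The single check at lookup time. Application code (not running under
     * NO_PERMISSIONS) passes; a script calling this throws AccessControlException
     * before the lookup happens, so no per-call EJB interceptor is needed.
     */
    public static Object lookup(Context ctx, String name) throws NamingException {
        // Explicit check, so we are not relying on the container to enforce it.
        AccessController.checkPermission(new JndiPermission(name, "lookup"));
        return ctx.lookup(name);
    }
}
```

Because the check is an explicit AccessController.checkPermission, it fails closed for the script even if the naming subsystem itself never consults JndiPermission; the rest of the application still needs the permission granted to its own code source in the policy.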