2 Replies Latest reply on Feb 9, 2005 7:14 PM by Craig Berry

    Security of CMP

    Artem Golubev Newbie

      Let us have table1 = (id int, text char(20)), where id is primary key.
      Imagine the situation, that user1 asked access to table1 with id=1
      and it was created a CMP bean, that contains data for this row.
      Is it possible, that some user2 can access to this CMP object?

        • 1. Re: Security of CMP
          Scott Stark Master

          The j2ee security model is role based and does not allow for constraints based on state of the call or target object. This can be done using a custom security interceptor in the ejb container.

          • 2. Re: Security of CMP
            Craig Berry Newbie

            To clarify a bit, that it is role-based is a non sequitur; one could easily imagine (and not-quite-so-easily implement) role based access rules based on entity values.

            The point is that the out-of-the-box EJB security model offers only control at the bean class level -- that is, users in role X can see beans of type Y but not Z.