This might not be supported in future?
Currently in JBoss the same thread that accepts the RMI request calls the bean. This might be changed in a future version.
Is there then a way to accomplish the same thing in a way that won't break? i.e., is there a "right" way to do this?
What are you trying to do with the IP address?
We have a sensitive application. One of the security checks that we do is to make sure that our methods are being invoked from a "known host".
You shouldn't really code security into the bean.
Especially, since it won't catch all methods.
Some of the methods are implemented by the
container (your code in the bean won't stop these).
If you want to deny access from an ip address have a
add a customized socket that only accepts certain
This puts your check in the RMI layer which will
always allow your code. It will also trap all access.
Adrian, thanks - haven't checked back in a while. This entire EJB is an authentication/authorization module. We'll have methods like authenticate(userid, password) and isApplicationEnabled(userid, appplid). I'm aware of (but not conversant in) the security mechanism in the EJB framework, but we want something that will work for all our applications, and is more fine-grained than just roles. So we are rolling our own. Rather than filter out unknown hosts at the RMI level, I'd rather let them through, then reject them through our standard hierarchy of exceptions.