3 Replies Latest reply on Mar 23, 2004 11:45 AM by jboss fan

    bean method parameters used in permission checks?

    davout Newbie

      I'm building my first EJB system and have a question about how permissions may be applied to bean methods where the data parameters passed to the method need to be part of the permission check.

      Take an example of where I have a session bean that supports the maintenance of currencies and currency exchange rates.

      For basic CRUD type operations like 'addCurrency' I can use role based security to manage access..

      However, assume that I have a a method like....

      setRate(String aCurrency, Date aDate, double aRate)

      I want to define permissions about who can set rates for different currencies. where only 'fred' can set 'US Dollar' rates, but only 'louis' can set 'Euro' rates.

      Does JBoss include any facilities to handle this type of requirement?

        • 1. Re: bean method parameters used in permission checks?
          jboss fan Newbie

          could you refer to the "How to handle dynamic authorization?" thread. i have a similar requirment, and I've requested Scott if it's actually possible to have an enhancement to add/remove certain transient roles.

          But the bottomline, as I understand it, is that you cannot leverage declarative J2EE security when your roles have to be ascertained dynamically on a per-call basis. You would have to either establish the roles at login time, or go for your own custom role mechanism.

          • 2. Re: bean method parameters used in permission checks?
            davout Newbie

            I sort of assumed straight off that the standard EJB role based declarative permission design wouldn't be able to handle this.

            But given what this business problem is hardly unique, I was wondering whether there was a library/module out there that would tackle this??!!??

            • 3. Re: bean method parameters used in permission checks?
              jboss fan Newbie

              Absolutely my thoughts. Most businesses, as I'm aware of have the needs to evaluate roles based on the relation of the person/system to the entity being acted upon. We have numerous such cases:

              1) Manager updating his/her direct report's data
              2) Group owner updating their group's settings/adding members to their groups et al.

              Unfortunately, looks like we all have to reinvent the wheel, I guess?!