0 Replies Latest reply on Jun 25, 2004 10:38 AM by snavjot

    Proper Usage of Security at WEB and EJB layer?



      I have just read an article on JavaWorld about J2EE/JAAS.

      I understand that there will be apps that do care about method-level security of enterprise beans, be they session or entity beans. With entity beans, probably, this is J2EE's answer for coping with database-level user permissions.

      But most apps hardly need these method-level restrictions. All they are concerned about is security at the WEB layer.

      I just want my application to be secure in terms of users/roles at the WEB layer, where I can specify that action A can be called by role R and that's it. Which session bean they call, and which entity bean gets called in turn, I don't care about. But I think that this way my enterprise beans can be called by anyone.

      Now what I want is something like this: every request to an enterprise bean carries one role defined by me in my WEB app. All of my enterprise beans will be security-constrained by that one role.

      How can I go about it? Please comment if you find that my approach is wrong, and please suggest what I should do then.

      Any help or pointers would be appreciated.
      Navjot Singh
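The arrangement the post asks for (roles enforced at the web layer, every EJB call made under one internal role, every bean restricted to that role) maps onto standard Servlet 2.3 / EJB 2.0 deployment descriptors: a `security-constraint` in web.xml for the user-facing role, a `run-as` on the servlet so the container swaps the caller's identity for a fixed role before it calls out to EJBs, and one `method-permission` per bean granting only that role. The descriptors below are an added example written for this thread, not code from the original post; the role names `R` and `EJBCaller`, the servlet class `com.example.ActionServlet`, the bean `OrderFacade`, the URL `/actionA` and the JBoss security domain `java:/jaas/myapp` are all assumed names.

```xml
<!-- ===== web.xml (Servlet 2.3) ===== -->
<web-app>

  <servlet>
    <servlet-name>ActionServlet</servlet-name>
    <servlet-class>com.example.ActionServlet</servlet-class>
    <!-- Every EJB call made from this servlet is made as role "EJBCaller",
         not as the logged-in user. The role must also be declared in a
         <security-role> element below. -->
    <run-as>
      <role-name>EJBCaller</role-name>
    </run-as>
  </servlet>

  <servlet-mapping>
    <servlet-name>ActionServlet</servlet-name>
    <url-pattern>/actionA</url-pattern>
  </servlet-mapping>

  <!-- Only users in role R may invoke action A. No <http-method> is listed
       on purpose: listing e.g. GET and POST would leave HEAD, PUT, DELETE,
       OPTIONS and TRACE unconstrained; omitting it covers all methods. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Action A</web-resource-name>
      <url-pattern>/actionA</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>R</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role><role-name>R</role-name></security-role>
  <security-role><role-name>EJBCaller</role-name></security-role>

</web-app>

<!-- ===== ejb-jar.xml (EJB 2.0) ===== -->
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>OrderFacade</ejb-name>
      <home>com.example.OrderFacadeHome</home>
      <remote>com.example.OrderFacade</remote>
      <ejb-class>com.example.OrderFacadeBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>

  <assembly-descriptor>
    <security-role>
      <role-name>EJBCaller</role-name>
    </security-role>
    <!-- Every method of every bean is reachable only by EJBCaller. Repeat the
         <method> element for each session AND entity bean in the jar; a bean
         left out has no permission entry and is not protected by this rule. -->
    <method-permission>
      <role-name>EJBCaller</role-name>
      <method>
        <ejb-name>OrderFacade</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>

<!-- ===== jboss.xml (assumed JBoss 3.x; same value goes in jboss-web.xml) =====
     Without a security domain JBoss does not install its security interceptor
     on the beans, so the method-permission above is never checked. -->
<jboss>
  <security-domain>java:/jaas/myapp</security-domain>
</jboss>
```

Two things to check after deploying this. First, call a bean directly through JNDI from a standalone client without logging in: the call must fail with a security exception, which is the only proof that the method permissions are really enforced and not just declared. Second, be aware that `run-as` replaces the identity the beans see, so `EJBContext.getCallerPrincipal()` inside a bean returns the run-as principal, not the end user; if any bean needs to know who the user is, pass the user name as a method argument or drop `run-as` and give the beans the real user roles instead.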