
EJB object level security

 
Greenhorn
Posts: 12
Hi *,
I'm trying to implement object-level security for my EJB application. It basically stores objects and performs several actions to the objects. What I need to do is allow only certain users to perform certain actions to certain object instances. From my point of view, this is not possible using the EJB security mechanism because this restricts the users only to certain actions regardless of the object being passed.
Let's give an example:

A user in role "sales" should be able to update only orders which were created in his department. Currently, I can only restrict access to the updateOrder()-method.
My idea would be to assign a role not only to the user but also to the object instance (role could be the department in this case) and only if the user-role matches the object-role, he'll be able to perform actions to the object. Is there any native support in EJB for something like this?

- stefan
 
Bartender
Posts: 10336
Stefan Randsomething, please check your private messages.
 
Ranch Hand
Posts: 457
Totally doable.

EJB 3.0

I'd even put this code in an interceptor as to not sully the purity of the session bean code. But, to each his own.

(Chapter 17: Security, p422: Programmatic Security, Enterprise JavaBeans 3.0, Burke & Monson-Haefel, O'Reilly)

[ June 25, 2008: Message edited by: Bill Shirley ]
 
Stefan Müller
Greenhorn
Posts: 12
Okay, clear, that was my idea also to put additional security checking in an interceptor. The question is if that is the way with best performance. If anyone has other suggestions, go ahead...
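
The interceptor approach discussed in the replies above, as an added example that is not code from the thread or from the cited book. It assumes a hypothetical `DepartmentOwned` interface on the entities, department names that double as role names (as proposed in the first post), and a single persistence unit.

```java
import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;

/** Hypothetical contract for entities that belong to a department. */
interface DepartmentOwned {
    Object getId();
    String getDepartment();
}

/** Attach with @Interceptors(DepartmentAccessInterceptor.class) on the session bean. */
public class DepartmentAccessInterceptor {

    @Resource
    private SessionContext sessionContext;

    @PersistenceContext   // assumes a single persistence unit
    private EntityManager em;

    @AroundInvoke
    public Object checkInstanceAccess(InvocationContext invocation) throws Exception {
        Object[] params = invocation.getParameters();
        if (params != null) {
            for (Object param : params) {
                if (param instanceof DepartmentOwned) {
                    requireDepartmentRole((DepartmentOwned) param);
                }
            }
        }
        return invocation.proceed();
    }

    private void requireDepartmentRole(DepartmentOwned supplied) {
        // Decide on the stored department: the argument came from the caller,
        // who could have changed its department field before sending it.
        DepartmentOwned stored = supplied.getId() == null
                ? null : em.find(supplied.getClass(), supplied.getId());
        String department = (stored != null ? stored : supplied).getDepartment();
        // Department names double as role names; each one must be declared
        // (@DeclareRoles or <security-role-ref>) for isCallerInRole to resolve it.
        if (department == null || !sessionContext.isCallerInRole(department)) {
            throw new EJBAccessException("Caller '" + sessionContext.getCallerPrincipal().getName()
                    + "' may not act on objects of department '" + department + "'");
        }
    }
}
```

The check uses the stored department only; a method that lets callers change an object's department would also need to check the new value.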
 