security

What should be the basis to decide to use only declarative security control ? on the same lines what should be the guiding principle to go for application code to implement to control the security? any thoughts?

Declarative security is at the class level.You specify which methods a particular role can call but it means that role call the method on any instance. But if you need instance level security then the programmatic security is the way to go.

For example: When a guy wants to delete a product, somewhere it has to be checked if he is the owner of the product or if he has special privilege to delete the product (like an admin or something). This can be done only within programmatic security.
Whereas if you do not want a whole marketing department to delete products then you can specify declarative security to prevent them from calling the delete method itself.

Hope this helps!!!

Prabhakar Edward
SCJP 1.2
SCWCD 1.4

as for as ejb 2 is considered..
declarative security is the best one..also as prabhakar mentioned its for class level or bean level.
if you want bean instances level go for programmatic one.
but try to avoid it is what every everyone says.

hope this helps.

declarative security is the best one.

Declarative security (or rather, declarative authorization/authentication - security ecompasses much more) may be easiest to use, because the container does a lot of the work. But security requirements differ so widely between projects that I find it hard to support a blanket statement like this.

may be the security requirements require you to use programmatic one.
but think.once you use programmatic security you are locking the bean developer( in EJB )to be tight with operational environment which should not be the case.bean developer should not be thinking about where his beans end up.so how could he say a role named " admin" has acces to it.in an operational environment admin would be something else meant to.

and also main thing when you use programmatic security your program reuse is locked down.also it doesnt support much component development logic.
[ August 28, 2006: Message edited by: cheenu Dev ]

Can anybody give example of Declarative security in deployment descriptor?

Originally posted by cheenu Dev:
once you use programmatic security you are locking the bean developer( in EJB )to be tight with operational environment which should not be the case.bean developer should not be thinking about where his beans end up.so how could he say a role named "admin" has acces to it.in an operational environment admin would be something else meant to.

and also main thing when you use programmatic security your program reuse is locked down.also it doesnt support much component development logic.

I don't see where the operational environment comes into play, why the developer needs to consider where the code is running, or what this has to do with component development.

To give a simple example of what I mean by programmatic security, let's say there are two user groups called "foo" and "bar". Both are allowed to retrieve records of type "baz", but which ones they are allowed to see depends on which group they belong to. This is a very common situation.

Using declarative security we can restrict foo users to calling the "getAllBazForFoo" method, while bar users are restricted to "getAllBazForBar". So far, so good. But we still need to have code somewhere that distinguishes between both groups, something like:

if (isCallerInRole("foo")) getAllBazForFoo(); else (isCallerInRole("bar")) getAllBazForBar();

As an alternative, we might just as well not use declarative security, and keep this code inside a "getAllBaz" method where the distinction is made.

This kind of logic will be part of the code; the only unknown is, who is part of which role - that is up to the container to determine. It could even break down onto the user level, which makes the container-provided authorization control unusable, because we do not want to declare a role for each user.

hey did you forgot if you do the coding as shown by you..
you will have to do this:
<security-role-ref><role-name> -- closing tags

not with that alone..may be as developer your part is over.
then app assembler needs to put this
<role-link>

where role-link links to role that app assembler created logically.

then again deployer has to map those abstract roles to the real roles in the operational environment. oops these things need to happen.

i do accept in certain (many) cases as developers all will tend to use the programmatic security a lot.

i accept other peoples view and discussion in this topic..as our views might be different than that of them.

If we do what cheenu is suggesting then we do not need to do anything programmatically for security as shown in the if ...(foo)...right??

Declarative security alone is not sufficient for a successful security implementation in a EJB project. You need to do both declarative and programmative security, depending upon your security requirements.

Its not a case of which one is good (or) which one is bad. You need to analyze the security requirements and come to a decision as to what will make your life easier.

i do accept dawson point of view.

as for veena madhukar
i did not suggest that you should not use programmatic security.
i just stressed its facts with its counterpart the declarative one.

[ August 29, 2006: Message edited by: cheenu Dev ]
[ August 29, 2006: Message edited by: cheenu Dev ]