
Managing authorization

JeanLouis Marechaux
Ranch Hand

Joined: Nov 12, 2001
Posts: 906
Sounds like a very very simple question for you gurus.
I plan to use J2EE declarative authorization.
1) I've got protected Web resources (jsps). Only the role "admin" can access it.
What occurs if a user associated to another role tries to access it ?
Is it an HTTP 403 error ? If yes, how can I send the error page in a user-friendly form ?
Do I have to use the < exception-type > 403 < exception-type > to associate it to my "beautiful html page" or is there something else better to implement ?
2) Let's say I have the same authorization rule for an EJB method this time.
What occurs when a user not in the admin role tries to access the EJB ? Any specific exception ?
Maybe I'm out of the track.
If you know a better way to manage authorization for web application, please give me clues or urls to refer to.
(My aim is to avoid programmatic security.)
[This message has been edited by Bill Bailey (edited December 19, 2001).]


/ JeanLouis
"software development has been, is, and will remain fundamentally hard" (Grady Booch)
Take a look at Agile OpenUP (http://www.epfwiki.net/wikis/openup/) in the Eclipse community
JeanLouis Marechaux
Ranch Hand

Joined: Nov 12, 2001
Posts: 906

Should I rather use an Intercepting Filter to manage authorizations ?
JeanLouis Marechaux
Ranch Hand

Joined: Nov 12, 2001
Posts: 906
Sounds like I'm alone with this thread
The answer to question 2 is : java.lang.SecurityException
I'm still a little bit confused with authorization process.
I think the J2EE specification is fuzzy about that part.
JeanLouis Marechaux
Ranch Hand

Joined: Nov 12, 2001
Posts: 906
OK, I think I got it now.
Accessing protected resource :
- Error.jsp displayed if authentication failed
- HTTP 403 if authentication succeeds and authorization fails
- Protected resource displayed if both succeed.
(This is how it is implemented in AppServers, but I can't see any reliable info in the specs about the HTTP 403 error)

Sorry if I bothered you with my rookie problem
[This message has been edited by Bill Bailey (edited December 21, 2001).]
 