JavaRanch » Java Forums » Java » EJB and other Java EE Technologies
how to restrict the user in ejb?

senthil sen
Ranch Hand

Joined: Oct 10, 2002
Posts: 184
I want to restrict the users for the bean. How can I do this?
If I change the instance pool of the server, all the clients accessing the beans will be restricted, so I want to restrict the user to that particular bean.
Can I do this in the deployment descriptor of WebLogic? How many ways can we do this?
Kyle Brown
author
Ranch Hand

Joined: Aug 10, 2001
Posts: 3892
    
    5
You can't restrict a user to a particular bean instance -- the EJB specification does not allow that -- security is role based, and not instance based. The closest you can come is to have code in each of your bean methods that says (in effect -- I'm working from memory here as to the method names)
    Principal principal = getCallerPrincipal();
    if ((principal == "Bob") && (someInstanceVar == "some identifier")) {
        // allow access to logic
    } else {
        // disallow access to logic and throw exception
    }
Kyle


Kyle Brown, Author of Persistence in the Enterprise and Enterprise Java Programming with IBM Websphere, 2nd Edition
See my homepage at http://www.kyle-brown.com/ for other WebSphere information.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15962
    
  19

Like Kyle said, security in J2EE is role-based. Bob may get fired tomorrow, but someone else may take over his duties.
So the better way of handling things like this is to analyze the system as a whole and determine what roles exist. For example "ranchhand", "bartender", "sheriff", etc. Then you can restrict access to the system components (both EJB and otherwise) based on those roles. If, for example, a JavaRanch message thread is managed by an EJB, you could take advantage of the fine-grained access control to allow only the "bartender" and "sheriff" role users to invoke the method that moves the thread to a more appropriate forum.


Customer surveys are for companies who didn't pay proper attention to begin with.
Michael Arndt
Greenhorn

Joined: Feb 25, 2003
Posts: 21
Hi. First I would like to comment on Kyle's post:

    Principal principal = getCallerPrincipal();
    if ((principal == "Bob") && (someInstanceVar == "some identifier")) {
        // allow access to logic
    } else {
        // disallow access to logic and throw exception
    }

The methods getCallerPrincipal() and isUserInRole(String rolename) are defined in the EJBContext interface. And comparing "Bob" with a Principal might work better like this:

And then, like Tim said, roles are by far the better approach. In the deployment descriptor you can map declarative roles to programmatic approaches ...

and in the ejb-jar.xml:
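As an added example (not descriptor text from any post in this thread), here is what the declarative side of Tim's JavaRanch roles looks like in an EJB 2.0 ejb-jar.xml, including the security-role-ref that links the role name a bean's code passes to isCallerInRole() to the role the assembler declares. The ThreadManager bean, its package and its method names are assumed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN"
  "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<ejb-jar>
  <enterprise-beans>
    <session>
      <!-- bean and class names are assumed for this example -->
      <ejb-name>ThreadManager</ejb-name>
      <home>com.javaranch.example.ThreadManagerHome</home>
      <remote>com.javaranch.example.ThreadManager</remote>
      <ejb-class>com.javaranch.example.ThreadManagerBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <!-- Programmatic side: the name the bean code uses in
           ctx.isCallerInRole("moderator") is linked to the declared
           role below, so the code never hard-codes deployment role names. -->
      <security-role-ref>
        <role-name>moderator</role-name>
        <role-link>bartender</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>

  <assembly-descriptor>
    <!-- Declarative side: the roles the application knows about. -->
    <security-role><role-name>ranchhand</role-name></security-role>
    <security-role><role-name>bartender</role-name></security-role>
    <security-role><role-name>sheriff</role-name></security-role>

    <!-- Anyone who is logged in may read a thread. -->
    <method-permission>
      <role-name>ranchhand</role-name>
      <role-name>bartender</role-name>
      <role-name>sheriff</role-name>
      <method>
        <ejb-name>ThreadManager</ejb-name>
        <method-name>readThread</method-name>
      </method>
    </method-permission>

    <!-- Only bartenders and sheriffs may move a thread to another forum. -->
    <method-permission>
      <role-name>bartender</role-name>
      <role-name>sheriff</role-name>
      <method>
        <ejb-name>ThreadManager</ejb-name>
        <method-name>moveThread</method-name>
      </method>
    </method-permission>

    <!-- No caller at all may invoke this; the container rejects the call
         before any bean code runs, whatever roles the caller holds. -->
    <exclude-list>
      <method>
        <ejb-name>ThreadManager</ejb-name>
        <method-name>purgeAllThreads</method-name>
      </method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>
```

Two things to check when writing this by hand: do not rely on leaving a method out of every method-permission to deny it, because containers commonly treat unlisted methods as unchecked, so anything nobody should call belongs in the exclude-list; and the mapping from roles to real users and groups is container-specific and lives in the vendor descriptor (for WebLogic, the security-role-assignment elements of weblogic-ejb-jar.xml), not in ejb-jar.xml.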
Kyle Brown
author
Ranch Hand

Joined: Aug 10, 2001
Posts: 3892
    
    5
I think that everyone is missing part of the issue raised in the original post and in my response.
Let's suppose that we have Entity Beans representing Bank Accounts. We want to restrict people to only viewing their OWN accounts, and not those of others.
We can't create a role for each user, that's ridiculous. Instead we have to have an "AccountOwner" role that all Entity beans are controlled under. But that doesn't keep me from looking at your account balance -- if we're both AccountOwners then I have full access to all Accounts, yours included.
So you have to qualify "Getter" methods in Session beans by wrapping your entities like so:
    public BigDecimal getAccountBalance(String accountId) throws AccountAccessException {
        // standard stuff to get the Home from the InitialContext
        Account acct = (Account) home.findByAccountId(accountId);
        String owner = acct.getOwner();
        // ctx is the SessionContext the container passed to setSessionContext()
        if (ctx.getCallerPrincipal().getName().equals(owner)) {
            return acct.getAccountBalance();
        } else {
            throw new AccountAccessException("No access to this account from this user");
        }
    }

Does this make sense?
Kyle
Michael Arndt
Greenhorn

Joined: Feb 25, 2003
Posts: 21
Hi Kyle.
I guess we are running into the old problem that the J2EE spec does not handle security very well. The bank account example is quite a good one: the clerk in a bank might want to get the balance, too. Then the father wants to be able to take a look at the child's account, but is not the owner, etc.
I think JAAS offers quite a nice and better approach to handling situations like these. And there may be other specs and frameworks as well, but I only know this one (if you only know a hammer, every problem is a nail).
Best regards,
Michael.
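The ownership check from Kyle's bank example together with the clerk and father cases Michael raises, written out as an added example; it is not code from either post. EJBContext provides getCallerPrincipal() and isCallerInRole(String); the CallerContext interface below is a stand-in with just those two methods so the class compiles and runs with a plain JDK, and the Account class, the role names, the account ids and the principal names are all constructed for the example.

```java
import java.math.BigDecimal;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Stand-in for the two javax.ejb.EJBContext methods used below, so the
// example compiles with a plain JDK. In a real bean, ctx is the
// SessionContext the container hands to setSessionContext().
interface CallerContext {
    Principal getCallerPrincipal();
    boolean isCallerInRole(String roleName);
}

// Constructed account data; in the thread this is an entity bean found through its home.
final class Account {
    final String owner;           // principal name of the owner
    final Set<String> guardians;  // may view but do not own (the "father" case)
    final BigDecimal balance;

    Account(String owner, Set<String> guardians, BigDecimal balance) {
        this.owner = owner;
        this.guardians = guardians;
        this.balance = balance;
    }
}

class AccountAccessException extends Exception {
    AccountAccessException(String message) { super(message); }
}

// Session-bean style facade. The container's method-permission decides
// whether the caller may call getAccountBalance() at all; this code
// decides whether the caller may see this particular account.
final class AccountService {
    static final String ROLE_OWNER = "AccountOwner";
    static final String ROLE_CLERK = "BankClerk";   // assumed role name
    private final CallerContext ctx;
    private final Map<String, Account> accounts;   // stands in for home.findByAccountId()

    AccountService(CallerContext ctx, Map<String, Account> accounts) {
        this.ctx = ctx;
        this.accounts = accounts;
    }

    BigDecimal getAccountBalance(String accountId) throws AccountAccessException {
        Account acct = accounts.get(accountId);
        // One exception for "no such account" and "not yours", so a caller
        // probing ids cannot learn which ones exist.
        if (acct == null) {
            throw new AccountAccessException("No access to account " + accountId);
        }
        if (ctx.isCallerInRole(ROLE_CLERK)) {
            return acct.balance;          // clerks may read any account
        }
        String caller = ctx.getCallerPrincipal().getName();
        boolean ownsIt = caller.equals(acct.owner);
        boolean guardsIt = acct.guardians.contains(caller);
        if (ctx.isCallerInRole(ROLE_OWNER) && (ownsIt || guardsIt)) {
            return acct.balance;
        }
        throw new AccountAccessException("No access to account " + accountId);
    }

    // Fake context for running outside a container.
    static CallerContext fakeCaller(final String name, final String... roles) {
        final Set<String> roleSet = new HashSet<>(Arrays.asList(roles));
        return new CallerContext() {
            public Principal getCallerPrincipal() {
                return new Principal() { public String getName() { return name; } };
            }
            public boolean isCallerInRole(String roleName) { return roleSet.contains(roleName); }
        };
    }

    public static void main(String[] args) {
        Map<String, Account> db = new HashMap<>();
        db.put("acc-1", new Account("alice", new HashSet<>(), new BigDecimal("100.00")));
        db.put("acc-2", new Account("junior", new HashSet<>(Arrays.asList("bob")), new BigDecimal("25.00")));
        String[][] cases = {
            { "alice", "acc-1" },   // owner reading own account: allowed
            { "alice", "acc-2" },   // owner reading another's account: denied
            { "bob",   "acc-2" },   // guardian of junior: allowed
            { "bob",   "acc-9" },   // unknown id: denied with the same message
        };
        for (String[] c : cases) {
            AccountService svc = new AccountService(fakeCaller(c[0], ROLE_OWNER), db);
            try {
                System.out.println(c[0] + " -> " + c[1] + ": " + svc.getAccountBalance(c[1]));
            } catch (AccountAccessException e) {
                System.out.println(c[0] + " -> " + c[1] + ": denied (" + e.getMessage() + ")");
            }
        }
    }
}
```

The split is the point: the descriptor's method-permission grants the coarse right (BankClerk and AccountOwner may call the method at all), and the data-dependent rule (own account, or an account you are listed as guardian of) is checked in code against the caller principal. Relationships such as the father's right to view belong in the data, not in a role per user.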
senthil sen
Ranch Hand

Joined: Oct 10, 2002
Posts: 184
Thanks, guys.
What if I want to develop a J2EE application which can restrict the number of users?
Say, for example, I want only a certain number of users to use a particular bean. How can I do this? What are the ways to do this?
Michael Arndt
Greenhorn

Joined: Feb 25, 2003
Posts: 21
What kind of behaviour do you plan? Something like a "TooManyConcurrentUsersException" or a waiting/blocking behaviour? Is it a small number of beans, or do you want to limit access to all beans?
I'm thinking of a managed resource with a maximum number of concurrent users, similar to a connection pool.
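As an added example of the "managed resource with a maximum number of concurrent users" described in the reply above (it is not code from the thread), a gate that limits how many distinct principals may be inside a bean's methods at once, with the fail-fast behaviour the reply mentions. The class names, the limit of 2 and the principal names are assumed.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical exception for the fail-fast variant of the limit.
class TooManyConcurrentUsersException extends Exception {
    TooManyConcurrentUsersException(String message) { super(message); }
}

// Admits at most maxUsers distinct principals at once. A principal that
// already holds a slot may make further concurrent calls without taking
// another slot; the slot is released when that principal's last in-flight
// call finishes.
final class UserSlotGate {
    private final int maxUsers;
    private final Map<String, Integer> inFlight = new HashMap<>();

    UserSlotGate(int maxUsers) { this.maxUsers = maxUsers; }

    synchronized void enter(String principalName) throws TooManyConcurrentUsersException {
        Integer calls = inFlight.get(principalName);
        if (calls == null) {
            if (inFlight.size() >= maxUsers) {
                throw new TooManyConcurrentUsersException(
                    "limit of " + maxUsers + " concurrent users reached");
            }
            inFlight.put(principalName, 1);
        } else {
            inFlight.put(principalName, calls + 1);
        }
    }

    synchronized void exit(String principalName) {
        Integer calls = inFlight.get(principalName);
        if (calls == null) {
            return;                    // exit without a matching enter; ignore
        }
        if (calls <= 1) {
            inFlight.remove(principalName);
        } else {
            inFlight.put(principalName, calls - 1);
        }
    }

    synchronized int activeUsers() { return inFlight.size(); }
}

// How a bean method would wrap its body; in a real bean the principal name
// comes from ctx.getCallerPrincipal().getName().
final class LimitedService {
    private final UserSlotGate gate;

    LimitedService(UserSlotGate gate) { this.gate = gate; }

    String doWork(String principalName) throws TooManyConcurrentUsersException {
        gate.enter(principalName);
        try {
            return "work done for " + principalName;
        } finally {
            gate.exit(principalName);  // release even when the body throws
        }
    }

    public static void main(String[] args) throws Exception {
        UserSlotGate gate = new UserSlotGate(2);
        LimitedService svc = new LimitedService(gate);

        // Simulate two users mid-call and a third one trying to enter.
        gate.enter("alice");
        gate.enter("alice");           // same user again: still one slot
        gate.enter("bob");
        System.out.println("active users: " + gate.activeUsers());
        try {
            svc.doWork("carol");
            System.out.println("carol admitted");
        } catch (TooManyConcurrentUsersException e) {
            System.out.println("carol rejected: " + e.getMessage());
        }
        gate.exit("alice");
        gate.exit("alice");            // alice's last call done: slot freed
        System.out.println(svc.doWork("carol"));
        gate.exit("bob");
        System.out.println("active users: " + gate.activeUsers());
    }
}
```

Two caveats before putting this in a bean. The EJB programming restrictions forbid a bean from using thread synchronization primitives, so a static synchronized gate like this is fine for a demonstration but in a container the count should live in a shared resource (a database row updated in the same transaction, or the container's own pooling limits) rather than in bean code. And a counter held in one JVM caps each cluster node separately, so with N nodes the effective limit is N times what you configured.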
Dana Hanna
Ranch Hand

Joined: Feb 28, 2003
Posts: 227
Could you not use a JAAS callback to get the accessible accounts for the current principal based on the underlying database (through EJB or direct SQL)? The underlying SQL would say (assuming a many-to-many user-account relationship; many other SQL statements are possible):
    select ua.acct_id
    from user_acct ua
    where ua.uid = ?1
I'm very new to JAAS, but this seems to be the purpose...
 