EJB object level security

Stefan Müller

Joined: Jun 25, 2008
Posts: 12
Hi *,
I'm trying to implement object-level security for my EJB application. It basically stores objects and performs several actions on the objects. What I need to do is allow only certain users to perform certain actions on certain object instances. From my point of view, this is not possible using the EJB security mechanism because it restricts the users only to certain actions regardless of the object being passed.
Let's give an example:

A user in role "sales" should be able to update only orders which were created in his department. Currently, I can only restrict access to the updateOrder() method.
My idea would be to assign a role not only to the user but also to the object instance (the role could be the department in this case), and only if the user role matches the object role would he be able to perform actions on the object. Is there any native support in EJB for something like this?

- stefan
Paul Sturrock

Joined: Apr 14, 2004
Posts: 10336

Stefan Randsomething, please check your private messages.

JavaRanch FAQ HowToAskQuestionsOnJavaRanch
Bill Shirley
Ranch Hand

Joined: Nov 08, 2007
Posts: 457
Totally doable.

EJB 3.0

I'd even put this code in an interceptor so as not to sully the purity of the session bean code. But, to each his own.

(Chapter 17: Security, p. 422: Programmatic Security, Enterprise JavaBeans 3.0, Burke & Monson-Haefel, O'Reilly)

[ June 25, 2008: Message edited by: Bill Shirley ]

Bill Shirley - bshirley -
if (Posts < 30) JavaRanchFAQ);
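The combination Stefan asked about and Bill points to (declarative @RolesAllowed for the coarse "may call updateOrder() at all" check, plus a programmatic check of the caller's department against the order's department in an @AroundInvoke interceptor) looks like the following. This is an added example, not code from the thread or from the book cited above. The class names DepartmentOrderInterceptor, OrderServiceBean, OrderService and Order, the "dept_<name>" role-naming convention, and the use of JPA to reload the order are all assumptions made for illustration; the EJB 3.0 APIs used (SessionContext.isCallerInRole, getCallerPrincipal, InvocationContext, @Interceptors, @DeclareRoles) are real.

```java
// File: Order.java  (assumed domain entity; the "object role" is its department)
import javax.persistence.Entity;
import javax.persistence.Id;

@Entity
public class Order {
    @Id private Long id;
    private String department;   // e.g. "emea", "apac"; set when the order is created
    private String status;

    public Long getId() { return id; }
    public String getDepartment() { return department; }
    public String getStatus() { return status; }
    public void setStatus(String status) { this.status = status; }
}

// File: DepartmentOrderInterceptor.java  (hypothetical name; added example)
import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;

public class DepartmentOrderInterceptor {

    @Resource
    private SessionContext ctx;          // gives access to the caller's principal and roles

    @PersistenceContext
    private EntityManager em;            // same transaction-scoped context as the bean

    @AroundInvoke
    public Object checkDepartment(InvocationContext ic) throws Exception {
        Object[] params = ic.getParameters();
        if (params.length == 0 || !(params[0] instanceof Order)) {
            // Not an order-scoped method: the container's @RolesAllowed check already ran.
            return ic.proceed();
        }
        Order submitted = (Order) params[0];

        // Never trust the department on the client-supplied object. A caller could
        // relabel a foreign order into his own department before sending it, so the
        // authorization decision is made on the stored instance.
        Order stored = em.find(Order.class, submitted.getId());
        if (stored == null) {
            throw new EJBAccessException("unknown order " + submitted.getId());
        }

        // Stefan's "object role": the user must hold a role named after the order's department.
        String departmentRole = "dept_" + stored.getDepartment();
        if (!ctx.isCallerInRole(departmentRole)) {
            throw new EJBAccessException(ctx.getCallerPrincipal().getName()
                + " is not in role " + departmentRole
                + " and may not modify order " + stored.getId());
        }
        return ic.proceed();
    }
}

// File: OrderService.java  (EJB 3.0 local business interface)
import javax.ejb.Local;

@Local
public interface OrderService {
    void updateOrder(Order order);
}

// File: OrderServiceBean.java
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.interceptor.Interceptors;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;

@Stateless
@DeclareRoles({"sales", "dept_emea", "dept_apac"})   // roles tested via isCallerInRole must be declared
@RolesAllowed("sales")                                // declarative: only "sales" may call any method
@Interceptors(DepartmentOrderInterceptor.class)       // programmatic: per-instance department check
public class OrderServiceBean implements OrderService {

    @PersistenceContext
    private EntityManager em;

    public void updateOrder(Order order) {
        // Only reached if the caller is in "sales" AND in the order's department role.
        Order stored = em.find(Order.class, order.getId());
        stored.setStatus(order.getStatus());
    }
}
```

Two points worth knowing before copying this pattern. The container performs the @RolesAllowed check before it invokes any @AroundInvoke interceptor, so the interceptor only ever sees callers who already passed the coarse role check; the department check is the second, finer gate. On Stefan's performance question: the interceptor costs one extra entity lookup per call, and because the interceptor and the bean share the same transaction-scoped persistence context, the bean's own em.find() for the same id is served from that context rather than by a second query. Each department needs a role of its own (here "dept_emea", "dept_apac") assigned to users in the container's security realm; with many departments it is often simpler to read the caller's department from a user profile looked up by getCallerPrincipal().getName() and compare it to stored.getDepartment() directly.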
Stefan Müller

Joined: Jun 25, 2008
Posts: 12
Okay, clear, that was my idea also: to put additional security checking in an interceptor. The question is whether that is the way with the best performance. If anyone has other suggestions, go ahead...