Hi *, I'm trying to implement object-level security for my EJB application. It basically stores objects and performs several actions to the objects. What I need to do is allow only certain users to perform certain actions to certain object instances. From my point of view, this is not possible using the EJB security mechanism because this restricts the users only to certain actions regardless of the object being passed. Let's give an example:
A user in role "sales" should be able to update only orders which were created in his departement. Currently, I can only restrict access to the updateOrder()-method. My idea would be to assign a role not only to the user but also to the object instance (role could be the department in this case) and only if the user-role matches the object-role, he'll be able to perform actions to the object. Is there any native support in EJB for something like this?