Did you describe your security solution in detail, even including it in a component diagram or sequence diagram?
No, only what solution I selected for each client type and how credentials are exchanged between instance servers (if your architecture is distributed).
Would you be able to share how you have used the Mileage Account in FBN? Did you access the FMS database directly?
It's up to you to choose the solution which meets all requirements; you should keep in mind ease of use, performance, security, reliability, read-only or read/write requests... For the assignment I think that you have the choice between screen scraping and JDBC.
Did you include the DAO, EJB, Business Delegate classes in your class diagram?
Can you tell me your assumptions' structure?
My class diagram was neutral, only business objects. Read my first post for my documentation structure. In the assumptions chapter I tried to refine and clarify the use cases (without breaking the requirements); use cases should be compatible. I also wrote what I understood from the interviews and the BDOM.
I have already gone through the Redbook chapters on security.
JAAS is programmatic security. Can I implement JAAS on a stand-alone client in conjunction with declarative EJB security, or will I have to call EjbContext methods getCallerP in my EJBs to perform authorization (programmatic EJB security)?
Did you specify the components which will be protected/unprotected, or will just the approach used suffice?
Yes, you can when JAAS is activated on the server; at the application installation step, you map security roles to users/groups. You may use the default server implementation of JAAS or your own, and you configure the server to use it, but I think that you don't have to go to this level of detail. If your standalone application runs inside a J2EE client container and you configure the CSIv2 standard, you have nothing to add. Usually getCallerPrincipal and isCallerInRole are used when you want fine control over method execution; for example, you may have a constraint on a method execution: "if condition == true OK for the role defined in the security-role-ref element". You may also use getCallerPrincipal if you want to monitor and log travel agents' activities.
The approach used will suffice.
Can you share your PART III exam experience?
How lengthy was your answer?
Don't worry about part III. I recommend studying your submission carefully before taking the test; your answers should be coherent with what you wrote in your documentation.
[ October 21, 2005: Message edited by: Akar Rafidj ]
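
The programmatic check described in the answer above (a role test combined with a runtime condition, plus logging of the caller), as an added example that is not part of the original post. To run without a container it uses a stand-in interface with the same two method signatures as `javax.ejb.EJBContext`; the role name, the mileage limit and the method `redeemMiles` are hypothetical.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.logging.Logger;

public class ProgrammaticCheckExample {
    // Stand-in (assumption) for the two javax.ejb.EJBContext methods named
    // in the thread, with the same signatures, so this runs stand-alone.
    interface CallerContext {
        Principal getCallerPrincipal();
        boolean isCallerInRole(String roleName);
    }

    static final Logger AUDIT = Logger.getLogger("audit");
    // Hypothetical role-name, as it would appear in a security-role-ref.
    static final String AGENT_ROLE = "TravelAgent";
    static final int AGENT_MILES_LIMIT = 50_000; // constructed business rule

    private final CallerContext ctx;
    ProgrammaticCheckExample(CallerContext ctx) { this.ctx = ctx; }

    // Declarative security decides who may call the method at all; the code
    // adds only the condition a deployment descriptor cannot express.
    int redeemMiles(int miles) {
        String caller = ctx.getCallerPrincipal().getName();
        boolean allowed = ctx.isCallerInRole(AGENT_ROLE)
                && miles > 0 && miles <= AGENT_MILES_LIMIT;
        // Record every attempt, allowed or denied, with the caller identity.
        AUDIT.info("caller=" + caller + " op=redeemMiles miles=" + miles
                + " allowed=" + allowed);
        if (!allowed) {
            throw new SecurityException("redeemMiles denied for " + caller);
        }
        return miles;
    }

    // Builds a constructed caller for the demonstration in main().
    static CallerContext caller(String name, String... roles) {
        return new CallerContext() {
            public Principal getCallerPrincipal() { return () -> name; }
            public boolean isCallerInRole(String r) { return Arrays.asList(roles).contains(r); }
        };
    }

    public static void main(String[] args) {
        ProgrammaticCheckExample bean =
                new ProgrammaticCheckExample(caller("agent42", AGENT_ROLE));
        System.out.println(bean.redeemMiles(10_000)); // in role, within limit
        try {
            bean.redeemMiles(80_000); // in role, but the condition fails
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```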