Some important doubts on security, Session and Entity beans....

Narasimha Rao B.
Ranch Hand
Hi,

I am planning to take the exam in a few days, and I have had the doubts below in my mind for a long time. Please clarify them:


1. If a method of the bean is not included in the <method-permission> element and it is not marked as <unchecked/>, does that mean the method should not be accessed by anyone?

2. Which methods should be included in the <method-permission> or <unchecked/> sections? (For transactions it is clear which should be included and which should not.)

3. If a role is not mentioned in the <security-role> element, can this role access the methods declared as <unchecked/>?

4. If a bean is using <cmr-field>, should these be declared in the <ejb-ref> section or not?

5. In stateful session beans, in the setSessionContext() method, why couldn't I get the client information? In this method the container knows for whom (which client) it is creating the bean.

6. In stateless session beans, in the ejbCreate() method, how can I get the reference to the EJBObject? The EJBObject is created when the client calls the create method, whereas ejbCreate() is called when the container wants to make the bean and keep it in the pool.

Thanks in Advance,
Valentin Crettaz
Gold Digger
Sheriff
1. If a method of the bean is not included in the <method-permission> element and it is not marked as <unchecked/>, does that mean the method should not be accessed by anyone?

Section 21.3.2 of the EJB 2.0 specification:

It is possible that some methods are not assigned to any security roles nor contained in the exclude-list element. In this case, it is the responsibility of the Deployer to assign method permissions for all of the unspecified methods, either by assigning them to security roles, or by marking them as unchecked.


2. Which methods should be included in the <method-permission> or <unchecked/> sections? (For transactions it is clear which should be included and which should not.)

Section 21.3.2 of the EJB 2.0 specification:

Method permissions are defined in the deployment descriptor as a binary relation from the set of security roles to the set of methods of the home and component interfaces of session and entity beans, including all their superinterfaces (including the methods of the EJBHome and EJBObject interfaces and/or EJBLocalHome and EJBLocalObject interfaces). The method permissions relation includes the pair (R, M) if and only if the security role R is allowed to invoke the method M.


3. If a role is not mentioned in the <security-role> element, can this role access the methods declared as <unchecked/>?

When you declare some methods unchecked you do not specify any role name.

Section 21.3.2 of the EJB 2.0 specification:

The Application Assembler uses the unchecked element instead of a role name in the method-permission element to indicate that a method should not be checked for authorization.


4. If a bean is using <cmr-field>, should these be declared in the <ejb-ref> section or not?

The <cmr-field> element is used in the <ejb-relationship-role> element in the <relationships> section of the deployment descriptor.

5. In stateful session beans, in the setSessionContext() method, why couldn't I get the client information? In this method the container knows for whom (which client) it is creating the bean.

When setSessionContext is invoked, the session bean has not yet been created, that is, ejbCreate() has not yet been called on the session bean instance. Why would the session bean need client information if it has not yet been brought to life?

6. In stateless session beans, in the ejbCreate() method, how can I get the reference to the EJBObject? The EJBObject is created when the client calls the create method, whereas ejbCreate() is called when the container wants to make the bean and keep it in the pool.

In ejbCreate() you can freely invoke getEJB(Local)Object on the session context that has just been set.

Hope this helps
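To make the spec passages quoted above for questions 1 to 3 concrete, here is an ejb-jar.xml fragment in the EJB 2.0 deployment-descriptor format. It is an added example, not taken from either post or from any real application: the bean name AccountManager, its interface and class names, the role names and the method names are all made up. It shows the three states a method can be in: assigned to one or more roles via <method-permission> with <role-name>, marked <unchecked/> (no authorization check at all), or placed in the <exclude-list> (callable by nobody). Any method of the home or component interface not listed in any of these is "unspecified", and per section 21.3.2 the Deployer must assign it before deployment.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN"
  "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<ejb-jar>
  <enterprise-beans>
    <!-- Made-up stateless session bean used only for this illustration -->
    <session>
      <ejb-name>AccountManager</ejb-name>
      <home>example.AccountManagerHome</home>
      <remote>example.AccountManager</remote>
      <ejb-class>example.AccountManagerBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>

  <assembly-descriptor>
    <!-- Every role name used in a method-permission below is declared here first -->
    <security-role>
      <description>Staff allowed to operate on accounts</description>
      <role-name>teller</role-name>
    </security-role>
    <security-role>
      <description>Read-only access for audits</description>
      <role-name>auditor</role-name>
    </security-role>

    <!-- (R, M) pairs: teller may invoke transfer and getBalance -->
    <method-permission>
      <role-name>teller</role-name>
      <method>
        <ejb-name>AccountManager</ejb-name>
        <method-name>transfer</method-name>
      </method>
      <method>
        <ejb-name>AccountManager</ejb-name>
        <method-name>getBalance</method-name>
      </method>
    </method-permission>

    <!-- A second pair for the same method: auditor may also call getBalance -->
    <method-permission>
      <role-name>auditor</role-name>
      <method>
        <ejb-name>AccountManager</ejb-name>
        <method-name>getBalance</method-name>
      </method>
    </method-permission>

    <!-- unchecked takes the place of a role-name: no authorization check at all.
         The home interface's create method must be covered too, since the
         permission relation spans home and component interfaces. -->
    <method-permission>
      <unchecked/>
      <method>
        <ejb-name>AccountManager</ejb-name>
        <method-intf>Home</method-intf>
        <method-name>create</method-name>
      </method>
      <method>
        <ejb-name>AccountManager</ejb-name>
        <method-name>getBankName</method-name>
      </method>
    </method-permission>

    <!-- exclude-list: nobody may invoke this method, whatever role they hold -->
    <exclude-list>
      <method>
        <ejb-name>AccountManager</ejb-name>
        <method-name>resetAllAccounts</method-name>
      </method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>
```

The descriptor answers question 3 directly: <unchecked/> replaces the role name, so no role is consulted and the method is reachable by any caller the container lets in. Question 1 is the opposite situation, a method listed nowhere: the container does not silently deny it; the Deployer is expected to assign it to a role, mark it unchecked, or put it in the exclude-list before the application goes live. From a least-privilege standpoint, the safe habit is to enumerate every home and component method explicitly so that nothing is left to the deployment tool's default.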