Some important doubts on security, Session and Entity beans....

 
Ranch Hand
Posts: 205
Hi,

I am planning to take the exam in a few days and I have had the doubts below in my mind for a long time. Please clarify them:


1. If a method of the Bean is not included in the <method-permission> element and it is not marked as <unchecked/>, does that mean the method should not be accessed by anyone?

2. Which methods should be included in the <method-permissions> or <unchecked/> sections? (It is clear for transactions which should be included and which should not.)

3. If a role is not mentioned in the <security-role> element, can this role access the methods declared as <unchecked/>?

4. If a bean is using <cmr-field>, should these be declared in the <ejb-ref> section or not?

5. In stateful session beans, in the setSessionContext() method, why couldn't I get the client information? In this method, the container knows for whom (the client) it is creating the bean.

6. In stateless session beans, in the ejbCreate() method, how can I get the reference to EJBObject? EJBObject is created when the client calls the create method, and ejbCreate() is called when the container wants to make the bean and keep it in the pool.

Thanks in Advance,
 
Author & Gold Digger
Posts: 7617
1. If a method of the Bean is not included in the <method-permission> element and it is not marked as <unchecked/>, does that mean the method should not be accessed by anyone?

Section 21.3.2 of the EJB 2.0 specification:


It is possible that some methods are not assigned to any security roles nor contained in the exclude-list element. In this case, it is the responsibility of the Deployer to assign method permissions for all of the unspecified methods, either by assigning them to security roles, or by marking them as unchecked.



2. Which methods should be included in the <method-permissions> or <unchecked/> sections? (It is clear for transactions which should be included and which should not.)

Section 21.3.2 of the EJB 2.0 specification:


Method permissions are defined in the deployment descriptor as a binary relation from the set of security roles to the set of methods of the home and component interfaces of session and entity beans, including all their superinterfaces (including the methods of the EJBHome and EJBObject interfaces and/or EJBLocalHome and EJBLocalObject interfaces). The method permissions relation includes the pair (R, M) if and only if the security role R is allowed to invoke the method M.



3. If a role is not mentioned in the <security-role> element, can this role access the methods declared as <unchecked/>?

When you declare some methods unchecked you do not specify any role name.

Section 21.3.2 of the EJB 2.0 specification:


The Application Assembler uses the unchecked element instead of a role name in the method-permission element to indicate that a method should not be checked for authorization.



4. If a bean is using <cmr-field>, should these be declared in the <ejb-ref> section or not?

The <cmr-field> element is used in the <ejb-relationship-role> element in the <relationships> section of the deployment descriptor.

5. In stateful session beans, in the setSessionContext() method, why couldn't I get the client information? In this method, the container knows for whom (the client) it is creating the bean.

When setSessionContext is invoked, the session bean has not yet been created, that is ejbCreate() has not yet been called on the session bean instance. Why would the session bean need client information if it has not yet been brought to life?

6. In stateless session beans, in the ejbCreate() method, how can I get the reference to EJBObject? EJBObject is created when the client calls the create method, and ejbCreate() is called when the container wants to make the bean and keep it in the pool.

In ejbCreate() you can freely invoke getEJB(Local)Object on the session context that has just been set.

Hope this helps
 
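A descriptor check for the method-permission rules from section 21.3.2 quoted in the answers above, as an added example that is not part of either post: it classifies each bean method as excluded, unchecked, role-restricted or unspecified (left for the Deployer), and lists role names used in <method-permission> but never declared in <security-role>. The bean, method and role names are constructed, the caller supplies the interface method list, and <method-intf> and <method-params> are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample (EJB 2.0 element names; bean, method and role names are made up).
DESCRIPTOR = """<ejb-jar><assembly-descriptor>
  <security-role><role-name>teller</role-name></security-role>
  <method-permission>
    <role-name>teller</role-name><role-name>auditor</role-name>
    <method><ejb-name>Account</ejb-name><method-name>getBalance</method-name></method>
    <method><ejb-name>Account</ejb-name><method-name>withdraw</method-name></method>
  </method-permission>
  <method-permission>
    <unchecked/>
    <method><ejb-name>Account</ejb-name><method-name>getBalance</method-name></method>
  </method-permission>
  <exclude-list>
    <method><ejb-name>Account</ejb-name><method-name>remove</method-name></method>
  </exclude-list>
</assembly-descriptor></ejb-jar>"""

def audit(descriptor_xml, bean, interface_methods):
    """Return ({method: status}, [roles used but not declared in <security-role>])."""
    ad = ET.fromstring(descriptor_xml).find("assembly-descriptor")
    declared = {r.findtext("role-name") for r in ad.findall("security-role")}
    roles, unchecked, excluded, used = {}, set(), set(), set()
    def matching(parent):
        # Methods of `bean` listed under parent; "*" stands for every method.
        for m in parent.findall("method"):
            if m.findtext("ejb-name") == bean:
                name = m.findtext("method-name")
                yield from (interface_methods if name == "*" else [name])
    for mp in ad.findall("method-permission"):
        names = [r.text for r in mp.findall("role-name")]
        used.update(names)
        for m in matching(mp):
            if mp.find("unchecked") is not None:
                unchecked.add(m)
            roles.setdefault(m, set()).update(names)
    for el in ad.findall("exclude-list"):
        excluded.update(matching(el))
    status = {}
    for m in interface_methods:
        if m in excluded:        # exclude-list wins: no access at all
            status[m] = "excluded"
        elif m in unchecked:     # unchecked overrides any role assignment
            status[m] = "unchecked"
        elif roles.get(m):
            status[m] = "roles:" + ",".join(sorted(roles[m]))
        else:                    # Deployer must assign roles or mark unchecked
            status[m] = "unspecified"
    return status, sorted(used - declared)
```

A method reported as "unspecified" is the case from question 1: the descriptor says nothing about it, so what callers can do depends on what the Deployer configures.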