
Bean Instance Level

 
Diego Amicabile
Greenhorn
Posts: 23
I have trouble understanding this statement (from ejbcertificate)

"declarative security does not allow you to control authorisation at the bean instance level, only at the class level. If you want to control authorisation at the bean instance level you have to use programmatic security"

This is what I understand: you cannot have different security settings for beans instantiating the same class when controlling authorisation programmatically. Do I get it right?

Thanks
 
arunij katiliyar
Greenhorn
Posts: 26
This is how it goes. We cannot achieve instance-level declarative security. We can only achieve declarative security for a bean and not for bean instances.

If you want to achieve such instance-level security, it can only be achieved programmatically, which implies that, depending upon your need, you can set different security settings for beans instantiating the same class using programmatic authorization. Hope this helped you.
 
Srini Madala
Greenhorn
Posts: 16
I too have trouble understanding it. If you want to have security at the instance level, use the programmatic way...

For example, we have a class called "TestBean" and a method "testMethod". Let us assume that we have granted "EmployerRole" in the DD to access this method. So the caller who has "EmployerRole" can access this method on any instance of the TestBean class.

Now let us assume that we need to have security at the instance level, so we put the following code in the class:

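    import javax.ejb.SessionBean;
    import javax.ejb.SessionContext;

    public class TestBean implements SessionBean {
        private SessionContext ctx; // set by the container

        public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
        public void ejbCreate() {}
        public void ejbRemove() {}
        public void ejbActivate() {}
        public void ejbPassivate() {}

        public void testMethod() {
            // ...
            if (ctx.isCallerInRole("AdminRole")) {
                // proceed...
            } else {
                throw new SecurityException("caller is not in AdminRole");
            }
        }
    }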

Here, how are you achieving the instance-level security? However many instances of the class you instantiate, you get the same code and the same logic, and it is applicable to all instances...

I don't get how it is different... Can anyone clarify it, please?
 
Keerthi P
Ranch Hand
Posts: 203

How many instances of the class you instantiate, you get the same code and the same logic and is applicable to all instances...

Srini,
Think of 'instance-level' security as fine grained security logic that is coded based on the 'values' of instance variables (for entity and stateful session beans) or method parameters (for stateless session beans).

Here is a very trivial example:


The above is an example of instance-level security. It does not allow anyone in 'restrictedCustomer' role to have more than 10 items in shopping cart. This security policy may not apply for another instance for the same bean because its 'state' may be different. This type of fine-grained business rules based security policy is difficult to specify in an instance agnostic way.
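
An added example, not part of the original post, of the rule described above: a declarative method permission admits the role to every instance, while the programmatic check also looks at the state of the one instance being called. The bean, method and exception names are assumptions; only the 'restrictedCustomer' role and the 10-item limit come from the post.

```java
import java.util.ArrayList;
import java.util.List;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

// Hypothetical stateful session bean, EJB 2.x style as used in this thread.
// Declarative part (deployment descriptor, not shown): <method-permission>
// lets "customer" and "restrictedCustomer" call addItem() on every instance,
// and a <security-role-ref> declares the role name tested below.
public class ShoppingCartBean implements SessionBean {

    // Application exception: the denial is reported to the caller without
    // the container discarding the bean instance.
    public static class CartLimitException extends Exception {
        public CartLimitException(String message) { super(message); }
    }

    private static final int RESTRICTED_LIMIT = 10; // limit named in the post

    private SessionContext ctx;  // set by the container
    private List<String> items;  // state of THIS instance only

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() { items = new ArrayList<String>(); }
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}

    public void addItem(String itemId) throws CartLimitException {
        // Programmatic part: the decision combines the caller's role with the
        // state of this instance, which a descriptor entry cannot express.
        if (ctx.isCallerInRole("restrictedCustomer")
                && items.size() >= RESTRICTED_LIMIT) {
            throw new CartLimitException(
                    "restrictedCustomer carts hold at most " + RESTRICTED_LIMIT + " items");
        }
        items.add(itemId);
    }

    public int getItemCount() { return items.size(); }
}
```

Two carts owned by callers in the same role get different answers from addItem() once one of them holds 10 items, even though the deployment descriptor treats both instances identically.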
 
Srini Madala
Greenhorn
Posts: 16
Thanks, Keerthi!!! I got it now.
 