
Security Check in AdviceBean

 
Ailsa Cape
Ranch Hand
Posts: 92
Hello everyone,

After reading chapter 11 of the book HFEJB, I think the ejb-jar.xml file in AdviceBean, which we established in chapter 1, should have declared the <method-permission> tag with at least an <unchecked/> sub-tag in it. For example, it should have the content like,

After reading the file, I find there is only one section, defined by the <enterprise-beans> tag. I know that once deployed properly, the client does access the AdviceBean's business method (getAdvice()) without a problem. Why can a client call the bean's business method freely when it has not declared a method access permission?

Thanks in advance!
Regards,
Ailsa Cape
[ June 03, 2006: Message edited by: Ailsa Cape ]
 
p anish
Ranch Hand
Posts: 32
The client needs to access the bean through the remote/local interface only.
Otherwise the container cannot provide the beanness to the bean (like transaction management, stateless session pooling, etc.). When we call the remote/local interface method, the container steps in and provides all these services.
Another reason is that you cannot access the bean class directly from a remote client. It does not implement the java.rmi.Remote interface.

Hope this clarifies your doubt.
 
Ailsa Cape
Ranch Hand
Posts: 92
Hello p,

Thank you for your reply. I think what we specify in the Deployment Descriptor's <method-permission> section is all the methods from the client view, including the ones coming from a session or entity bean's home and component interfaces, since there is a <method-intf> sub-element in this section whose value can be set to Remote, Home, etc. So I believe that a client must have the security identity to access the business methods defined in the component interface, which should have been granted method permission in the DD. Is that right?

Thanks in advance!
Regards,
Ailsa Cape
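
For readers following the thread, here is an added example (not from the book or from either poster) of the <method-permission> forms discussed above, in an EJB 2.x ejb-jar.xml <assembly-descriptor>. The ejb-name value AdviceBean and the role name advice-user are assumptions made for illustration.

```xml
<!-- Added illustration, not the book's descriptor. This fragment goes inside
     <ejb-jar>, after the <enterprise-beans> section. -->
<assembly-descriptor>

  <!-- Hypothetical role name; it must be mapped to real principals at deploy time. -->
  <security-role>
    <role-name>advice-user</role-name>
  </security-role>

  <!-- Form 1: <unchecked/> states explicitly that the container performs no
       authorization check on the listed method. Here it covers only create()
       on the home interface. -->
  <method-permission>
    <unchecked/>
    <method>
      <ejb-name>AdviceBean</ejb-name>   <!-- assumed ejb-name -->
      <method-intf>Home</method-intf>
      <method-name>create</method-name>
    </method>
  </method-permission>

  <!-- Form 2: only callers in the advice-user role may invoke getAdvice()
       through the remote component interface. <method-intf> selects which
       client view the entry applies to: Home, Remote, LocalHome or Local. -->
  <method-permission>
    <role-name>advice-user</role-name>
    <method>
      <ejb-name>AdviceBean</ejb-name>
      <method-intf>Remote</method-intf>
      <method-name>getAdvice</method-name>
    </method>
  </method-permission>

</assembly-descriptor>
```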
 