Security Check in AdviceBean

Hello everyone,

After I have read chapter 11 of the book HFEJB, I think the ejb-jar.xml file in AdviceBean which we had established in chapter1 should have declared the <method-permission> tab with a subtab <unchecked/> in it at least. For example,it should have the content like,
<assembly-descriptor> ... <method-permission> [B]<unchecked/>[/B] <method> <ejb-name> AdviceBean </ejb-name> <method-name> [B]*[/B] <method-name> </method> </method-permission> ... </assembly-descriptor>
After I read the file, I find there is only one section defined by <enterprise-beans> tab. I know after deployed properly, the client does access the AdviceBean's business method(getAdvice()) without problem, why can a client call the bean's business method freely when it has not declared method access permission?

Thanks in advance!
Regards,
Ailsa Cape
[ June 03, 2006: Message edited by: Ailsa Cape ]

The client needs to access the bean through the remote/local interface only.
Otherwise container cannot provide the beanness to the the bean (like transaction management, steteless session pooling etc.).When we call the remote/local inteface method , the container steps in and provides all these services.
And another reason is u cannot access bean class directly from a remote client.It does not implement java.rmi.Remote interface.

Hopes this clarifies ur doubt.

Hello p,

Thank you for your reply. I think what we specified in the Deployment Descriptor's section, <method-permission>, is all the methods from client view, including the ones coming from a session or entity bean's home and component interfaces since there is a <method-intf> sub-element in this section which value can be assigned to Remote,Home etc. So I believe that a client must have the security identity to access the business methods defined in the component interface which should have been granted method permission in DD. Is that right?

Thanks in advance!
Regards,
Ailsa Cape