Security Check in AdviceBean
Ailsa Cape
Ranch Hand
Posts: 92
posted 11 years ago
Hello everyone,
After I have read chapter 11 of the book HFEJB, I think the ejb-jar.xml file in AdviceBean which we had established in chapter1 should have declared the <method-permission> tab with a subtab <unchecked/> in it at least. For example,it should have the content like,
After I read the file, I find there is only one section defined by <enterprise-beans> tab. I know after deployed properly, the client does access the AdviceBean's business method(getAdvice()) without problem, why can a client call the bean's business method freely when it has not declared method access permission?
Thanks in advance!
Regards,
Ailsa Cape
[ June 03, 2006: Message edited by: Ailsa Cape ]
After I have read chapter 11 of the book HFEJB, I think the ejb-jar.xml file in AdviceBean which we had established in chapter1 should have declared the <method-permission> tab with a subtab <unchecked/> in it at least. For example,it should have the content like,
After I read the file, I find there is only one section defined by <enterprise-beans> tab. I know after deployed properly, the client does access the AdviceBean's business method(getAdvice()) without problem, why can a client call the bean's business method freely when it has not declared method access permission?
Thanks in advance!
Regards,
Ailsa Cape
[ June 03, 2006: Message edited by: Ailsa Cape ]
p anish
Ranch Hand
Posts: 32
posted 11 years ago
The client needs to access the bean through the remote/local interface only.
Otherwise container cannot provide the beanness to the the bean (like transaction management, steteless session pooling etc.).When we call the remote/local inteface method , the container steps in and provides all these services.
And another reason is u cannot access bean class directly from a remote client.It does not implement java.rmi.Remote interface.
Hopes this clarifies ur doubt.
Otherwise container cannot provide the beanness to the the bean (like transaction management, steteless session pooling etc.).When we call the remote/local inteface method , the container steps in and provides all these services.
And another reason is u cannot access bean class directly from a remote client.It does not implement java.rmi.Remote interface.
Hopes this clarifies ur doubt.
Ailsa Cape
Ranch Hand
Posts: 92
posted 11 years ago
Hello p,
Thank you for your reply. I think what we specified in the Deployment Descriptor's section, <method-permission>, is all the methods from client view, including the ones coming from a session or entity bean's home and component interfaces since there is a <method-intf> sub-element in this section which value can be assigned to Remote,Home etc. So I believe that a client must have the security identity to access the business methods defined in the component interface which should have been granted method permission in DD. Is that right?
Thanks in advance!
Regards,
Ailsa Cape
Thank you for your reply. I think what we specified in the Deployment Descriptor's section, <method-permission>, is all the methods from client view, including the ones coming from a session or entity bean's home and component interfaces since there is a <method-intf> sub-element in this section which value can be assigned to Remote,Home etc. So I believe that a client must have the security identity to access the business methods defined in the component interface which should have been granted method permission in DD. Is that right?
Thanks in advance!
Regards,
Ailsa Cape
