Originally posted by cheenu Dev:
Once you use programmatic security you are locking the bean developer (in EJB) to be tight with the operational environment, which should not be the case. The bean developer should not be thinking about where his beans end up, so how could he say a role named "admin" has access to it? In an operational environment "admin" would be meant for something else.
And also, the main thing: when you use programmatic security your program reuse is locked down. Also it doesn't support much component development logic.
I don't see where the operational environment comes into play, why the developer needs to consider where the code is running, or what this has to do with component development.
To give a simple example of what I mean by programmatic security, let's say there are two user groups called "foo" and "bar". Both are allowed to retrieve records of type "baz", but which ones they are allowed to see depends on which group they belong to. This is a very common situation.
Using declarative security we can restrict foo users to calling the "getAllBazForFoo" method, while bar users are restricted to "getAllBazForBar". So far, so good. But we still need to have code somewhere that distinguishes between both groups, something like:
As an alternative, we might just as well not use declarative security, and keep this code inside a "getAllBaz" method where the distinction is made.
This kind of logic will be part of the code; the only unknown is who is part of which role, and that is up to the container to determine. It could even break down to the user level, which makes the container-provided authorization control unusable, because we do not want to declare a role for each user.
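An added example (not code from the post or from any project it mentions) of the arrangement described above, using standard Java EE EJB annotations: the container decides declaratively whether a caller may invoke getAllBaz at all, and the bean decides programmatically which "baz" records that caller gets to see. The bean, the BazDao data-access interface, the Baz type and the role names "foo" and "bar" are assumed for illustration.

```java
import java.util.List;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical record type and data-access bean, assumed for this example.
class Baz {}

interface BazDao {
    List<Baz> findVisibleToFoo();
    List<Baz> findVisibleToBar();
    List<Baz> findOwnedBy(String principalName);
}

@Stateless
@DeclareRoles({"foo", "bar"})   // logical roles; the deployer maps them to real groups
public class BazBean {

    @Resource
    private SessionContext ctx;  // injected by the container; exposes caller identity

    @EJB
    private BazDao dao;          // hypothetical data-access bean

    // Declarative part: callers in neither role are rejected by the container
    // before this body runs, so the method needs no "is this allowed?" check.
    @RolesAllowed({"foo", "bar"})
    public List<Baz> getAllBaz() {
        // Programmatic part: the role decides WHAT is visible, not WHETHER the call is allowed.
        if (ctx.isCallerInRole("foo")) {
            return dao.findVisibleToFoo();
        }
        if (ctx.isCallerInRole("bar")) {
            return dao.findVisibleToBar();
        }
        // Unreachable if the role mapping is consistent with @RolesAllowed;
        // fail closed rather than fall through and return everything.
        throw new EJBAccessException("caller is in no known role");
    }

    // The user-level case from the post: filtering by principal rather than by
    // role, which no per-role declaration in the descriptor can express.
    @RolesAllowed({"foo", "bar"})
    public List<Baz> getMyBaz() {
        String user = ctx.getCallerPrincipal().getName();
        return dao.findOwnedBy(user);
    }
}
```

Which real group or user is "foo" or "bar" stays in the deployment descriptor, so the bean code above never has to know the operational environment it is deployed into.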