
EJB Security

 
Malli Raman
Ranch Hand
Posts: 312
Hi,

I want to know how to provide security for EJBs in the given case study. A customer should be able to access only his own details, while another customer should be able to access his own details as well as selected group details. Do we have to define two roles for this purpose?

Assume the JavaRanch site. There are more than 100 Java Ranchers and 10 group moderators. For accessing my details, should I have a role, say for example a 'RamanUser' role, and for the moderators to access their group details, should I have to create 'EJBGroup'/'ServletGroup' user roles? If that is the case, do we have to create as many roles in the application server as there are JavaRanchers?!! And how are the users authenticated in that case?

And how does the app server know which user is calling? (Are they using the Principal object method? If so, it is mentioned in the Head First EJB book that the Principal name and the login name may be different in some cases. In that case, how does the container identify the user?)

Thanks & Regards,
M.S.Raman
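As an added example (not code from this thread, and not the JavaRanch site's own code), the following session bean shows one way to cover the case study with just two roles instead of one role per rancher. The coarse check (which roles may call the method at all) is declarative via @RolesAllowed; the fine-grained check (is this your own record, or a member of a group you moderate) is programmatic via SessionContext.getCallerPrincipal() and isCallerInRole(). It uses EJB 3 annotations rather than the ejb-jar.xml <method-permission> descriptors of the Head First EJB era; the semantics are the same. The role names "Rancher" and "Moderator", the RancherRecord class and the two in-memory maps are assumptions standing in for the real member and group store.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/*
 * Added example, not code from the thread. Assumed names: the roles
 * "Rancher" and "Moderator", the RancherRecord class, and the two
 * in-memory maps, which stand in for whatever store holds member and
 * group data.
 */
@Stateless
@DeclareRoles({"Rancher", "Moderator"})
public class RancherDetailsBean {

    /** One record per rancher (constructed sample data). */
    public static final class RancherRecord {
        public final String displayName;
        public final String group;
        RancherRecord(String displayName, String group) {
            this.displayName = displayName;
            this.group = group;
        }
    }

    // Keys are the names the container reports via getCallerPrincipal().
    // A principal name need not equal the login name typed at the prompt,
    // so the record is keyed on the principal name, never on the login.
    private static final Map<String, RancherRecord> RANCHERS = Map.of(
        "uid=raman", new RancherRecord("M.S. Raman", "ejb-group"),
        "uid=slava", new RancherRecord("Slava Imeshev", "ejb-group"),
        "uid=bear",  new RancherRecord("Bear B.", "servlet-group"));

    // Which groups each moderator is responsible for (constructed).
    private static final Map<String, Set<String>> MODERATED_GROUPS = Map.of(
        "uid=slava", Set.of("ejb-group"));

    // Injected by the container; the only way the bean learns who is calling.
    @Resource
    private SessionContext ctx;

    /**
     * Declarative gate: only callers in one of the two roles get this far.
     * Programmatic check: declarative roles cannot express "your own record"
     * or "a group you moderate", so that part is code.
     */
    @RolesAllowed({"Rancher", "Moderator"})
    public RancherRecord getDetails(String rancherPrincipalName) {
        Principal caller = ctx.getCallerPrincipal();
        RancherRecord target = RANCHERS.get(rancherPrincipalName);
        if (target == null) {
            // Same exception as a denied call, so a probe cannot tell
            // "no such rancher" from "not yours to read".
            throw new EJBAccessException("access denied");
        }
        if (caller.getName().equals(rancherPrincipalName)) {
            return target;   // own record: every rancher may read it
        }
        if (ctx.isCallerInRole("Moderator")
                && MODERATED_GROUPS.getOrDefault(caller.getName(), Set.of())
                                   .contains(target.group)) {
            return target;   // moderator reading a member of a group they moderate
        }
        throw new EJBAccessException("access denied");
    }
}
```

The mapping from the two logical roles to actual users or LDAP groups is done in the application server's realm configuration at deployment time, not in the bean, so adding the 101st rancher changes no code and no roles. The container identifies the caller from the security context that the web tier or client propagates with the call after authentication; the bean only ever sees the Principal, which is why the lookup above is keyed on the principal name rather than on the login name.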
 
Slava Imeshev
Greenhorn
Posts: 23
EJB security gives you network-level security that makes sense when users with given credentials are accessing EJBs directly. The security logic you are talking about is more of an application-logic/UI-level security. Propagating it down to the EJB method level is a) overkill and b) doesn't make sense. It should be handled where it's used: at the app/UI level.
 
Malli Raman
Ranch Hand
Posts: 312
Originally posted by Slava Imeshev:
EJB security gives you network-level security that makes sense when users with given credentials are accessing EJBs directly. The security logic you are talking about is more of an application-logic/UI-level security. Propagating it down to the EJB method level is a) overkill and b) doesn't make sense. It should be handled where it's used: at the app/UI level.


Thanks Slava.
 