User-specific security restrictions

Posted By:   Michael_Prescott
Posted On:   Saturday, December 8, 2001 09:56 AM

It seems that the EJB security structure can't model situations where a principal can call a method on some entity beans of a given type, but not on others.

For example, normal users of an application need to be able to update their own user information, but should be forbidden from modifying others'.

Does EJB's security model address this?

Re: User-specific security restrictions

Posted By:   Bozidar_Dangubic  
Posted On:   Monday, December 10, 2001 10:56 AM

Well, you assign security roles to groups and not to users, and therefore you cannot do what you are doing directly in the way you are thinking. But you have to change your thinking. In order to do what you are trying to do, you should not access entity beans directly but through a session facade. I mean, you can access them directly, but I will give you a solution that works better if you have a session facade for the entity bean.

Create a session bean whose purpose is to update user information. Have its create method take a Customer or User object as a parameter, so that there is no way to create the session bean without the Customer or User object. That way, the session facade has a simple interface, getUserInformation() for instance, without passing any parameters, since internally the session bean knows who the user is (you passed it to the create() method). The interface would also contain something like updateUserInformation(UserDetails ud), and again the session bean takes care of which user's information is updated. With a scheme like this, a user can always update his/her own information and no one else's. So with a careful design you can accomplish your requirements.
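The session facade pattern from the reply above, written out as an added example (this is editor-supplied code, not code from either poster). It uses the EJB 3 annotation style (javax.ejb, javax.annotation.security, JPA) rather than the EJB 2.0 home/create() interfaces of 2001, and the entity, field and method names (User, UserDetails, UserProfileFacade, callersOwnRecord) are assumptions. The one place it departs from the reply is deliberate: the facade binds the "current user" from SessionContext.getCallerPrincipal(), which the container sets after authentication, instead of from a User object passed in by the client, because anything the client passes in is still a client-controlled value. The container's role check (@RolesAllowed) answers "may this role call this method at all"; the per-instance rule "only your own row" is enforced inside the facade.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.PersistenceContext;

// Hypothetical persistent user record (field names are assumptions).
// The primary key is the login name the container reports as the caller principal.
@Entity
class User {
    @Id private String username;
    private String email;
    private String displayName;

    public String getUsername()          { return username; }
    public String getEmail()             { return email; }
    public void setEmail(String e)       { email = e; }
    public String getDisplayName()       { return displayName; }
    public void setDisplayName(String d) { displayName = d; }
}

// Plain value object exchanged with the client. It deliberately carries no
// username: the client never gets to say whose record it is editing.
class UserDetails {
    public String email;
    public String displayName;
}

// Session facade in front of the User entity. Clients talk to this bean only;
// the entity itself is not exposed to them.
@Stateless
@RolesAllowed("user")   // coarse, role-based check performed by the container
public class UserProfileFacade {

    @Resource
    private SessionContext ctx;

    @PersistenceContext
    private EntityManager em;

    // Fine-grained, instance-level check: the only User this facade will touch
    // on the self-service path is the one matching the authenticated caller.
    // The principal is established by the container, not supplied by the client.
    private User callersOwnRecord() {
        Principal caller = ctx.getCallerPrincipal();
        User u = em.find(User.class, caller.getName());
        if (u == null) {
            throw new EJBAccessException("no user record for caller " + caller.getName());
        }
        return u;
    }

    // No parameters: a caller can only ever read their own information.
    public UserDetails getUserInformation() {
        User u = callersOwnRecord();
        UserDetails d = new UserDetails();
        d.email = u.getEmail();
        d.displayName = u.getDisplayName();
        return d;
    }

    // The target row is chosen by the caller's identity, never by client input,
    // so a normal user cannot modify anyone else's record.
    public void updateUserInformation(UserDetails ud) {
        User u = callersOwnRecord();
        u.setEmail(ud.email);
        u.setDisplayName(ud.displayName);
        // u is a managed entity; the change is flushed when the transaction commits
    }

    // The cross-user case is a separate method guarded by a separate role
    // (method-level @RolesAllowed overrides the class-level one), so ordinary
    // users cannot reach it at all.
    @RolesAllowed("admin")
    public void updateAnyUserInformation(String username, UserDetails ud) {
        User u = em.find(User.class, username);
        if (u == null) {
            throw new IllegalArgumentException("unknown user " + username);
        }
        u.setEmail(ud.email);
        u.setDisplayName(ud.displayName);
    }
}
```

The check worth keeping in mind when reviewing a facade like this: every self-service method must resolve the row from the caller principal (or from state the bean itself bound at creation), and none may accept a user identifier from the client; the moment a method signature such as updateUserInformation(String username, UserDetails ud) is callable by the "user" role, the per-user restriction is gone regardless of the role configuration.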