users@glassfish.java.net

Re: Concurrent access to stateful sb from rich client/design question

From: Witold Szczerba <pljosh.mail_at_gmail.com>
Date: Thu, 18 Oct 2007 22:06:37 +0200

2007/10/18, glassfish_at_javadesktop.org <glassfish_at_javadesktop.org>:
> Right... ahem, not so much :) The issues we have with this approach are:
> a) security - you can tweak the client and force it to send a different ID, impersonating someone. Having that in the server in an SFSB, you can send whatever ID you want; it will still use the one you were assigned after login.

If you can tweak the client in a way that it will act like someone
else in front of a JavaEE server - then you will find a serious bug in
that particular JavaEE server, but I doubt you could do this, because
security is one of the most important things in the JavaEE world and I am
sure there are no serious JavaEE implementations that are lacking in the
elementary security areas.


> b) would you give me an example of how EJB automatically filters results based on dynamically applied filters and rules based on user ID? (that is more a sarcastic, rhetorical question, just in case you were wondering...). I mean, let's say we have a list of contacts. User ID 1 can see all, user ID 2 can see only those that have the "Support" tag, etc. Everything is dynamic, stored in the database, unknown at design time. Now, if you show me how EJB will do that automatically, I will be grateful and will be keen to apologize for being sarcastic.

Did you read at least one book about Java EE or EJB security? I really
do not understand your comment about that question being sarcastic as
there are many ways to accomplish your goal and answer that (as you
called it "rhetorical") question.

Tell me if you disagree.
Regards,
Witold Szczerba
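The two points argued above (a: the server, not the client, decides who the caller is; b: per-user visibility rules stored in the database) are illustrated by the session bean below. This is an added example and not code from the thread, from GlassFish, or from either poster; it assumes Java EE 6+ APIs (javax.* packages, JPA 2 typed queries), a container-managed security realm with a role named "user", and the hypothetical entities Contact and ContactRule defined in the block. The identity comes from SessionContext.getCallerPrincipal(), which the container sets from the authenticated login of the current call, so a modified client has no user ID to substitute; the visibility rules are ordinary rows that can change at runtime.

```java
// Added example (not from this thread): caller identity and row-level
// filtering handled inside the EJB container. Assumes Java EE 6+ (javax.*)
// and the hypothetical entities Contact and ContactRule below.
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.persistence.ElementCollection;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.PersistenceContext;

// Hypothetical contact with a set of free-form tags such as "Support".
@Entity
class Contact {
    @Id
    Long id;
    String name;
    @ElementCollection
    Set<String> tags = new HashSet<String>();

    public Contact() {}
}

// Hypothetical rule: one row per (login, tag) restriction. A login with no
// rows sees every contact. Rules live in the database, so they can change
// without redeploying anything, which is the "unknown at design time" case.
@Entity
class ContactRule {
    @Id
    Long id;
    String login;
    String requiredTag;

    public ContactRule() {}
}

@Stateless
@RolesAllowed("user") // the container authenticates the caller before any method runs
public class ContactServiceBean {

    @Resource
    private SessionContext ctx;

    @PersistenceContext
    private EntityManager em;

    // The design the thread argues against: the identity is a parameter the
    // client chooses, so a modified client can ask for any user's view.
    public List<Contact> listContactsFor(String loginClaimedByClient) {
        return filterByRulesFor(loginClaimedByClient);
    }

    // The server-side form: the login is the container's authenticated
    // principal for this call. Nothing in the request body can change it.
    public List<Contact> listVisibleContacts() {
        String login = ctx.getCallerPrincipal().getName();
        return filterByRulesFor(login);
    }

    // Applies whatever rules are stored for the given login at call time.
    private List<Contact> filterByRulesFor(String login) {
        List<String> requiredTags = em.createQuery(
                "SELECT r.requiredTag FROM ContactRule r WHERE r.login = :login",
                String.class)
            .setParameter("login", login)
            .getResultList();

        if (requiredTags.isEmpty()) {
            // No restriction stored for this user: the full list.
            return em.createQuery("SELECT c FROM Contact c", Contact.class)
                .getResultList();
        }
        // Only contacts carrying at least one of the user's required tags.
        return em.createQuery(
                "SELECT DISTINCT c FROM Contact c JOIN c.tags t WHERE t IN :tags",
                Contact.class)
            .setParameter("tags", requiredTags)
            .getResultList();
    }
}
```

The check worth noting is the combination of @RolesAllowed and getCallerPrincipal(): without the role restriction an unauthenticated call would reach the method with the container's anonymous principal, and the rule lookup would silently return the unrestricted list. Auditing which entry points take a user identifier as a parameter, as listContactsFor does, is the quickest way to find the places where a client-chosen ID is still trusted.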