users@glassfish.java.net

Re: Concurrent access to stateful sb from rich client/design question

From: <glassfish_at_javadesktop.org>
Date: Mon, 12 Nov 2007 17:11:37 PST

Witold,

I am afraid we are not talking about the same rights here. You are talking about JEE users/rights; I am talking about rights and users at the application level.

More below...

> 2007/10/18, glassfish_at_javadesktop.org <glassfish_at_javadesktop.org>:
> > Right... ahem, not so much :) The issues we have with this approach are:
> > a) security - you can tweak the client and force it to send a different ID, impersonating someone. Having that in the server in a SFSB, you can send whatever ID you want; it will still use the one you were assigned after login.
>
> If you can tweak the client in a way that it will act like someone else in front of a JavaEE server, then you will find a serious bug in that particular JavaEE server, but I doubt you could do this, because security is one of the most important things in the JavaEE world and I am sure there are no serious JavaEE implementations that lack in the elementary security areas.

Nope, I am talking about an ID that is stored in the application database, assigning him a role and access to actions, limited result sets etc.

NOT JEE authentication.

>
> > b) would you give me an example of how EJB automatically filters results based on dynamically applied filters and rules based on user ID? (that is more a sarcastic, rhetorical question, just in case you were wondering...). I mean, let's say we have a list of contacts. User ID 1 can see all, user ID 2 can see only those that have the "Support" tag etc. Everything is dynamic, stored in the database, unknown at design time. Now, if you show me how EJB will do that automatically, I will be grateful and will be keen to apologize for being sarcastic.
>
> Did you read at least one book about Java EE or EJB security?

No, just the specs and tutorial. From that I understood you can authenticate a user against JEE and then grant or deny him access to individual methods.

However, I do not think this is something I need, as all users would have the server role "user" and can execute (almost) all methods. The difference is in the result set: for example, "manager" can see more records than "janitor".

Therefore, if "janitor" somehow manages to find out the database user ID of "manager" and modifies the client to send it, he has a completely different view of the data. Not desirable. Do you know what I mean?

Again, if you point me to docs on how to do this I will be grateful; however, I really do think we are mixing apples and oranges here.

Best regards,
Dale
[Message sent by forum member 'dalecooper82' (dalecooper82)]

http://forums.java.net/jive/thread.jspa?messageID=245136
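Added example (not from this thread and not GlassFish or project code) showing the two shapes Dale contrasts: a call that trusts a client-supplied application user ID, beside a session object that binds the ID once at login and derives the row filter from it on the server. Contacts, users, roles, credentials and the per-role tag rule are constructed stand-ins for the application database; the @Stateful annotation is left out so the file compiles with a plain JDK (Java 16 or later, for records and List.of).

```java
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

public class ContactService {
    // Constructed stand-in for the application database described in the thread:
    // contacts carrying a tag, users carrying a role, and a per-role visibility
    // rule ("*" = see everything). In the real design these are rows, not code.
    record Contact(String name, String tag) {}
    static final List<Contact> CONTACTS = List.of(
        new Contact("Alice", "Support"), new Contact("Bob", "Finance"), new Contact("Carol", "Support"));
    static final Map<Integer, String> ROLE_BY_USER_ID = Map.of(1, "manager", 2, "janitor");
    static final Map<String, String> REQUIRED_TAG_BY_ROLE = Map.of("manager", "*", "janitor", "Support");
    // Constructed credentials for the login placeholder; a real bean checks the database.
    static final Map<String, Integer> USER_ID_BY_CREDENTIAL = Map.of("manager:pw", 1, "janitor:pw", 2);

    // Shared row filter: the rule comes from the role, the role from the user id.
    // Unknown users (or roles without a rule) see nothing rather than everything.
    static List<Contact> visibleTo(int userId) {
        String role = ROLE_BY_USER_ID.get(userId);
        String required = role == null ? null : REQUIRED_TAG_BY_ROLE.get(role);
        if (required == null) return List.of();
        return CONTACTS.stream()
            .filter(c -> "*".equals(required) || c.tag().equals(required))
            .collect(Collectors.toList());
    }

    // Weak shape (point a in the thread): the client sends the user id with each
    // call, so a client that sends id 1 receives the manager's result set.
    static List<Contact> listContactsTrustingClient(int clientSuppliedUserId) {
        return visibleTo(clientSuppliedUserId);
    }

    // Hardened shape: the id is fixed once at login and held in server-side
    // conversational state (inside a container this class would carry @Stateful);
    // later calls take no id at all, so there is no field for the client to alter.
    static final class UserSession {
        private final int userId;
        private UserSession(int userId) { this.userId = userId; }
        static UserSession login(String username, String password) {
            Integer id = USER_ID_BY_CREDENTIAL.get(username + ":" + password);
            if (id == null) throw new SecurityException("login failed");
            return new UserSession(id);
        }
        List<Contact> listContacts() { return visibleTo(userId); }
    }

    public static void main(String[] args) {
        UserSession janitor = UserSession.login("janitor", "pw");
        System.out.println("janitor via session: " + janitor.listContacts());
        System.out.println("janitor sending id 1: " + listContactsTrustingClient(1));
    }
}
```

Running main prints only the "Support" contacts for the session-bound call and all three for the client-supplied id, which is exactly the difference in view that the thread is worried about.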