users@glassfish.java.net

Re: RE: Principal to Role Mapping

From: <glassfish_at_javadesktop.org>
Date: Thu, 21 Aug 2008 23:25:43 PDT

> custom object/permissions DB/DS

I also think about that - something like a permission map for each user group on application scope.
To restrict a user, change the user group in the session object and, for authenticated users, additionally in the database.
This would work at once and avoids a database connection on every request.

But it's not possible to get a session by id.
Don't know why, but HttpSessionContext.getSession(String sessionId) is deprecated with no replacement.



Think it would be better to improve the standard SUN concept, because:
- any admin (customer) who changes permissions/usergroup of a user to restrict
would be very astonished when this current user could still execute the not permitted functions
- one of my applications is public, therefore it's necessary to restrict also not authenticated users
[Message sent by forum member 'hammoud' (hammoud)]

http://forums.java.net/jive/thread.jspa?messageID=294719
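
The message above wants to change the user group held in a live session but finds that HttpSessionContext.getSession(String sessionId) is deprecated. The following is an added example, not part of the original post or of GlassFish: one way to reach live sessions is to track them in the application with the standard HttpSessionListener. The class name `SessionRegistry`, the attribute names and `changeGroup` are hypothetical.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class; register it with a <listener> element in web.xml.
public class SessionRegistry implements HttpSessionListener {

    // Hypothetical session attribute names, set by the application at login.
    public static final String USER = "app.user";
    public static final String GROUP = "app.group";

    // Application-scoped map of live sessions on this JVM, keyed by session id.
    private static final Map<String, HttpSession> SESSIONS =
            new ConcurrentHashMap<String, HttpSession>();

    public void sessionCreated(HttpSessionEvent e) {
        SESSIONS.put(e.getSession().getId(), e.getSession());
    }

    public void sessionDestroyed(HttpSessionEvent e) {
        SESSIONS.remove(e.getSession().getId());
    }

    // Replacement for the deprecated lookup: returns null if the id is unknown.
    public static HttpSession getSession(String sessionId) {
        return SESSIONS.get(sessionId);
    }

    // Call from the admin function after the database update so that the
    // restriction applies to sessions that are already open.
    // Returns the number of sessions that were updated.
    public static int changeGroup(String user, String newGroup) {
        int updated = 0;
        for (HttpSession s : SESSIONS.values()) {
            try {
                if (user.equals(s.getAttribute(USER))) {
                    s.setAttribute(GROUP, newGroup);
                    updated++;
                }
            } catch (IllegalStateException alreadyInvalidated) {
                // Session ended between lookup and use; sessionDestroyed
                // removes it from the map, so nothing to do here.
            }
        }
        return updated;
    }
}
```

The registry only sees sessions created in the same JVM, so a clustered deployment would need the change propagated to every node. Sessions of users who are not logged in carry no `app.user` attribute and are skipped by `changeGroup`.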