geronimo-user mailing list archives

From "Jacek Laskowski" <ja...@laskowski.net.pl>
Subject Re: Prevent EJB by being called from web interface
Date Fri, 11 Jul 2008 22:16:39 GMT
On Tue, Jul 8, 2008 at 1:35 PM, rbaumhof <ralf.baumhof@web.de> wrote:

> We have an application architecture where we use session facades to access
> the software components and at the backend a DAO pattern to access the
> database. The session facades and also the DAOs are designed as stateless
> session beans. Our security concept is realised by interceptor classes, but
> we only want to secure the facade beans. But of course also the DAOs can
> be called by the web interface.
>
> My question is: Is there a way to hide the DAOs "behind" the facades (make
> them only be callable by other EJBs, but not by the web interface)?

I think securing the DAO SLSBs with @RolesAllowed would do the trick.
Your interceptors should deny access for unauthorized calls too if
they're in charge of it, but somehow you seem to indicate they don't
work as expected. Could you describe them a bit more?

Jacek

-- 
Jacek Laskowski
Notatnik Projektanta Java EE - http://www.JacekLaskowski.pl
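
An added example (not part of the original message, and not Geronimo project code) of the @RolesAllowed approach suggested in the reply above. The bean names and the roles "app-user" and "dao-internal" are hypothetical. The @RunAs on the facade goes beyond what the reply says: without it the web caller's identity propagates to the DAO and the facade's own call is rejected as well. Mapping roles to principals in the deployment plan is container-specific and not shown.

```java
// Assumed layout: one source file per public type, each with the imports it uses.
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Local;
import javax.ejb.Stateless;

// --- CustomerDao.java (hypothetical DAO business interface) ---
@Local
public interface CustomerDao {
    String findName(long id);
}

// --- CustomerDaoBean.java ---
// Every business method requires "dao-internal". No web user is mapped to
// that role, so a direct call from a servlet or JSP fails with
// javax.ejb.EJBAccessException before the method body runs.
@Stateless
@DeclareRoles("dao-internal")
@RolesAllowed("dao-internal")
public class CustomerDaoBean implements CustomerDao {
    public String findName(long id) {
        return "customer-" + id; // stand-in for the real database access
    }
}

// --- CustomerFacade.java (hypothetical facade business interface) ---
@Local
public interface CustomerFacade {
    String customerName(long id);
}

// --- CustomerFacadeBean.java ---
// Web callers need "app-user" to enter the facade. @RunAs replaces the
// propagated caller identity with "dao-internal" for the calls this bean
// makes, so only the facade (not the web tier) satisfies the DAO's check.
@Stateless
@DeclareRoles({"app-user", "dao-internal"})
@RolesAllowed("app-user")
@RunAs("dao-internal")
public class CustomerFacadeBean implements CustomerFacade {
    @EJB
    private CustomerDao dao;

    public String customerName(long id) {
        return dao.findName(id); // invoked under the run-as role
    }
}
```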
