On Jul 8, 2008, at 4:35 AM, rbaumhof wrote:
>
> Hello
>
> we have an application architecture where we use session facades to access
> the software components and at the backend a DAO pattern to access the
> database. The session facades and also the DAOs are designed as stateless
> session beans. Our security concept is realised by interceptor classes, but
> we only want to secure the facade beans. But of course the DAOs can also
> be called by the web interface.
>
> My question is: Is there a way to hide the DAOs "behind" the facades (make
> them only callable by other EJBs, but not by the web interface)?
The only thing I can think of is to (after you get container-managed
EJB security working, cf. your other question) use a run-as role on the
facade EJBs and only allow DAO access from that run-as role.
Maybe someone else will have another idea.
thanks
david jencks
>
>
> much thanks in advance,....
> --
> View this message in context: http://www.nabble.com/Prevent-EJB-by-beeing-called-from-web-interface-tp18337093s134p18337093.html
> Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.
>
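The run-as arrangement suggested in the reply, sketched with the standard EJB 3 security annotations. This is an added example, not code from the original thread or from Geronimo; the role names (`app-user`, `dao-internal`), interfaces and bean classes are hypothetical, and the server-specific mapping of the run-as role to an identity is assumed to be configured in the deployment plan.

```java
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Local;
import javax.ejb.Stateless;

// Hypothetical names throughout. Each public type below lives in its own
// .java file (with the imports it uses); they are shown together here.

// --- CustomerDao.java ---
@Local
public interface CustomerDao {
    String findName(long id);
}

// --- CustomerFacade.java ---
@Local
public interface CustomerFacade {
    String customerName(long id);
}

// --- CustomerDaoBean.java ---
// The DAO admits only callers that carry the internal role. No web user is
// ever granted "dao-internal", so a direct call from the web tier fails the
// container's authorization check (javax.ejb.EJBAccessException).
@Stateless
@DeclareRoles("dao-internal")
@RolesAllowed("dao-internal")
public class CustomerDaoBean implements CustomerDao {
    public String findName(long id) {
        return "customer-" + id; // stand-in for the real database access
    }
}

// --- CustomerFacadeBean.java ---
// The facade is the only entry point for web users ("app-user"). @RunAs
// makes the container propagate "dao-internal" instead of the caller's
// identity on every call this bean makes to other beans.
@Stateless
@DeclareRoles({"app-user", "dao-internal"})
@RolesAllowed("app-user")
@RunAs("dao-internal")
public class CustomerFacadeBean implements CustomerFacade {
    @EJB
    private CustomerDao dao;

    public String customerName(long id) {
        return dao.findName(id);
    }
}
```

The restriction holds only while no login realm or role mapping assigns `dao-internal` to a real user; it depends on container-managed security being active for both beans.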