geronimo-user mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: Prevent EJB by beeing called from web interface
Date Tue, 08 Jul 2008 16:08:22 GMT

On Jul 8, 2008, at 4:35 AM, rbaumhof wrote:

>
> Hello
>
> we have an application architecture where we use session facades to access
> the software components and at the backend a DAO pattern to access the
> database. The session facades and also the DAOs are designed as stateless
> session beans. Our security concept is realised by interceptor classes, but
> we only want to secure the facade beans. But of course the DAOs can also
> be called by the web interface.
>
> My question is: Is there a way to hide the DAOs "behind" the facades (make
> them only callable by other EJBs, but not by the web interface)?

The only thing I can think of is to (after you get container-managed
EJB security working, cf. your other question) use a run-as role on the
facade EJBs and only allow DAO access from that run-as role.

Maybe someone else will have another idea.

thanks
david jencks

>
>
> much thanks in advance,....
> -- 
> View this message in context: http://www.nabble.com/Prevent-EJB-by-beeing-called-from-web-interface-tp18337093s134p18337093.html
> Sent from the Apache Geronimo - Users mailing list archive at  
> Nabble.com.
>
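
The run-as arrangement suggested in the reply above, sketched with the standard EJB 3 security annotations. This is an added example, not code from the thread or from Geronimo; the bean names and the roles "app-user" and "dao-internal" are hypothetical, and the container-specific mapping of the run-as role to a principal is assumed to be configured separately and is not shown.

```java
// Added example; all type and role names are hypothetical.
// In a real module each type is public and lives in its own source file.
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Local;
import javax.ejb.Stateless;

@Local
interface CustomerDao {
    String findName(long id);
}

// DAO: every business method requires the internal role. No real user or
// group is ever granted "dao-internal", so a call arriving with the web
// tier's caller identity is rejected by the container.
@Stateless
@DeclareRoles("dao-internal")
@RolesAllowed("dao-internal")
class CustomerDaoBean implements CustomerDao {
    public String findName(long id) {
        return "customer-" + id; // stand-in for the real database access
    }
}

@Local
interface CustomerFacade {
    String customerName(long id);
}

// Facade: callers need "app-user" to get in. @RunAs does not change who may
// call the facade; it replaces the identity propagated on the facade's
// outgoing calls, so the DAO sees "dao-internal" instead of the web caller.
@Stateless
@DeclareRoles({"app-user", "dao-internal"})
@RolesAllowed("app-user")
@RunAs("dao-internal")
class CustomerFacadeBean implements CustomerFacade {
    @EJB
    private CustomerDao dao;

    public String customerName(long id) {
        return dao.findName(id); // invoked under the run-as role
    }
}
```

The restriction holds only if "dao-internal" is never assigned to a login principal and the DAO beans have no method left unchecked or marked @PermitAll.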

