geronimo-user mailing list archives

From David Jencks
Subject Re: Prevent EJB by beeing called from web interface
Date Tue, 08 Jul 2008 16:08:22 GMT

On Jul 8, 2008, at 4:35 AM, rbaumhof wrote:

> Hello
> we have an application architecture where we use session facades to
> access the software components and at the backend a DAO pattern to
> access the database. The session facades and also the DAOs are
> designed as stateless session beans. Our security concept is realised
> by interceptor classes, but we only want to secure the facade beans.
> But of course also the DAOs can be called by the web interface.
> My question is: Is there a way to hide the DAOs "behind" the facades
> (make them only be callable by other EJBs, but not by the web
> interface)?

The only thing I can think of is to (after you get container managed
ejb security working, cf. your other question) use a run-as role on the
facade ejbs and only allow DAO access from that run-as role.

Maybe someone else will have another idea.

david jencks

> much thanks in advance,....
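The run-as arrangement suggested in the reply above, written with EJB 3 annotations as an added example; it is not code from the thread or from the Geronimo project. The bean names and the roles `customer` and `dao-internal` are hypothetical, and it assumes container-managed EJB security is already working and that the run-as role is mapped to an identity in the server's deployment plan (not shown).

```java
// Added illustration; all names and roles are hypothetical. One listing, four files.
// --- OrderDao.java ---
import java.util.List;
import javax.ejb.Local;
@Local
public interface OrderDao {
    List<String> findOrderIds(String customer);
}

// --- OrderDaoBean.java ---
import java.util.Collections;
import java.util.List;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
// Every business method requires "dao-internal". That role is assumed to be
// mapped to no real user or group, so no web login can ever hold it.
@Stateless
@RolesAllowed("dao-internal")
public class OrderDaoBean implements OrderDao {
    public List<String> findOrderIds(String customer) {
        return Collections.emptyList(); // database access omitted
    }
}

// --- OrderFacade.java ---
import java.util.List;
import javax.ejb.Local;
@Local
public interface OrderFacade {
    List<String> listOrders(String customer);
}

// --- OrderFacadeBean.java ---
import java.util.List;
import javax.annotation.security.*;
import javax.ejb.*;
// Callers need the ordinary "customer" role; calls this bean makes to other
// EJBs are propagated under the run-as role, which satisfies the DAO check.
@Stateless
@RolesAllowed("customer")
@RunAs("dao-internal")
public class OrderFacadeBean implements OrderFacade {
    @EJB
    private OrderDao dao;
    public List<String> listOrders(String customer) {
        return dao.findOrderIds(customer);
    }
}
```

With this in place, a servlet that looks up `OrderDao` directly is refused by the container with `javax.ejb.EJBAccessException`, because a web caller never holds `dao-internal`, while the same DAO call made through `OrderFacadeBean` succeeds.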