Posted to user@geronimo.apache.org by rbaumhof <ra...@web.de> on 2008/07/08 13:35:25 UTC

Prevent EJB from being called from web interface

Hello

we have an application architecture where we use session facades to access
the software components and at the backend a DAO pattern to access the
database. The session facades and also the DAOs are designed as stateless
session beans. Our security concept is realised by interceptor classes, but
we only want to secure the facade beans. But of course the DAOs can also
be called by the web interface.

My question is: Is there a way to hide the DAOs "behind" the facades (make
them only callable by other EJBs, but not by the web interface)?

Many thanks in advance,
-- 
View this message in context: http://www.nabble.com/Prevent-EJB-by-beeing-called-from-web-interface-tp18337093s134p18337093.html
Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.


Re: Prevent EJB from being called from web interface

Posted by David Jencks <da...@yahoo.com>.
On Jul 8, 2008, at 4:35 AM, rbaumhof wrote:

>
> Hello
>
> we have an application architecture where we use session facades to access
> the software components and at the backend a DAO pattern to access the
> database. The session facades and also the DAOs are designed as stateless
> session beans. Our security concept is realised by interceptor classes, but
> we only want to secure the facade beans. But of course the DAOs can also
> be called by the web interface.
>
> My question is: Is there a way to hide the DAOs "behind" the facades (make
> them only callable by other EJBs, but not by the web interface)?

The only thing I can think of is to (after you get container managed  
ejb security working, cf your other question) use a run-as role on the  
facade ejbs and only allow DAO access from that run-as role.

Maybe someone else will have another idea.

thanks
david jencks


Re: Prevent EJB from being called from web interface

Posted by Jacek Laskowski <ja...@laskowski.net.pl>.
On Tue, Jul 8, 2008 at 1:35 PM, rbaumhof <ra...@web.de> wrote:

> we have an application architecture where we use session facades to access
> the software components and at the backend a DAO pattern to access the
> database. The session facades and also the DAOs are designed as stateless
> session beans. Our security concept is realised by interceptor classes, but
> we only want to secure the facade beans. But of course the DAOs can also
> be called by the web interface.
>
> My question is: Is there a way to hide the DAOs "behind" the facades (make
> them only callable by other EJBs, but not by the web interface)?

I think securing the DAO SLSBs with @RolesAllowed would do the trick.
Your interceptors should deny access for unauthorized calls too if
they're in charge of it, but somehow you seem to indicate they don't
work as expected. Could you describe them a bit more?

Jacek

-- 
Jacek Laskowski
Notatnik Projektanta Java EE - http://www.JacekLaskowski.pl
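
Added example (not code from the thread, from Geronimo or from either poster): the combination of the two suggestions above, David Jencks's run-as role on the facade and Jacek Laskowski's @RolesAllowed on the DAO, written as EJB 3.0 declarative security. The bean names, the package `example`, and the role names "customer" and "dao-internal" are assumptions for illustration. The idea is that "dao-internal" is a role no human principal is ever mapped to, so the only way to hold it is to arrive at the DAO through a facade that runs as it; a servlet that looks the DAO up or injects it directly still calls with the web user's identity and is rejected by the container before any interceptor runs.

```java
// Added example, not part of the original thread or of Geronimo.
// Assumed: package "example", roles "customer" and "dao-internal",
// all beans deployed in the same ejb-jar with container-managed security.

// ---- OrderDao.java : business interface of the back-end bean ----
package example;

public interface OrderDao {
    void insert(String customerId, String sku);
}

// ---- OrderDaoBean.java : the bean to hide behind the facade ----
package example;

import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
@RolesAllowed("dao-internal")   // no user is ever mapped to this role,
public class OrderDaoBean implements OrderDao {   // only the run-as facade holds it
    public void insert(String customerId, String sku) {
        // JDBC / JPA work goes here. Note: getCallerPrincipal() in here
        // returns the run-as principal, not the web user; if the DAO needs
        // the real user for auditing, pass it in as a parameter.
    }
}

// ---- OrderFacade.java : business interface of the entry point ----
package example;

public interface OrderFacade {
    String placeOrder(String customerId, String sku);
}

// ---- OrderFacadeBean.java : the only bean the web tier is meant to reach ----
package example;

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"customer", "dao-internal"})
@RunAs("dao-internal")          // identity used for calls *made by* this bean
public class OrderFacadeBean implements OrderFacade {

    @EJB
    private OrderDao dao;

    @RolesAllowed("customer")   // identity checked for calls *into* this bean
    public String placeOrder(String customerId, String sku) {
        // The container has already verified the caller is a "customer".
        // This outbound call carries "dao-internal", so the DAO accepts it.
        dao.insert(customerId, sku);
        return "ok";
    }
}

// ---- OrderServlet.java : web tier, logged in as a "customer" ----
package example;

import java.io.IOException;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class OrderServlet extends HttpServlet {

    @EJB
    private OrderFacade facade;

    @EJB
    private OrderDao dao;       // injection succeeds; the *call* is what fails

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String customer = req.getRemoteUser();
        String sku = req.getParameter("sku");

        // Intended path: customer -> facade (run-as dao-internal) -> DAO.
        resp.getWriter().println(facade.placeOrder(customer, sku));

        // Bypass attempt: customer -> DAO directly. The web user's subject
        // does not hold "dao-internal", so the container refuses the call.
        try {
            dao.insert(customer, sku);
            resp.getWriter().println("BUG: DAO reachable from web tier");
        } catch (EJBAccessException expected) {
            resp.getWriter().println("DAO call from web tier rejected");
        }
    }
}
```

Two things to check when wiring this into a Geronimo deployment. First, the run-as role has to be mapped to a principal in the deployment plan (the element name depends on the Geronimo version; consult the plan schema for your release), while "dao-internal" must not appear in any role mapping that a real login can obtain, otherwise the web tier simply becomes a legitimate caller of the DAO. Second, @RunAs only changes the identity on calls leaving the facade; it does nothing for the check at the facade itself, so the @RolesAllowed on the facade methods is still what keeps anonymous or wrong-role web users out of the whole stack.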