Hi,
we are designing security for a financial application using EJB security.
The users need a way to restrain access to EJB methods based on business rules.
For example there are limits to financial transactions based on the amounts, e.g. 50K $, 100K $, and so on. If you express this with roles there need to be lots of roles, like PERMITLOAN50K, PERMITLOAN100K
The user data would have to be stored in LDAP. It seems awkward to me to store business rules in LDAP.
In the EJB there would be lots of calls to isUserInRole(PERMITLOAN100K). If the limits are changed, so would have to be the role-names.
Or are there better ideas?
Thanks for any hints,
Jürgen
Business rules in security (2 messages)
- Posted by: Juergen Weber
- Posted on: May 07 2003 09:59 EDT
Threaded Messages (2)
- Business rules in security by mohamed rafi on May 08 2003 02:07 EDT
- Beyond roles by Andrew Fu on May 12 2003 11:57 EDT
Business rules in security
- Posted by: mohamed rafi
- Posted on: May 08 2003 02:07 EDT
- in response to Juergen Weber
Hi,
You can store it in a hash table, such that you can put in a loop, to find out the details. But if your business logic changes very often then you can create the hash table in the startup class.
Cheers
Rafi
Beyond roles
- Posted by: Andrew Fu
- Posted on: May 12 2003 11:57 EDT
- in response to Juergen Weber
You need to put business rules in code (Java classes) and call them from your EJB business methods.
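
The approach from the last reply, sketched as an added example (not code from any poster in this thread): one coarse role gates the method, and the amount limit is a business rule held as data and checked inside the business method. `LOAN_OFFICER`, `ApprovalLimitPolicy`, the user names and the limits are hypothetical, and the `Predicate` stands in for the container's role check (`EJBContext.isCallerInRole` in an EJB).

```java
import java.math.BigDecimal;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

public class LoanApprovalExample {

    /** Business rule kept as data: changing a limit needs no new role name. */
    static final class ApprovalLimitPolicy {
        private final Map<String, BigDecimal> limitByUser; // would be loaded from a rules store

        ApprovalLimitPolicy(Map<String, BigDecimal> limitByUser) {
            this.limitByUser = limitByUser;
        }

        boolean mayApprove(String user, BigDecimal amount) {
            BigDecimal limit = limitByUser.get(user);
            // Fail closed: no configured limit or a non-positive amount is denied.
            return limit != null && amount.signum() > 0 && amount.compareTo(limit) <= 0;
        }
    }

    /** Stand-in for the EJB business method; roleCheck plays the container's role check. */
    static void approveLoan(String caller, Predicate<String> roleCheck,
                            ApprovalLimitPolicy policy, BigDecimal amount) {
        if (!roleCheck.test("LOAN_OFFICER")) {        // coarse, stable role
            throw new SecurityException(caller + " is not a loan officer");
        }
        if (!policy.mayApprove(caller, amount)) {     // fine-grained business rule
            throw new SecurityException(caller + " may not approve " + amount);
        }
        // ... book the approval here ...
    }

    public static void main(String[] args) {
        // Constructed sample data, not from the thread.
        ApprovalLimitPolicy policy = new ApprovalLimitPolicy(Map.of(
                "alice", new BigDecimal("50000"), "bob", new BigDecimal("100000")));
        Map<String, Set<String>> roles = Map.of("alice", Set.of("LOAN_OFFICER"),
                "bob", Set.of("LOAN_OFFICER"), "carol", Set.of("TELLER"));
        String[][] requests = {{"alice", "40000"}, {"alice", "80000"}, {"bob", "80000"}, {"carol", "1000"}};
        for (String[] r : requests) {
            try {
                approveLoan(r[0], roles.get(r[0])::contains, policy, new BigDecimal(r[1]));
                System.out.println("approved: " + r[0] + " " + r[1]);
            } catch (SecurityException e) {
                System.out.println("denied:   " + e.getMessage());
            }
        }
    }
}
```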