All my business processes are mapped to one or more methods on session beans and each session bean has a security descriptot parameter so that I can authenticate the caller of the method.
The session bean methods generally use one or more entity beans to fulfill their business role. What I would like to do is make these entity beans private, as currently they are available through the normal JNDI lookup and a home interface.
Is it possible to tell JNDI to give access to entity beans from session beans only ?
Can JNDI be configured perhaps for password access to home interfaces ?
Is this vendor specific code ?
You can control access via the Access Control Lists provided by your container. Simply create a user say "interal" that makes the call from the session bean (Context.SECURITY_PRINCIPAL) then place him into an ACL which is then applied to the EntityBean.
This is all handled logically in your bean then mapped to a vendor specific implementation in the specific container.
See EJB 1.1 and J2EE specs for details.
Internet Applications Division
How does the session reset the principle to "internal" before calling the entity ?