Business rules in security


EJB design: Business rules in security

  1. Business rules in security (2 messages)


    we are designing security for a finanial application using EJB security.

    The users need a way to restrain access to EJB methods based on business rules.

    For example there are limits to financial transcactions based on the amounts, e.g. 50K $, 100K $, and so on. If you express this with roles there need to be lots of roles, like PERMITLOAN50K, PERMITLOAN100K
    The user data would have to be stored in LDAP. It seems awkward to me to store business rules in LDAP.

    In the EJB there would be lots of calls to isUserInRole(PERMITLOAN100K). If the limits are changed, so would have to be the role-names.

    Or are there better ideas?

    Thanks for any hints,

    Threaded Messages (2)

  2. Business rules in security[ Go to top ]

    You can store it in a hash table, such that you can put in a loop, to find out the details. But if ur business logic changes very often then you can create the hash table in the start up class.

  3. Beyond roles[ Go to top ]

    You need to put business rules in code (Java classes) and call them from your EJB business methods.