|
Exploiting J2SE Security (2/4)
- Example: roles as principals:
- Mapping of the authenticated principal to "role principals" happens
in the JAAS login module
- isCallerInRole() looks for the appropriate EJB
role principal in the current thread's security context
- Typically: does the current caller have
permission for this method?
- Method dispatch authorization tests check, via
checkPermission(), the corresponding
MethodPermission
- JAAS-like Syntax:
- grant MethodPermission(ejb.account.withdraw) to
RolePrincipal(customer)
- grant MethodPermission(ejb.loan.borrow) to
RolePrincipal(customer)
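The flow on this slide (login module maps a user to RolePrincipals, grants key MethodPermissions by RolePrincipal, dispatch calls checkPermission, isCallerInRole tests for the role principal) as an added, stand-alone Java example. It is not code from the original slides or from any container: the RolePrincipal and MethodPermission classes, the GRANTS table that stands in for the two grant lines above, and the USER_ROLES mapping (users "alice" and "bob", extra role "auditor") are assumptions for illustration. A real container would express the grants through its deployment descriptor and a JAAS Policy consulted under Subject.doAs; this example models that lookup with a plain map so it runs offline.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

// Illustrative model of role-principal authorization (added example, not container code).
public class RoleDispatchExample {

    /** EJB role principal, e.g. RolePrincipal("customer"). */
    static final class RolePrincipal implements Principal {
        private final String role;
        RolePrincipal(String role) { this.role = role; }
        public String getName() { return role; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && ((RolePrincipal) o).role.equals(role);
        }
        @Override public int hashCode() { return role.hashCode(); }
    }

    /** Permission naming one bean method, e.g. "ejb.account.withdraw". */
    static final class MethodPermission extends BasicPermission {
        MethodPermission(String name) { super(name); }
    }

    // Hypothetical grant table standing in for the descriptor-driven policy:
    //   grant MethodPermission(ejb.account.withdraw) to RolePrincipal(customer)
    //   grant MethodPermission(ejb.loan.borrow)      to RolePrincipal(customer)
    // plus an assumed "auditor" role that may only view accounts.
    static final Map<Principal, Set<Permission>> GRANTS = new HashMap<>();
    static {
        Set<Permission> customer = new HashSet<>();
        customer.add(new MethodPermission("ejb.account.withdraw"));
        customer.add(new MethodPermission("ejb.loan.borrow"));
        GRANTS.put(new RolePrincipal("customer"), customer);
        GRANTS.put(new RolePrincipal("auditor"),
                   Collections.singleton(new MethodPermission("ejb.account.view")));
    }

    // Hypothetical user-to-role mapping; this is the job the slide assigns to the
    // JAAS login module (normally backed by a user store, not a constant).
    static final Map<String, List<String>> USER_ROLES = Map.of(
            "alice", List.of("customer"),
            "bob",   List.of("auditor"));

    /** Login: build the Subject and add one RolePrincipal per mapped role. */
    static Subject login(String user) {
        Subject s = new Subject();
        for (String role : USER_ROLES.getOrDefault(user, List.of())) {
            s.getPrincipals().add(new RolePrincipal(role));
        }
        return s;
    }

    /** EJBContext.isCallerInRole() equivalent: is the role principal on the caller's Subject? */
    static boolean isCallerInRole(Subject caller, String role) {
        return caller.getPrincipals().contains(new RolePrincipal(role));
    }

    /** checkPermission(): succeed if any of the caller's role principals holds the permission. */
    static void checkPermission(Subject caller, Permission p) {
        for (Principal pr : caller.getPrincipals()) {
            for (Permission granted : GRANTS.getOrDefault(pr, Set.of())) {
                if (granted.implies(p)) return;
            }
        }
        throw new SecurityException("no grant for " + p.getName());
    }

    /** Container-side dispatch: authorize the MethodPermission before invoking the bean method. */
    static String dispatch(Subject caller, String method) {
        checkPermission(caller, new MethodPermission(method));
        return "invoked " + method;
    }

    public static void main(String[] args) {
        Subject alice = login("alice");   // holds RolePrincipal(customer)
        Subject bob = login("bob");       // holds RolePrincipal(auditor) only

        System.out.println("alice in customer: " + isCallerInRole(alice, "customer"));
        System.out.println(dispatch(alice, "ejb.account.withdraw"));
        try {
            // withdraw is granted to customer, not to auditor, so this must fail
            dispatch(bob, "ejb.account.withdraw");
        } catch (SecurityException e) {
            System.out.println("bob denied: " + e.getMessage());
        }
    }
}
```

The check that matters for an attacker is the one in dispatch(): if a bean method can be reached without passing through it (for example via an internal call path or a misconfigured descriptor that grants the method to no role, which some containers treat as unchecked), the role principals on the Subject never get consulted.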
|