Hiding Entity beans from the client
Hello All,
I have some entity beans. I want only my session beans to be able to access the entity beans.
I do not want anyone outside the container to be able to obtain a reference to the entity bean.
Reason is that the entity bean should be touched only after the logic inside the session bean permits it.
If the client is able to access the entity bean directly then there is a threat of bypassing the logic inside the session bean.
regards,
Abhishek.
You can set user/roles (user/password) against entity bean methods and ensure only the session can access methods in this manner as a defined user. This is covered in "Designing the Enterprise" book, available on this site. Rgds, LB
When a client can look up an entity bean, if the stub is not present at the client then it gets downloaded to the client.
So if the bean is visible via the JNDI and there are no roles defined, the client will get access to it.
What I wanted was that the client should be able to see the entity bean itself. The bean can further be protected by defining roles.
The J2EE blueprint talks about roles .. but does not explain the hiding of beans.
regards,
Abhishek.
>> What I wanted was that the client should be able to see the entity bean itself. The bean can further be protected by defining roles.
Sorry for the typo
what I meant was
What I wanted was that the client should be NOT able to see the entity bean itself. This bean can further be protected by defining roles.
I read up about that ... but not all app servers at this point of time support EJB 2.0. But should I really recommend an upgrade (+ code change and extra licensing costs) for something as elementary as this?
I believe that what I want is easy. It should be possible by JNDI administration, where I can specify the scope of the visibility of values inside the JNDI. Some things should be lookupable from anywhere while others only from inside the app servers.
how ... looks like a good question at this point....but no good answers.
regards,
Abhishek.
In the long term, if you're going to stick with EJB, 2.0 is the way to go. It provides a lot of other goodies besides local interfaces.
In the shorter term, the JNDI approach sounds feasible: if a client can't access an Entity's Home, it can't access any instances, unless returned by methods of other Beans. The problem then is, how does an EntityBean implementation access the hidden Entity? Perhaps you can set up an alternate JNDI provider, strictly for use by the EJB container, that maps the necessary names. Do you need to make access impossible, or just hard?
-Peris
An alternate JNDI provider for entity beans should work.
>> Do you need to make access impossible, or just hard?
From the client side, direct access to the entity bean should be impossible.
The client should not be able to see entity beans in the JNDI (though session beans and other apps inside the app server domain should be able to see them). On top of this, entity beans should have roles defined on them. Only session beans can access the entity beans in that role.
Even if the client gets a reference to the entity bean somehow, any attempt to use it should result in a security exception.
regards,
Abhishek.
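The two controls discussed in this thread (EJB 2.0 local interfaces and a role on the entity bean's methods), sketched as an `ejb-jar.xml` fragment. This is an added example, not taken from any poster or from the referenced book; the bean names, `com.example` classes and the `entity-access` role are hypothetical.

```xml
<!-- Added example: EJB 2.0 descriptor; all names and classes are hypothetical -->
<ejb-jar>
  <enterprise-beans>
    <entity>
      <ejb-name>AccountEntity</ejb-name>
      <!-- No <home>/<remote>: only local interfaces are declared, so the
           bean has no remote home for an outside client to look up -->
      <local-home>com.example.AccountLocalHome</local-home>
      <local>com.example.AccountLocal</local>
      <ejb-class>com.example.AccountBean</ejb-class>
      <persistence-type>Bean</persistence-type>
      <prim-key-class>java.lang.String</prim-key-class>
      <reentrant>False</reentrant>
    </entity>
    <session>
      <ejb-name>AccountFacade</ejb-name>
      <!-- The session bean is the only remotely visible entry point -->
      <home>com.example.AccountFacadeHome</home>
      <remote>com.example.AccountFacade</remote>
      <ejb-class>com.example.AccountFacadeBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <ejb-local-ref>
        <ejb-ref-name>ejb/AccountEntity</ejb-ref-name>
        <ejb-ref-type>Entity</ejb-ref-type>
        <local-home>com.example.AccountLocalHome</local-home>
        <local>com.example.AccountLocal</local>
        <ejb-link>AccountEntity</ejb-link>
      </ejb-local-ref>
      <!-- Calls made by the facade carry this role, not the caller's -->
      <security-identity>
        <run-as><role-name>entity-access</role-name></run-as>
      </security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>entity-access</role-name></security-role>
    <!-- Every entity method requires the role that only the facade runs as -->
    <method-permission>
      <role-name>entity-access</role-name>
      <method>
        <ejb-name>AccountEntity</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

How `entity-access` maps to a principal is set in the vendor-specific deployment descriptor; no account that clients can log in with should be mapped to it. The facade's own methods still need their own `method-permission` entries for the client-facing roles.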