Chapter 7 Security
321
Let's consider a Web service with an interface containing multiple methods, such as the one shown in Code Example 7.9, where you want different access policies for each method. For a service endpoint interface such as this you might want to permit the following: any client can browse the catalog of items available for sale; only authorized customers (for example, those clients who have set up accounts) can place orders; and only administrators can alter the catalog data. If you implement the service with a Web tier endpoint, then each method has the same protection, because access control is the same for all methods that are bound to the port at the endpoint's URL. To handle a service with an interface containing multiple methods and different access policies, consider creating separate Web services, where each service handles a different set of authorization requirements. You have more flexibility if you implement the same Web service, with its interface containing multiple methods, as an EJB endpoint. By using an EJB endpoint, you can set different authorization requirements for each method. See the next section, Controlling Access to Web Tier Endpoints, and Controlling Access to EJB Tier Endpoints on page 323.
    // Service endpoint interface: each method calls for a different access policy.
    public interface OrderingService extends java.rmi.Remote {
        // Open to any client: browse the catalog.
        public Details getCatalogInfo(ItemType someItem)
            throws java.rmi.RemoteException;
        // Restricted to authorized customers: place an order.
        public Details submitOrder(purchaseOrder po)
            throws java.rmi.RemoteException;
        // Restricted to administrators: change catalog data.
        public void updateCatalog(ItemType someItem)
            throws java.rmi.RemoteException;
    }

Code Example 7.9 Interface Methods Requiring Different Access Control
Keep in mind, however, that both Web and EJB tier endpoints can use programmatic APIs for finer-grained security. If you are willing to write code for access control, then both types of endpoints can be designed to handle the same security capabilities. However, it is generally discouraged to embed security code and use the programmatic security APIs in a component. A better approach keeps the security policy externalized from the application code and uses the declarative services with deployment descriptors.
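The following deployment descriptor fragment is an added example, not from the book, of the declarative per-method policy just described for the OrderingService interface of Code Example 7.9 when it is deployed as an EJB endpoint. The bean name OrderingServiceBean, the ejb-class, and the role names customer and admin are assumptions for illustration.

```xml
<!-- ejb-jar.xml (EJB 2.1 / J2EE 1.4). Bean name, class and role names
     are assumed for this example; they are not defined by the book. -->
<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee" version="2.1">
  <enterprise-beans>
    <session>
      <ejb-name>OrderingServiceBean</ejb-name>
      <service-endpoint>OrderingService</service-endpoint>
      <ejb-class>OrderingServiceBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>customer</role-name></security-role>
    <security-role><role-name>admin</role-name></security-role>

    <!-- Any client may browse the catalog: no role is checked. -->
    <method-permission>
      <unchecked/>
      <method>
        <ejb-name>OrderingServiceBean</ejb-name>
        <method-intf>ServiceEndpoint</method-intf>
        <method-name>getCatalogInfo</method-name>
      </method>
    </method-permission>

    <!-- Only callers in the customer role may place orders. -->
    <method-permission>
      <role-name>customer</role-name>
      <method>
        <ejb-name>OrderingServiceBean</ejb-name>
        <method-intf>ServiceEndpoint</method-intf>
        <method-name>submitOrder</method-name>
      </method>
    </method-permission>

    <!-- Only callers in the admin role may alter catalog data. -->
    <method-permission>
      <role-name>admin</role-name>
      <method>
        <ejb-name>OrderingServiceBean</ejb-name>
        <method-intf>ServiceEndpoint</method-intf>
        <method-name>updateCatalog</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

A Web tier endpoint has no equivalent: a web.xml security-constraint applies to the URL pattern of the port, so all three methods would receive the same role requirement.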
If you require finer-grained control for your access control policy, consider using an EJB endpoint, since it utilizes method-level control.