[jboss-dev-forums] [Security Development] New message: "Re: EJB3 security - Skip authorization for @PermiAll?"
JBoss development,
A new message was posted in the thread "EJB3 security - Skip authorization for
@PermiAll?":
http://community.jboss.org/message/531682#531682
Author : jaikiran pai
Profile : http://community.jboss.org/people/jaikiran
Message:
--------------------------------------------------------------
mailto:anil.saldhana@jboss.com wrote:
That behaves as an "unchecked" operation. Now either we can centralize all
security operations in the security layer (including the @PA check) or we can add code to
the integration layer (here the ejb3 interceptor) to not invoke the security layer, for
performance benefit.
For this particular case, it makes sense to do the latter.
While discussing this
with Carlo, he brought up an interesting point related to auditing - Does skipping this
authorization from the integration points (like this EJB3 code) result in any side-effects
to any security auditing that might be happening through the security APIs? If yes, then
maybe centralizing this kind of optimization within the security layer would be a better
option.
--------------------------------------------------------------
To reply to this message visit the message page:
http://community.jboss.org/message/531682#531682