[jboss-dev-forums] [Design of JBoss jBPM] - Re: commands & EJB 3

"camunda" wrote : First of all: There is no EJB 3 SessionBean available, right? And because the Java 1.4 compability is still required we only can build a EJB 3 SessionBean in our own toolkit for jBPM, not the jbpm core, right? | no. you could include them into the jbpm sources. you just have to be very carefull not to introduce dependencies to java 5 in the current codebase. best way to do that is to make sure that the ejb3 part is in a separate source directory. probably in a separate sub project project. maybe an ejb3 subproject, right underneith the jbpm.3 root ? what do you think. if you can give that the same layout/build structure as the other subprojects (e.g. by starting from a copy of the enterprise project), you can just go ahead and try that. you can't do any harm by trying in a separate project ;-) "camunda" wrote : Also we use JAAS to autheticate users (to have different groups for deploying processes, signalling, cancelling, ...). We have annotated this in our EJB 3 Bean (e.g. @RolesAllowed( {"jbpm-admin-write"}) ). How can we do that with the commands? | with commands, you definitely cannot use the annotations based security. i think you could do it with JACC based authorization checks. i'll have to give that a second look if that would work out. "camunda" wrote : | One really generic and easy solution which came into my mind, is just to have the Command-Class-names as roles in JAAS (ok, not so nice for the administration) and then check, if the JAAS user is in the role in the SessionBean, so the JAAS-Logic is only in the SessionBean, nowhere else. | i think we should try to see of we can embed the JACC based authorization inside of the commands. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4011999#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...