JBoss development,
A new message was posted in the thread "EJB3 security - Skip authorization for @PermitAll?":
http://community.jboss.org/message/531682#531682
Author : jaikiran pai
Profile : http://community.jboss.org/people/jaikiran
Message:
--------------------------------------------------------------
anil.saldhana@jboss.com wrote:
> That behaves as an "unchecked" operation. Now either we can centralize all
> security operations in the security layer (including the @PA check) or we can add code to
> the integration layer (here the ejb3 interceptor) to not invoke the security layer, for
> performance benefit.
> For this particular case, it makes sense to do the latter.

While discussing this with Carlo, he brought up an interesting point related to auditing - Does
skipping this authorization from the integration points (like this EJB3 code) result in any
side-effects to any security auditing that might be happening through the security APIs? If yes,
then maybe centralizing this kind of optimization within the security layer would be a better
option.
--------------------------------------------------------------