[jboss-dev-forums] [Design of JBoss jBPM] - Re: commands & EJB 3
tom.baeyens@jboss.com
do-not-reply at jboss.com
Sun Feb 18 05:18:29 EST 2007
"tom.baeyens at jboss.com" wrote :
| the idea is that in the jbpm code, we should just check for jbpm type of permissions. e.g. org.jbpm.permission.TokenPermission or org.jbpm.permission.TaskPermission (to be created).
|
in your application this should be CommandPermission or something like that. you could put the command inside of the CommandPermission.
but still there is something that needs to be cleared out first: how authentication is passed into authorization.
i see 2 different situations. in case of a webapp or a swing app, the user is already authenticated when a command is created.
in case of client-server execution of commands, a client sends a command to the server for execution. in that case, there must be some client identification and credentials passed along with the command. in case of ejb, that is handled by ejb spec, i think. so the authentication context is passed along with the method invocation over the wire. probably something similar will exist in the web service specifications in case we want to expose the command execution service via web services.
concluding, the most important thing is that the authentication/authorization solution that we work out should cover both scenarios: web/swing-apps and server side execution of commands sent by a remote client.
regards, tom.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4018473#4018473
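
The idea discussed in the post above, as an added sketch that is not part of the original message or of jBPM's code: a `CommandPermission` that carries the command and is checked on the server against what the already-authenticated caller has been granted. `Command`, `CancelTokenCommand`, `CommandService` and the in-memory grant table are hypothetical names; only `java.security.Permission`, `Permissions` and `Principal` are real JDK types, and how the `Principal` gets authenticated (web session, EJB container) is assumed to happen before this code runs.

```java
import java.security.Permission;
import java.security.Permissions;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

public class CommandPermissionExample {
    // Hypothetical command abstraction, not jBPM's own interface.
    interface Command { Object execute(); }
    static class CancelTokenCommand implements Command {
        public Object execute() { return "token cancelled"; }
    }

    // Permission that carries the command; its name is the command class name.
    static final class CommandPermission extends Permission {
        private final transient Command command; // null when used as a grant
        CommandPermission(Command c) { super(c.getClass().getName()); command = c; }
        CommandPermission(String commandClassName) { super(commandClassName); command = null; }
        Command getCommand() { return command; }
        @Override public boolean implies(Permission p) { return equals(p); }
        @Override public boolean equals(Object o) {
            return o instanceof CommandPermission
                && getName().equals(((CommandPermission) o).getName());
        }
        @Override public int hashCode() { return getName().hashCode(); }
        @Override public String getActions() { return ""; }
    }

    // Server-side check: the same path serves a local web/swing caller and a
    // remote client, as long as each arrives with an authenticated Principal.
    static class CommandService {
        private final Map<String, Permissions> grants = new HashMap<>();
        void grant(String user, Permission p) {
            grants.computeIfAbsent(user, u -> new Permissions()).add(p);
        }
        Object execute(Principal caller, Command command) {
            if (caller == null) throw new SecurityException("unauthenticated command");
            Permissions granted = grants.get(caller.getName());
            Permission required = new CommandPermission(command);
            if (granted == null || !granted.implies(required))
                throw new SecurityException(caller.getName() + " may not run " + required.getName());
            return command.execute();
        }
    }

    public static void main(String[] args) {
        CommandService service = new CommandService();
        service.grant("alice", new CommandPermission(CancelTokenCommand.class.getName()));
        Principal alice = () -> "alice", bob = () -> "bob"; // constructed identities
        System.out.println(service.execute(alice, new CancelTokenCommand()));
        try { service.execute(bob, new CancelTokenCommand()); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

The check is default-deny: a caller with no grants, or no identity at all, is rejected before `execute()` is reached.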