[jboss-dev-forums] [Security Development] New message: "Re: EJB3 security - Skip authorization for @PermiAll?"
jaikiran pai
do-not-reply at jboss.com
Fri Mar 12 12:59:59 EST 2010
JBoss development,
A new message was posted in the thread "EJB3 security - Skip authorization for @PermiAll?":
http://community.jboss.org/message/531682#531682
Author : jaikiran pai
Profile : http://community.jboss.org/people/jaikiran
Message:
--------------------------------------------------------------
> anil.saldhana at jboss.com wrote:
>
> That behaves as an "unchecked" operation. Now either we can centralize all security operations in the security layer (including the @PA check) or we can add code to the integration layer (here the ejb3 interceptor) to not invoke the security layer, for performance benefit.
>
> For this particular case, it makes sense to do the latter.
While discussing this with Carlo, he brought up an interesting point related to auditing - Does skipping this authorization from the integration points (like this EJB3 code) result in any side-effects to any security auditing that might be happening through the security APIs? If yes, then maybe centralizing this kind of optimization within the security layer would be a better option.
--------------------------------------------------------------