Method-level ACLs

Similar Messages

• How to implement method level authorisation in JSF

  Hi all,
  I am new to JSF 2. I have been able to implement authorization on my web pages, but I also want to implement it at the bean level. Does JSF 2 provide an in-built functionality to implement role-based authorization on bean methods? Or, I need to use some security frameworks (i.e. ACEGI)?
  Thanks in advance,
  Neeraj

  I am curious: can you explain WHY you want method level security? It seems woefully overkill and paranoid to me - server level security should be enough to keep out rogue code.
  Anyway for that level of security, the security measures built into the JVM should be used.
  [Java Security documentation|http://java.sun.com/javase/technologies/security/]
  You can also look into a security API like Spring security - be warned though, it has a steep learning curve.

• Method-level Locking

  (Here's another one):
  I'm unable to find a way to enable method-level locking in WebLogic.
  This kind of lock has the same semantics as a simple "synchronized" on the
  method level (which you cannot write as a bean developer). The advantage is
  that you've got thread-safe access to a method without expensively
  interfering with the transaction manager.
  So is this possible in WLS v6.1/v7.0?
  Regards,
  Pieter Van Gorp.

  I assume you are talking about entity beans. You can use the "Exclusive"
  concurrency strategy. Here is the link:
  http://e-docs.bea.com/wls/docs61/ejb/reference.html#1139340
  "Pieter Van Gorp" <[email protected]> wrote in message
  news:[email protected]..
  (Here's another one):
  I'm unable to find a way to enable method-level locking in WebLogic.
  This kind of lock has the same semantics as a simple "synchronized" on the
  method level (which you cannot write as a bean developer). The advantageis
  that you've got thread-safe access to a method without expensively
  interfering with the transaction manager.
  So is this possible in WLS v6.1/v7.0?
  Regards,
  Pieter Van Gorp.

• "method level" serializable ServerSockets

  i don't understand why this code block can be serialized:
  public class Foo extends Thread implements Serializable {
    public void run() {
      ServerSocket servSok = new ServerSocket(9876);
      Socket sok = servSok.accept();
  }compare with this code block. as expected it cannot serialize (unless transient is used):
  exception code = " +NotSerializableException: java.net.ServerSocket+ "
  public class Foo extends Thread implements Serializable {
    private ServerSocket servSok = null;  // <-- add "transient" and ok.
    public void run() {
      this.servSok = new ServerSocket(9876);
      Socket sok = servSok.accept();
  note: both are live, running, threads when serialized.
  one is an instance level object, the other a method level. but i cannot take my understanding
  beyond that. can someone talk me through what is going on?
  both are bound ServerSockets . neither can pop-up, after de-serialization, bound to a port
  on a remote jvm.

  pdFrog wrote:
  Your misunderstanding is that methods do not get serializedok. i did not know that.
  i think this is why we need the class loaders.Mneh, in a roundabout way, but probably not the way you're thinking. Technically speaking, methods are already serialized, in that their bytecode exists as a stream. But if you're trying to serialize code, not just data, you've probably misunderstood why we serialize. In particular, serializing a Socket connection of any kind is a bit pointless.

• JDeveloper 11 ignores @SuppressWarnings at method level

  Seems that this only works at class level.
  If you add it at a method level, JDev simply ignores it and continues to display warnings.
  Has anyone found how to get it to work?

  Hi,
  This is the code:
  <snip>
  @SuppressWarnings("unchecked")
  public List<T> findAll(final int... rowStartIdxAndCount)
  return commonPersistence.findAll(getClassName(), rowStartIdxAndCount);
  <snip>
  If I add this annotation to the line just before declaration of the class, it actually works, but becomes reasonably useless as I don't see any other warnings for the class.
  Thanks
  Jonny

• Generics at method level

  As we all know, in Java5.0, Sun introduced Generics. Now I used this at class level and at field method. However I tried using them at method level, but could not succeced.
  I did a search on the internet and I found a very good article about generics. The url is the following: http://www-128.ibm.com/developerworks/java/library/j-djc02113.html
  Scrolling to the bottom, I found out what I needed. the example on that website shows the following:class Utilities {
     <T extends Object> public static List<T> make(T first) {
       return new List<T>(first);
  }However I tried to do this code in a method inside my project, but did not work at all.
  Does any one know how I can do generics at method level. What I want to achieve is that you pass the class type you want to be returned as a generic at the method level.
  regards,
  sim085

  Please before you check my code, check the example that there is in the article, that is the code I posted in my first post. I based all this on the information I read from the website, and since the source looks very reliable,, there is no need for me to doubt that it works!
  I did a simple example, I am just using generics to get used to them ... Here comes the exampleimport java.util.*;
  public class Test{
       private List<String> myList;
       public Test(){
            myList = new ArrayList<String>();
            <List>normalMethod();
       <T>public T normalMethod(){
            return null;
       <T>public static void staticMethod(){
       public static void main(String... args){
            <List>staticMethod();
            new Test();
  }The exception throws is an exception you would see when the syntax is incorrect. However I do have Java5.0 and if you delete the methods and the method calls, but you leave the generics at the field level , the code would compile.
  The exception throws are the following:C:\Documents and Settings\saquilina\My Documents\Test.java:21: illegal start of type
       <T>public static void staticMethod(){
             ^
  C:\Documents and Settings\saquilina\My Documents\Test.java:32: <identifier> expected
  }Now since in the example in that website they use a static method, I tried it also with a static method, but it did not work all the same :(
  regards,
  sim085

• JAAS method level authorisation

  Hi
  Is it possible to do method level authorisation in java.
  I was under the impression you grant permission at the class level. Can you please inform as to
  how we can grant permissions at method level.
  example :
  class A {
  method1();
  method2();
  can I grant permissions to A.method1() to execute, without having to create an actions class
  with run implemented as required , that is :
  class actionMethod1() implements PrivilegedAction {
  run(){
  A.method1();
  because then I will have to create too many action classes !

  Hi, try this:
  Within method 1 of Class A, do a permission check at the beginning of the method.
  Class A {
  1. public void method1() {
  2. SecurityManger sm = System.getSecurityManager();
  3. if(sm!= null ) {
  4. sm.checkPermission( new XXXPermission() );
  5. }
  6. }
  where XXXPermission is the type of permission that your checking for. If the current thread doesn't have this (XXXPermission) permission, then a SecurityException will be thrown and the rest of the method will not be executed. Alternatively, I believe that the above code (line 2-4) can be replaced with :
  1. AccessController.checkPermission(new XXXPermission());
  I hope this helps. You can also try referring to: http://java.sun.com/j2se/1.4/docs/api/java/security/AccessController.html
  >
  Hi
  Is it possible to do method level authorisation in
  java.
  I was under the impression you grant permission at the
  class level. Can you please inform as to
  how we can grant permissions at method level.
  example :
  class A {
  method1();
  method2();
  can I grant permissions to A.method1() to execute,
  without having to create an actions class
  with run implemented as required , that is :
  class actionMethod1() implements PrivilegedAction {
  run(){
  A.method1();
  because then I will have to create too many action
  classes !

• Throtting or Work Managers - OSB @ method level

  Would it be possible to throttle a BS or set a work manager for the PS at the WSDL operation level?

  Work-manager setup and throttling are two different concepts. Throttling is used to restrict the message flow to a business service however work managers are used to prioritize service work. Remember that in case of throttling there is possibility of message loss however with work manager setup there is no such possibility.
  To give an example, suppose you are routing PO ACK's to target system. Given that, latest PO ACK is sufficient to provide the status of PO, it is not mandatory to deliver all the PO ACKs to the target system. So if I have to restrict the flow to target system here, I will use throttling.
  If there are two type of messages being processed in your OSB, suppose PO and PO ACK, you will always prefer that PO gets processed on priority and PO ACK processing must not affect the PO processing. Hence here I will use work-manager to prioritize the processing of PO.
  Regards,
  Anuj

• Transaction Isolation Level for EJB methods

  L.S.
  I just found out the in OC4J one can not set the transaction isolation level on ejb methods. Moreover one needs to revert to bean managed transaction (manual coding of the ALL transaction logic) to set the isolation level.
  On entity beans one can only set the isolation level for the whole bean (not on individual methods), and in session beans there is no way at all to set the isolation level.
  This is on shear contract to all other application servers I used before (there one can declaratively set the isolation level for a ejb method, both in session and in entitybean deployment descriptors)
  Is it foreseen in a future release to include such a valuable feature will be provided by oc4j?
  Note that I was VERY surprised that OC4J could not handle this (I checked the j2ee spec, but admittedly the spec is a little vague about this support and makes it vendor dependent. the j2ee spec does not mandate this, except for CMP entity beans, but includes some suggestions on this ability. But most other application servers implemented the ability)
  Regadrs,
  Erik

  Hello Erik --
  I think we met in Perth recently?
  Anyway, your information is correct.
  We can set the transaction isolation level for each entity bean, at the bean level. We don't have for the specification of method level isolation settings -- I'd be interested to hear how you would like/do use this. What behaviour do you expect to see when a transaction is started that spans multiple methods on a bean with different declared isolation levels.
  For session beans, we do not currently have the ability to declaratively specify the isolation level to use for the bean. I know this is not in the forthcoming 904 release, and will to check what is beyond that.
  As you point out, this can be done programatically using the Connection.setIsolationLevel() method on any connections you are using from within the session bean.
  I'd would like to log an enhancement request for you for this functionality. Can you send me an email at [email protected] and we'll take it offline.
  -steve-

• ACL found but not expected.................

  I powered up my iMac (intel) and I got a blank white screen - up until this point it would be up and running in a second or two so this was a shock. I forced a shut down and had to restart a couple of times before I got a white screen with the apple and then it started up. I repaired permissions thinking it might need it (don't know why - nothing had changed that I know of) but I got this mess:
  ACL found but not expected on "System/Library/User Template/English.lproj/Sites".
  Warning: SUID file "System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAg ent" has been modified and will not be repaired.
  ACL found but not expected on "System/Library/User Template/English.lproj/Desktop".
  ACL found but not expected on "System/Library/User Template/English.lproj/Documents".
  ACL found but not expected on "System/Library/User Template/English.lproj/Downloads".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/Application Support".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/Assistants".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/Audio/MIDI Drivers".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/Audio/Plug-Ins/Components".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/Audio/Plug-Ins/Digidesign".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/Audio/Plug-Ins/VST".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/Audio/Plug-Ins".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/Audio/Sounds/Alerts".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/Audio/Sounds/Banks".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/Audio/Sounds".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/Audio".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/ColorPickers".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/Compositions".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/Favorites".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/FontCollections".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/Fonts".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/iMovie/Plug-ins".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/iMovie/Sound Effects".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/iMovie".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/Input Methods".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/Internet Plug-Ins".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/Keyboard Layouts".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/Preferences".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/Printers".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/Screen Savers".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/Sounds".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library/Voices".
  ACL found but not expected on "System/Library/User Template/English.lproj/Library".
  ACL found but not expected on "System/Library/User Template/English.lproj/Movies".
  ACL found but not expected on "System/Library/User Template/English.lproj/Music".
  ACL found but not expected on "System/Library/User Template/English.lproj/Pictures".
  ACL found but not expected on "System/Library/User Template/English.lproj/Public".
  ACL found but not expected on "Library".
  ACL found but not expected on "Applications/Utilities".
  ACL found but not expected on "Applications".
  Is this a sign of something fishy? Or not?

  It is normal for Leopard according to the guys at the Genius Bar. According to them, in disk utilities, once you run verify and then repair, everything is fine and dandy, no matter what is left written. You can run this command in the terminal and then run disk utilities and it does remove most of the lines that you see.
  :sudo chmod -R 755 /System/Library/Extensions && sudo chown -R root:wheel /System/Library/Extensions
  You must have administrative previleges to run the command. It worked for me, but not for long....

• ACL - how to (easily) deny access to everthing but home directory

  I was trying to set up a very restrictive drop box for users to leave and take files from. I set up a special USER and then thought I could use the ACL's to deny access to the system except for the home directory. From reading the documentation I tried the following
  1) at the root level I denied read/write access for USER
  2) at the home directory I allowed read/write access for USER
  and then I tried to 'remove inherited' ACLs. I can't seem to get this to work. USER is always denied. Any help appreciated

  Never mind. I figured out how to do this from the command line using chmod +a to do multiple directories at once. I still don't know why the top level ACL wouldn't propagate to the lower directories but once I did this on the /* directories everything was fine.

• How to implement Method output converion in BADI HRPAD00INFTYUI

  Hi All,
  I have to implement Output conversion method in HRPAD00INFTYUI for the requirement of adding custom field in the structure HRWPC_S_EP_COMMUNICATION. Usage is, In MSS general data service the manager should see his subordinates telephone extn number and his mobile number.
  While trying to add, system is asking for access key and one possible solution is append structure. I am confused after seeing the parameters in that BADI. Anyone please give solution for the above requirement. Please share code as well if you have.
  Thanks in Advance.
  S.Vikgnesh

  I am curious: can you explain WHY you want method level security? It seems woefully overkill and paranoid to me - server level security should be enough to keep out rogue code.
  Anyway for that level of security, the security measures built into the JVM should be used.
  [Java Security documentation|http://java.sun.com/javase/technologies/security/]
  You can also look into a security API like Spring security - be warned though, it has a steep learning curve.

• Calling Instance Method in a Global Class

  Hi All,
  Please can you tell me how to call a instance method created in a global class in different program.
  This is the code which I have written,
  data: g_cl type ref to <global class>.
  call method g_cl -> <method name>
  I am not able to create Create object <object>.
  It is throwing the error message " Instance class cannot be called outside...."
  Please can anybody help me..
  *Text deleted by moderator*
  Thanks
  Sushmitha

  Hi susmitha,
  1.
  data: g_cl type ref to <global class>.
  2.
  Create object <object>.
  3.
  call method g_cl -> <method name>.
  if still you are getting error.
  then first check that method level and visibility in se24.
  1.if  level is static you can not call it threw object.
  2. if visibility is protected or private then you can not  call it directly.
  If still you are facing same problem please paste the in this thread so that i can help you better.
  Regards.
  Punit
  Edited by: Punit Singh on Nov 3, 2008 11:54 AM

• Minimum Payment Value Setting at Vendor level?

  Hi SAP Payments Gurus,
  I know that you can set a minimum outgoing payment level in FBZP config at the compnay code and payment method level....but is it possible to place a minimum payment level on a specific vendor?
  We have vendors accounts who have many small inovices posted to them but who only want to be paid when the value in their account reached a certain value.
  Any ideas?
  Thanks!

  To my understanding there is no standard way to do this through customizing. But you can use the edit payment proposal functionality in F110 to block vendors whose proposed payment amount is below certain amount. Here you will enter the payment block reason code which is temporary, and will block the proposed invoices only for the present payment run.
  When you configure such payment block reason code, please make sure CHANGE IN PAYMT PROP. check box is ticked.
  If you don't want to use this manual approach, then you should take help of your developer who can create a user exit, which will populate the processed invoices with this payment block reason code, if the total amount for these invoices together is above certain amount for a vendor, through substitution
  Thanks
  Ron

• Real World Item Level Permission Performance?

  I am considering implementing item level permission on a list we use. I've seen all the articles online cautioning not to do this with lists of more than 1000 items, but the articles seem to have little detailed information about the actual impact and what
  causes the performance issues. Additionally, they seem to refer to document libraries more than lists. I'd like some feedback about what might occur if we were to use item level security in our situation.
  Our situation is this: list of current ~700 items in a sharepoint list. Expected to grow around 700 items per year. The list has about 75 fields on it. We have 8 active-directory groups that have access to the list, based upon company department. Each
  item in the list can apply to one or more departments. The groups represent around 100-150 different unique users.
  We would like to use item level security to be set via workflow, to enable particular groups to access the item based upon their group membership. For example, if the list item is for the HR department, then the HR group has access. If the item is for IT,
  then the IT group has access (and HR wouldn't).
  That's it. There would be no nesting of items with multiple permission levels, no use of user-level ACLs on the items, etc.
  Thoughts about this configuration and expected performance issues?  Thanks for any feedback!

  Just an update for anyone who finds this thread:
  I converted our data into a test SharePoint list with 1500 rows. I then enabled full item-level security, with restrictions to hide data not created by the person.
  I then set individual permissions for each item that included 2-3 AD groups with different permissions--contribute, full ownership, etc, and 2-3 individuals with varying permissions. The individuals represented around 50 total people.
  After the permissions were set I then did a comparison of loading individual views and the full data set in Standard and Datasheet views, for both myself as an administrator with full list access and with several of the individuals who only had access to
  their designated items--typically 75-100 of the total list.
  The results were that I found no discernable difference in system performance from the user interface level while loading list views after the item level security was configured in this way. I understand this will vary based up
  hardware configuration and exact permission configuration, but in our situation the impact of item level security on a list of 1500 items had very little, if any, negative performance impact. Note that I didn't check performance at the database server level,
  but I'm assuming the impact there was minimal since the front-end user experience was unaffected.
  I expect we'll put this solution into place and if we do I'll update this post when we have additional real-world usage information.