In chapter 8 of "Hibernate In Action" I see recommendations to use Command design pattern.

I like this approach, because ... (read the book:), but how to use EJB container declarative security with this design. If you have only one Session Facade Bean to handle all commands how to limit some roles to handle some commands? Is there some solution?

--
Thanks,
Leonid

Not really, unfortunately :-(

Wait for EJB3....

Thanks, will be wating...

Well, if you are on JBoss or WebLogic, there are interceptors today, they are just not standardized...

..are anyone using J2EE's very unnecessary complex, rigid and static security model for anything usefull these days ?

Not a prank, but a real question!

Interceptor stuff is very trivial and there is no problems to use it in on server or on client side http://voruta.sourceforge.net/xref/samples/ejb/

It looks like command design patern, but command is a java method information. You do not need more than one session bean in any application, this design was recommented by Microsoft and I have used it for DCOM in the past.

Yes I used J2EE "static" security in my previous project, it is very usefull when you don't need or have no time to implement your own "dynamic" security, but the number of session facade beans were growing with the number of roles (AdminFacadeBean, ManagerFacadeBean, ....). But if you use DAO and some kind of common middleware controllers used by your session facade beans everything is not so bad :).

--
Leonid

"AdminFacadeBean, ManagerFacadeBean" stuff is more "static" than declarative security. As I understand "dynamic" means "depends on method paramater value".

This declarative stuff is very trivial to imolement and to customize in interceptor or in decorator.

I said if you don't need "dynamic" security or you don't have time to implement it, J2EE declarative security is the best solution. When I say "dynamic security", I mean dynamic roles, roles that could be added or deleted without editing J2EE descriptors.

--
Leonid