  • Securing methods

    I'm thinking about securing some methods in my application. I know that I can use acegi to block access to some objects for certain user roles. But I've noticed that I need something else. For example, a user can only see his friend's profile, which is returned by showProfile(userId,targetId). I can restrict access to this method for ROLE_USER, but is it possible to intercept this, and if the ids are not correct, block them using AOP? How can I do this?

  • #2
    I don't have a lot of experience with AOP actually, I'm just starting out myself, but I'd say: Intercept the method using around advice; check the userId whichever way you like; if it's correct do invoke.proceed(); if it's incorrect throw an exception and don't let it continue.

    Another possibility is setting an extra boolean flag in the function, which indicates if the function should be executed. But I think this isn't the kind of option you would wanna implement as you'll actually link the interceptor architecture to your software.

    In any case, just my 2 cents.
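    The around-advice approach from the reply above, as an added example that is not part of the original thread. It assumes Spring AOP with AspectJ annotations and current Spring Security class names (the successor of Acegi; under Acegi the equivalents live under org.acegisecurity.*), plus hypothetical types ProfileService, FriendshipService and AppUser that are not from the question.

```java
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

@Aspect
public class ProfileAccessAspect {

    // Hypothetical collaborator that knows who is friends with whom.
    private final FriendshipService friendships;

    public ProfileAccessAspect(FriendshipService friendships) {
        this.friendships = friendships;
    }

    // Around advice bound to ProfileService.showProfile(long userId, long targetId).
    // The role check (ROLE_USER) stays with acegi/Spring Security; this aspect adds
    // the object-level check the question asks for.
    @Around("execution(* com.example.ProfileService.showProfile(long, long)) && args(userId, targetId)")
    public Object checkProfileAccess(ProceedingJoinPoint pjp, long userId, long targetId) throws Throwable {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new AccessDeniedException("not authenticated");
        }

        // Never trust the userId argument on its own: it must match the caller,
        // otherwise any authenticated user could pass someone else's id.
        long callerId = ((AppUser) auth.getPrincipal()).getId(); // AppUser is hypothetical
        if (callerId != userId) {
            throw new AccessDeniedException("userId does not match the authenticated user");
        }

        // Deny by default: only the caller's own profile or a friend's profile is allowed.
        if (userId != targetId && !friendships.areFriends(userId, targetId)) {
            throw new AccessDeniedException("target profile is not a friend");
        }

        // All checks passed: let the original showProfile run and return its result.
        return pjp.proceed();
    }
}
```

    Throwing AccessDeniedException rather than returning null keeps the denial visible to Spring Security's exception handling and to your logs, which is what you want for detecting probing of other users' ids.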