
  • Field-Level Authorization

    Hi everyone,

    I currently have an entity-management application, where different users have access to different fields in the entities.

    The entities are JAXB annotated and are automatically filled using an ORM framework and a JAX-RS framework upon receiving entities from clients.

    Our product requires management of permissions on the field level. This doesn't mean that each field has its own permission, but rather several fields can have the same permission, but the same permission will not apply to all fields in the entity (and there are about a dozen entities in the system). Obviously, the two types of permissions we need are read and write (where write implies read as well).

    From what I can tell, the security access checks can be invoked on the method level, but I've found no reference as to how to impose the limitations on the field level.
    I realize I can put the checks on the setters and getters in the entity, however, I'm concerned that the ORM framework or the JAXB annotations that are used to generate the entity classes may use reflection to set values directly on the fields, thus overriding the security checks.

    Is anyone familiar with a way to solve this issue? I'd greatly appreciate it.
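One way to enforce permissions on fields rather than on getters and setters is to inspect the entity's fields directly through reflection, once after the ORM has loaded it (to redact unreadable fields) and once after JAXB has unmarshalled the client's copy (to catch writes to non-writable fields). The following is an added example written for this thread, not code from the original post or from any JAXB, JAX-RS or ORM framework; the `@FieldPermission` annotation, the `Employee` entity and the permission names are constructed for illustration.

```java
import java.lang.annotation.*;
import java.lang.reflect.Field;
import java.util.*;

// Hypothetical annotation: groups several fields under one named permission.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
@interface FieldPermission { String value(); }

// Constructed sample entity. Frameworks may populate these fields via reflection,
// so the checks below read the fields directly instead of trusting getters/setters.
// Wrapper types are used so that an unreadable field can be nulled out.
class Employee {
    public String name;                                  // no annotation: open to all
    @FieldPermission("contact") public String email;
    @FieldPermission("payroll") public Integer salary;
}

enum Access { NONE, READ, WRITE }

class FieldAuthorizer {
    // Permission name -> access granted to the current user; WRITE implies READ.
    private final Map<String, Access> grants;
    FieldAuthorizer(Map<String, Access> grants) { this.grants = grants; }

    private Access accessFor(Field f) {
        FieldPermission p = f.getAnnotation(FieldPermission.class);
        return p == null ? Access.WRITE : grants.getOrDefault(p.value(), Access.NONE);
    }

    // Outbound: null out every field the user may not read, after the ORM loaded it.
    public void redact(Object entity) throws IllegalAccessException {
        for (Field f : entity.getClass().getDeclaredFields()) {
            f.setAccessible(true);
            if (accessFor(f) == Access.NONE) f.set(entity, null);
        }
    }

    // Inbound: compare the unmarshalled client entity with the persisted copy. A READ-only
    // user who changed a field is rejected; a NONE user only ever saw null, so the stored
    // value is restored rather than treating the echoed null as a write attempt.
    public <T> void enforceWrite(T incoming, T persisted) throws IllegalAccessException {
        for (Field f : incoming.getClass().getDeclaredFields()) {
            f.setAccessible(true);
            Access a = accessFor(f);
            if (a == Access.WRITE || Objects.equals(f.get(incoming), f.get(persisted))) continue;
            if (a == Access.READ)
                throw new SecurityException("no write permission on field " + f.getName());
            f.set(incoming, f.get(persisted));
        }
    }
}
```

In a JAX-RS resource this would run inside the method body before the entity is handed to the ORM, so the check does not depend on which code path the frameworks use to fill the fields.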