What level to apply ACL security at?


    We are using role based security with role voter on the service layer methods.

    We are also looking at using ACL security. Originally I was going to apply this to the service layer also, but I'm now thinking it might make more sense to apply the ACL security at the DAO layer.

    For example if I have a service layer:

    createDomainObject1(DomainObject1 domainObject1)
    updateDomainObject1(DomainObject1 domainObject1)
    closeDomainObject1(Long id)
    reopenDomainObject1(Long id)
    retrieveDomainObject1(Long id)
    deleteDomainObject1(Long id)
    reopenDomainObject1(DomainObject1 domainObject1)
    createDomainObject2(DomainObject2 domainObject2)

    And the DAO for DomainObject1:

    DomainObject1Dao.create(DomainObject1 domainObject1)
    DomainObject1Dao.update(DomainObject1 domainObject1)
    DomainObject1Dao.retrieve(Long id)
    DomainObject1Dao.findByName(String name)
    DomainObject1Dao.delete(Long id)

    Now if the service layer methods updateDomainObject1(DomainObject1 domainObject1), closeDomainObject1(Long id) and reopenDomainObject1(Long id) all involve updating the domain object, i.e. calling the DAO update method, then the system seems more robust if I put the update ACL check on the DAO update method; otherwise I may forget to apply it to some service method in the future. Likewise for after-invocation read and collection filtering: it seems safer to apply these at the DAO layer also, as any service layer method that uses this information will have to go through the DAO layer.

    Is this a sensible approach, i.e. having two layers of method invocation security?

    On a related issue, the new ACL module voters and after-invocation providers require the domain object to act on; however, methods such as retrieve or delete (whether in the service layer or DAO layer) usually only provide the object id. How should this be handled?

    Thanks for any help
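The id-only case the post asks about, as an added example that is not part of the original post or of Spring Security's own code: Spring Security's method-security expressions provide hasPermission in two forms, one taking the loaded domain object and one taking a target id plus the target class name, so retrieve(Long id) and delete(Long id) can be guarded without loading the object first. This assumes Spring Security 3.x or later with pre/post annotations enabled, an AclPermissionEvaluator registered as the PermissionEvaluator, and a DomainObject1 class in the com.example package exposing getId(); the package and class names are assumptions.

```java
package com.example;

import java.util.List;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;

// Added example, not the forum poster's code. Assumes Spring Security's
// AclPermissionEvaluator is wired in so that hasPermission(...) consults the ACL tables.
public interface DomainObject1Dao {

    // Full object available: hasPermission(object, permission) derives the object
    // identity (class + id) from the instance and looks up the ACL entries.
    @PreAuthorize("hasPermission(#domainObject1, 'WRITE')")
    void update(DomainObject1 domainObject1);

    // Only an id is available: the (targetId, targetType, permission) overload builds
    // the object identity from the id and the class name, so no pre-load is needed.
    @PreAuthorize("hasPermission(#id, 'com.example.DomainObject1', 'DELETE')")
    void delete(Long id);

    // Read check after invocation on the returned object (the after-invocation
    // provider equivalent): denied if the caller lacks READ on that instance.
    @PostAuthorize("hasPermission(returnObject, 'READ')")
    DomainObject1 retrieve(Long id);

    // Collection filtering: every element the caller cannot READ is removed
    // from the returned list before the caller sees it.
    @PostFilter("hasPermission(filterObject, 'READ')")
    List<DomainObject1> findByName(String name);
}
```

The after-invocation read check and the collection filtering the post mentions map to @PostAuthorize and @PostFilter. The id-based form still consults the same ACL tables, so the class name given as targetType must match the type recorded when the ACL entries were created, otherwise the lookup finds no entries and access is denied.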


#2
    I've had this discussion a few times before with other people. You could add it to the dao layer just to make sure. There are issues when you use something like Hibernate though. As you don't actually have to persist the change explicitly it's possible to only have the read permission but to still update an object.
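The Hibernate gap the reply describes, as an added example that is not taken from the thread: a service method that obtains an entity through a READ-checked retrieve and then mutates it inside a transaction is written back by Hibernate's dirty checking at flush time, so a WRITE check placed only on DomainObject1Dao.update() never runs. The second class closes that gap at the persistence boundary with a Hibernate PreUpdateEventListener that re-checks WRITE permission on every flushed update. It assumes Hibernate 4 or later (org.hibernate.event.spi), Spring Security's ACL module with an AclPermissionEvaluator, a DomainObject1 entity with a setName method, and the DomainObject1Dao from the question; the class and method names here are assumptions.

```java
package com.example;

import org.hibernate.event.spi.PreUpdateEvent;
import org.hibernate.event.spi.PreUpdateEventListener;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.transaction.annotation.Transactional;

// Illustration of the gap (added example, not the poster's code): the DAO's update()
// carries the WRITE check, but this method never calls it.
class DomainObject1Service {
    private final DomainObject1Dao dao;

    DomainObject1Service(DomainObject1Dao dao) {
        this.dao = dao;
    }

    @Transactional
    public void rename(Long id, String newName) {
        DomainObject1 obj = dao.retrieve(id); // only the READ check on retrieve() runs
        obj.setName(newName);                 // managed entity: Hibernate writes this at flush/commit
        // dao.update(obj) is never invoked, so a WRITE check that lives only on update() is skipped
    }
}

// Closing the gap at the persistence boundary: re-check WRITE on every update Hibernate flushes,
// regardless of which DAO or service method caused the change.
class AclPreUpdateListener implements PreUpdateEventListener {
    private final PermissionEvaluator permissionEvaluator; // assumed: Spring's AclPermissionEvaluator

    AclPreUpdateListener(PermissionEvaluator permissionEvaluator) {
        this.permissionEvaluator = permissionEvaluator;
    }

    @Override
    public boolean onPreUpdate(PreUpdateEvent event) {
        Object entity = event.getEntity();
        if (!(entity instanceof DomainObject1)) {
            return false; // not vetoed: only DomainObject1 is ACL-protected in this example
        }
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !permissionEvaluator.hasPermission(auth, entity, BasePermission.WRITE)) {
            // Throwing (rather than returning true to veto) rolls the whole transaction back,
            // so the caller and the logs see the denial instead of a silently dropped change.
            throw new AccessDeniedException("No WRITE permission on " + entity);
        }
        return false; // permitted: let Hibernate proceed with the UPDATE
    }
}
```

The listener has to be registered with the SessionFactory (for Hibernate 4+, through an Integrator that appends it to the PRE_UPDATE group of the EventListenerRegistry), and PRE_INSERT and PRE_DELETE would need the same treatment if create and delete are to be covered as well. Putting the check at flush time is what makes the DAO-level approach robust against the "I may forget a service method" concern, because it fires no matter which code path modified the entity.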