Property based ACL?
This topic is closed

  • Property based ACL?


    I want to control read/write access to properties of POJOs depending on
    the user who created the object. For example user A creates object O and
    user A should read and write,
    user B should only read, and
    user C should neither read nor write the property P of object O.

    After reading the well-written ACEGI Security manual I am thinking about
    extending ACL security to handle property-based ACLs. For controlling
    property read access in the view I can use some taglib (authz or my own),
    which displays nothing, the property value as text, or an HTML input field
    with the property value. But how to handle write control? I can imagine a
    solution for my Struts (UI) + Spring + Hibernate web app (AppFuse), but
    it doesn't fit in the nice AOP-based architecture ACEGI is using:

    The web client wants to update the POJO and sends changed values to
    the web app. In the Struts action class the POJO is retrieved from the
    database (to keep the Hibernate references to other objects) and for
    every property a security check is performed before the value is copied
    to the POJO. This would work, but is not a nice design.

    The problem I see with intercepting the setter and getter method calls
    to the POJO (as I would like to do with ACEGI Security) is that
    some properties would be null and these "wrong" values would be written
    to the database.

    Any suggestions on how to deal with property-based access control would
    be appreciated.
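
The write-side check described in the post above, as an added example that is not part of the original thread and is not Acegi Security code. `PropertyAcl`, `Access`, `Item` and `bind` are hypothetical names, and the ACL is held in memory instead of being looked up per domain object.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.*;

public class PropertyAclBinder {
    enum Access { NONE, READ, WRITE }

    // Hypothetical per-object ACL: property name -> user -> access level.
    static class PropertyAcl {
        private final Map<String, Map<String, Access>> entries = new HashMap<>();
        void grant(String property, String user, Access access) {
            entries.computeIfAbsent(property, k -> new HashMap<>()).put(user, access);
        }
        Access accessFor(String property, String user) {
            // Default deny: no entry means neither read nor write.
            return entries.getOrDefault(property, Map.of()).getOrDefault(user, Access.NONE);
        }
    }

    // Constructed sample POJO standing in for the Hibernate entity.
    public static class Item {
        private String name, price;
        public String getName() { return name; }
        public void setName(String v) { name = v; }
        public String getPrice() { return price; }
        public void setPrice(String v) { price = v; }
    }

    // Copies a submitted value onto the already-loaded entity only when the user
    // holds WRITE on that property. Properties that were not submitted keep their
    // stored value, so a field hidden in the view is never overwritten with null.
    static List<String> bind(Object entity, Map<String, Object> submitted,
                             String user, PropertyAcl acl) throws Exception {
        List<String> rejected = new ArrayList<>();
        for (PropertyDescriptor pd : Introspector
                .getBeanInfo(entity.getClass(), Object.class).getPropertyDescriptors()) {
            if (!submitted.containsKey(pd.getName())) continue;
            boolean mayWrite = acl.accessFor(pd.getName(), user) == Access.WRITE;
            if (mayWrite && pd.getWriteMethod() != null) {
                pd.getWriteMethod().invoke(entity, submitted.get(pd.getName()));
            } else {
                rejected.add(pd.getName()); // denied write: report or log it
            }
        }
        return rejected;
    }
}
```

The returned list lets the action class decide whether a denied property fails the whole request or is dropped and logged before the entity is saved.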


  • #2
    I'd point you towards this thread, which discusses the pros and cons of the various solutions you have available: