This topic is closed

  • @Secured meets Domain Object

    I use Spring 2.5.4, Spring Security 2.0.3 and Hibernate 3.2.5.

    I have the following Domain Object Structure:
    AbstractDomainObject (abstract class implementing interface IDomainObject)
    - SpecificDomainObjectA (class extending abstract class, implementing specific interface ISpecificDomainObjectA)
    - SpecificDomainObjectB (class extending abstract class, implementing specific interface ISpecificDomainObjectB)

    The domain objects are created via hibernate (using DAOs).
    I use domain object security to secure my domain objects (http://static.springframework.org/sp...main-acls.html).

    Now, I want to do the following...

    The AbstractDomainObject has a convenience method:
    Code:
    @Secured({"ROLE_MANAGER","ACL_DOMAINOBJECT_DELETE"})
    boolean isDeletable() {
      return true;
    }
    ... which is intended to let the domain object itself know whether it is deletable or not.

    I wrote a test case that sets up a user with insufficient authorities in the security context and expects an AccessDeniedException.
    The method always returns true and the exception is never thrown.
    I assume that the @Secured annotation is not interpreted by Spring.

    I did not find any example where ACLs are used with the @Secured annotation.

    Is it possible to use @Secured annotations for beans not created in the application context / created by Hibernate?

    Another solution would be to implement that "isDeleteable" question in a service which is created by Spring's BeanFactory. There the annotation should work, shouldn't it?

    Thanks for an answer. Ideas are very welcome!

  • #2
    I have the same problem too. Did somebody find a solution?



    • #3
      Originally posted by dart
      I have the same problem too. Did somebody find a solution?
      Hey dart,

      my solution was the one I provided above:
      to implement that "isDeleteable" question in a service which is created by Spring's BeanFactory
      The service method contains the domain object in the signature and is annotated with @Secured. Spring's domain security will look for a field "id" in that domain object and check ACL for the required authorities and the current user. That's it.



      • #4
        Thanks, memento!

        I found yet another solution! We can use @Secured in our interfaces. So we first need to create interfaces for our domain objects.

        Example:
        class User implements Locatable {
            private Location location;

            public Location getLocation() {
                return location;
            }
        }

        interface Locatable {
            @Secured({"AFTER_ACL_READ"})
            public Location getLocation();
        }

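The behaviour discussed in this thread, as an added example that is not taken from any of the posts or from Spring Security: an authorization annotation is only metadata, so it is enforced only when the call passes through an intercepting proxy, never when the object is created directly (for instance by an ORM or with `new`). The example uses the JDK only; `RequiresAuthority`, `Deletable`, `DomainObject` and `secure` are hypothetical stand-ins for `@Secured`, the domain interface, the Hibernate-loaded object and the container's proxying.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class SecuredProxyDemo {
    // Stand-in for @Secured (hypothetical, not the Spring Security annotation).
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RequiresAuthority { String[] value(); }

    interface Deletable {
        @RequiresAuthority({"ROLE_MANAGER"})
        boolean isDeletable();
    }

    // Plays the role of the domain object that is loaded outside the container.
    static class DomainObject implements Deletable {
        public boolean isDeletable() { return true; }
    }

    // Wraps a target so that every call is checked against the annotation first.
    static Deletable secure(Deletable target, Set<String> granted) {
        InvocationHandler h = (proxy, method, args) -> {
            RequiresAuthority r = method.getAnnotation(RequiresAuthority.class);
            if (r != null && !granted.containsAll(Arrays.asList(r.value()))) {
                throw new SecurityException("Access denied: " + method.getName());
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // rethrow what the target itself threw
            }
        };
        return (Deletable) Proxy.newProxyInstance(
            Deletable.class.getClassLoader(), new Class<?>[] {Deletable.class}, h);
    }

    public static void main(String[] args) {
        Set<String> granted = Collections.singleton("ROLE_USER"); // constructed: insufficient authorities
        Deletable raw = new DomainObject(); // created directly, no interceptor in the call path
        System.out.println("direct call: " + raw.isDeletable()); // annotation is never consulted
        Deletable proxied = secure(raw, granted);
        try {
            proxied.isDeletable();
            System.out.println("proxied call: allowed");
        } catch (SecurityException e) {
            System.out.println("proxied call: " + e.getMessage());
        }
    }
}
```

A test that expects an access-denied exception therefore has to call the method through the proxied reference; asserting on the raw object only shows that the annotation is present, not that it is enforced.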