  • How do I apply ACL to domain objects?

    I am trying to secure my domain objects using @PreAuthorize. I can easily check access to objects by using #-references to parameters but how can I check access against the current object that is annotated? The optimal way would be to do:

    @PreAuthorize(this, 'write')

    But there is nothing about this in the documentation.

    Thanks

  • #2
    I have the same thing in mind - in a Roo project, lots of methods that need securing don't have parameters (e.g., Contact.persist()).

    Have you figured this out or confirmed that it's just not possible?

    [My hunch is that @PreAuthorize cannot provide access to the parent object. But "this" would sure be handy for apps that don't have an overarching services layer.]



    • #3
      Mike,

      I ended up implementing my own AOP-based ACL that I use to secure all domain object methods like this:

      @AccessControlled(Permission.VIEW)
      public String getName();

      I ended up doing this because Spring ACL was insufficient in many aspects. My implementation makes the permissions part of the domain layer and has support for permission inheritance. It adds some overhead, but in my case it is worth it because it lets me do searches for entities based on permissions, etc. Let me know if this sounds interesting.

      Piotr


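As an added illustration of the interception-based approach described in #3 (this is not Spring Security's API and not Piotr's implementation), the following self-contained Java program uses a JDK dynamic proxy in place of AspectJ: an @AccessControlled annotation on the domain method names the required permission, and the proxy checks that permission against the intercepted target object, which is exactly the "this" the original post wants to reference. The Permission enum, AclStore interface, Contact domain type and the ACL contents are constructed for the example.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

// Added example: an annotation-driven ACL enforced by an interceptor that sees the
// target object. Not Spring Security code; names below are this example's own.
public final class AccessControlDemo {

    enum Permission { VIEW, WRITE }

    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface AccessControlled { Permission value(); }

    // Hypothetical permission source: which permissions a principal holds on a given object.
    interface AclStore {
        Set<Permission> permissionsFor(String principal, Object target);
    }

    static final class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    // Domain interface; the interceptor reads the annotation from the interface method.
    interface Contact {
        @AccessControlled(Permission.VIEW)
        String getName();

        @AccessControlled(Permission.WRITE)
        void persist();
    }

    static final class ContactImpl implements Contact {
        private final String name;
        boolean persisted;
        ContactImpl(String name) { this.name = name; }
        public String getName() { return name; }
        public void persist() { persisted = true; }
    }

    // Wraps the target in a proxy that enforces @AccessControlled against the real
    // target instance before delegating the call to it.
    static <T> T secure(Class<T> iface, T target, String principal, AclStore acl) {
        InvocationHandler handler = (proxy, method, args) -> {
            AccessControlled ac = method.getAnnotation(AccessControlled.class);
            if (ac != null) {
                Set<Permission> granted = acl.permissionsFor(principal, target);
                if (!granted.contains(ac.value())) {
                    throw new AccessDeniedException(principal + " lacks " + ac.value()
                        + " on " + method.getDeclaringClass().getSimpleName()
                        + "." + method.getName());
                }
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // unwrap the domain method's own exception
            }
        };
        return iface.cast(Proxy.newProxyInstance(
            iface.getClassLoader(), new Class<?>[] { iface }, handler));
    }

    public static void main(String[] args) {
        ContactImpl raw = new ContactImpl("Alice");

        // Constructed ACL: "bob" holds VIEW, but not WRITE, on this one contact instance.
        Map<Object, Set<Permission>> grants = new IdentityHashMap<>();
        grants.put(raw, EnumSet.of(Permission.VIEW));
        AclStore acl = (principal, target) -> principal.equals("bob")
            ? grants.getOrDefault(target, EnumSet.noneOf(Permission.class))
            : EnumSet.noneOf(Permission.class);

        Contact secured = secure(Contact.class, raw, "bob", acl);
        System.out.println(secured.getName());   // allowed: VIEW is granted
        try {
            secured.persist();                   // denied: WRITE is not granted
        } catch (AccessDeniedException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Two caveats follow from the proxy design. First, a proxy only sees calls that go through it: a method on the domain object that calls another of its own annotated methods via `this` bypasses the check, which is one reason to weave the check in with AspectJ as #3 and #4 describe rather than rely on a proxy. Second, checking against the target assumes the target already has an identity the ACL can key on; for persist() of a brand-new entity there is nothing in the store yet, so the policy for creating objects has to be expressed some other way (for example on the owning object or a class-level permission).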

      • #4
        Piotr, thanks for sharing. It does sound interesting, but probably a bit too complex for my particular case. My fallback position is to use a few AspectJ pointcuts and my own logic.

        Anyway I have requested this feature: https://jira.springsource.org/browse/SEC-1640
