wow,
i did include some typos my mail,
excuse me,
i'll correct them now:
Wim Lambrecht schreef:
> Hi,
>
> I have a java (service) interface and an implementation and i want to
> apply transactional (using Springs @Transactional annotation) and
> security (using Acegi's @Secured annotation) aspects on it.
> I'm pretty sure i can manage to use then in a separate setup/deployment
> (meaning: either transactional or secured), but both at the same time
> does not give me the desired result.
>
> My setup:
> - an java interface for my service
> - an implementation of that service interface
> - i want it to be secure and transactional guarded.
> I must be honest: i'm actually using a manually configured
> transactionale proxy (using TransactionProxyFactoryBean) in combinatie
> with acegi's @Secured annotation (using auto-proxing via
> DefaultAdvisorAutoProxyCreator and MethodDefinitionSourceAdvisor).
> - the TransactionProxyFactoryBean is directly in front of my actual
> service implementation
> - the @Secured stuff is annotated on some methods on the service interface.
>
> public interface OrderService {
>
> @Secured({ROLE_ORDERMANAGER})
> public void deleteOrder(Order o);
>
> //...
> }
>
> public class StandardOrderService implements OrderService {
>
> OrderDAO orderDAO = ...
>
> public void deleteOrder(Order o) {
> someOrderDAO.deleteOrder(o);
> }
>
> }
>
> //spring-config extraction:
> <bean id="orderService"
> class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
> <property name="transactionManager">
> <ref bean="myTransactionManager"/>
> </property>
> <property name="target">
> <ref local="orderServiceNoTX"/>
> </property>
> <property name="transactionAttributes">
> <props>
> <prop key="delete*">PROPAGATION_REQUIRED</prop>
> <!-- etc -->
> </props>
> </property>
> </bean>
>
> <bean id="orderServiceNoTX" class="org.myorg.order.StandardOrderService">
> // stuff (like DAO config etc)
> </bean>
> //spring-config extraction (END)
>
>
> What happens:
> (---> is 'target')
> - my service implementation gets proxied, which is great:
> $proxy12 (tx-proxy) ----> actual service implementation
> - since the 'tx-proxy' also implements (i guess) my OrderService, it
> gets secured-proxied, again 'great', that's what i like. But naturally
> my service implementation also implements my OrderService interface, so
> it gets secured-proxied as well. So, i end up with 2 security interceptions:
> $proxy13 (sec-proxy on tx-proxy) ---> $proxy12 (tx-proxy) ---->
> $proxy14 (second sec-proxy !) --->actual service implementation
>
>
> What i desire:
> - the best possible setup, so that calls to the service implementation
> go through maximum 2 proxies, being: 1) the security front and 2) (ones
> you're in) the transactional protection.
> - i like to use the @Transactional approach instead, so that security and
> transactional behavior can be annotated (no config-file fuzz).
>
> - this seems like a common behaviour, so i guess someone else must have
> this needs too (and maybe already has a nice patterns in place).
>
> Questions (and suggestions of my own, which i want to check with the
> community)
> - use 'TransactionAttributeSourceAdvisor ' instead off
> 'TransactionProxyFactoryBean'.
> - maybe i can chain up the advisors (TransactionAttributeSourceAdvisor
> and MethodDefinitionSourceAdvisor) and order them.
>
- really avoid <proxyInterfaces> (MethodInterceptor) -> leaving
spring-config files generic and annotate behavior.
> - where's the best place to annotate my transactions: i guess that would
> be on my actual service implementation, but, on the other hand, it could
> as well be great to put it on the service interface, since this is the
> transactional behaviour for anyone who uses my interface-contract.
> - where's the best place to annotated my security layer: i would say the
> service interface (for the same reason as with the transaction
> annotations).
>
>
I could find out some solutions myself, but maybe you guys have some
great ideas ...
> So i'm really looking for some best practices in that area (but i know
> that all this can be very application specific, but nevertheless).
>
> thanks in advice !
> -wil-
>
>
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
