Can't this be done using Method Security MethodInvocation security in Acegi? Not sure how you know it is a CEO employee declaratively, though. I guess this is what you are asking.
Like:
sample.Employee.getSalary=ROLE_MANAGER
sample.Employee.getAddress=ROLE_ALL
Sorry, I know the example is not adequate.
Has any thought been given to adding instance based security support to Acegi?
This seems to be a common requirement. Basically, what I mean by this is that you can apply security constraints (hopefully in a declarative fashion) to an object class with rules that are capable of discriminating on instance data. As an example, say you have an Employee object with a salary property. Only some roles should be allowed to view the salary. And only some roles should be able to view any information related to a CEO Employee.
As an implementation example, I have recently had to implement something similar to this, and I did so by applying aspects to my service instances. As DTOs enter and leave a service, my aspect would inspect the various object instances and apply the declarative security constraints. In our case, it was even more involved, as we needed the ability to actually modify the DTO: if a property was "off limits", then its value would be replaced with a secured value. This way, when the DTO is transmitted to a client (via a web service), the sensitive information will not be sent across the wire. Such security constraints also had the ability to enforce data operations: create, read, update, delete. So, for example, I could say that a role can read the salary field, but not be allowed to change the salary field. We also provided a mechanism whereby a client can ask for a "security map" of an instance (or a class, for more general cases), so that it can know what security constraints are in effect for a particular object. This is useful to dynamically alter a UI based on what is allowed on an instance.
Thoughts, comments?
- Andy
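
The instance-based constraints discussed in this thread, sketched as an added example that is not part of the original messages and is not Acegi code: field-level rules with an instance predicate, a per-instance "security map", and masking of a DTO before it leaves the service. It assumes Java 17; `ROLE_MANAGER` and `ROLE_ALL` come from the reply above, while `ROLE_HR`, `ROLE_BOARD` and all class, field and method names are hypothetical.

```java
import java.util.*;
import java.util.function.Predicate;
// Added illustration: every name below is hypothetical; none of it is Acegi API.
public class InstanceSecurityDemo {
    enum Op { READ, UPDATE }
    record Employee(String title, String address, Integer salary) {} // constructed DTO
    // One declarative rule: field ("*" = any), op, role; enforced only when appliesTo matches.
    record Rule(String field, Op op, String role, Predicate<Employee> appliesTo) {}
    static final Predicate<Employee> ANY = e -> true;
    static final Predicate<Employee> CEO = e -> "CEO".equals(e.title());
    static final List<String> FIELDS = List.of("title", "address", "salary");
    static final List<Rule> RULES = List.of(
        new Rule("title", Op.READ, "ROLE_ALL", ANY),
        new Rule("address", Op.READ, "ROLE_ALL", ANY),
        new Rule("salary", Op.READ, "ROLE_MANAGER", ANY),
        new Rule("salary", Op.UPDATE, "ROLE_HR", ANY),
        new Rule("*", Op.READ, "ROLE_BOARD", CEO));

    // Default deny: some rule must match, and every matching rule's role must be held.
    static boolean allowed(Employee e, String field, Op op, Set<String> roles) {
        List<Rule> hits = RULES.stream().filter(r -> r.op() == op && r.appliesTo().test(e)
            && (r.field().equals(field) || r.field().equals("*"))).toList();
        return !hits.isEmpty() && hits.stream().allMatch(r -> roles.contains(r.role()));
    }

    // The per-instance "security map" a client can request to adapt its UI.
    static Map<String, Set<Op>> securityMap(Employee e, Set<String> roles) {
        Map<String, Set<Op>> map = new LinkedHashMap<>();
        for (String f : FIELDS) {
            map.put(f, EnumSet.noneOf(Op.class));
            for (Op op : Op.values()) if (allowed(e, f, op, roles)) map.get(f).add(op);
        }
        return map;
    }

    // As a DTO leaves the service, unreadable values become a secured value (null).
    static Employee mask(Employee e, Set<String> roles) {
        return new Employee(allowed(e, "title", Op.READ, roles) ? e.title() : null,
            allowed(e, "address", Op.READ, roles) ? e.address() : null,
            allowed(e, "salary", Op.READ, roles) ? e.salary() : null);
    }

    public static void main(String[] args) {
        Set<String> manager = Set.of("ROLE_ALL", "ROLE_MANAGER"); // constructed caller
        for (Employee e : List.of(new Employee("Engineer", "1 Main St", 90000),
                                  new Employee("CEO", "2 Hill Rd", 900000)))
            System.out.println(mask(e, manager) + " " + securityMap(e, manager));
    }
}
```

Because the CEO rule is a predicate on the instance rather than on the class, the same caller sees the engineer's fields but receives a fully masked DTO and an empty security map for the CEO record.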
_______________________________________________
Acegisecurity-developer mailing list