Thanks Ben,
What I'm trying to do on a functional level is quite straightforward.
The application that I am writing is intended for the real estate business.
In this business a sales agent will only be able to view/edit properties that he/she has been assigned/brought into the company.
So when, for example, an agent does a search for houses, they should only be returned those that they are in charge of.
The way that I have been doing this previously (with Hibernate) has been to do the following.
Create a SystemUser object (id, name, password, username) and add it to the session.
When I call my service bean the method call would be like this:
    public List getAllMyProperties(SystemUser user);
or
    public List getAllMySalesStaff(SystemUser user);
or
    public Integer addOrUpdateForSaleProperty(ForSaleProperty prop, SystemUser user);
So I was thinking it would be cool if I could somehow get Acegi working in such a
way that it would either set the user id onto the service bean or set it onto the
systemUserHolder bean.
That way I would just be able to do this.
    public Integer addOrUpdateForSaleProperty(ForSaleProperty prop) {
        // The current user comes from the injected holder, not from the caller
        SystemUser user = this.systemUserHolder.getSystemUser();
        return this.propertyManipulationDAO.addOrUpdateForSaleProperty(prop, user);
    }
This would make my service interfaces really clean and mean that it would be a lot easier to expose them as web
services.
If it set the user/user id onto the systemUserHolder bean it would be cool because
for unit testing I could swap it out with a mock class. If I were to call
    SecureContext secureContext = (SecureContext) ContextHolder.getContext();
    systemUser = (SystemUser) secureContext.getAuthentication().getDetails();
directly from within the service bean it would make it dependent on your framework and mean that I couldn't unit test it without initialising security through Acegi.
I hope that this is a little clearer, to be honest I'm better at understanding than explaining :-)
--b
Ben Alex wrote:
bryan wrote:
Then my methods that are in the orderService class can call systemUserHolder.getSystemUser().getId() and do searches for example where the user is only allowed
to see financial data for a certain region.
I am very much new to Spring so if I'm completely off the mark here feel free to flame me. I think this code will be a good reference implementation if I can get it working well.
--b
Hi Bryan
Not sure what you're trying to do, but on first glance there should be no need to have your orderServiceTarget have a reference to systemUserHolder. Typically any security checks would take place within an AccessDecisionVoter, which is handed the Authentication object directly. Should the Authentication object require some custom methods, you'd probably achieve that by implementing a custom AuthenticationDao (assuming you're using DaoAuthenticationProvider, which is most common). Now if the custom methods only relate to access control, you'd be well served to check out the new net.sf.acegisecurity.acl.basic package, as it would probably solve your goals in a more efficient way.
If you could let the list know what you're trying to achieve at a functional level, we'd be able to point you to specific classes and interfaces to implement etc.
Best regards Ben
------------------------------------------------------- SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33 Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift. http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285 _______________________________________________ Acegisecurity-developer mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
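The holder arrangement discussed in this thread, as an added example that is not part of the original messages and is not Acegi code: SystemUserHolder is given an interface, and ThreadLocalSystemUserHolder, PropertyService and Property are hypothetical names. A ThreadLocal stands in for the Acegi security context so the code runs without the framework, and the property list is constructed sample data.

```java
import java.util.ArrayList;
import java.util.List;

// Added example: all names are hypothetical; a ThreadLocal stands in for the Acegi context.
public class HolderExample {
    record SystemUser(int id, String username) {}
    record Property(int id, String address, int agentId) {}

    // The only security-related type the service bean depends on.
    interface SystemUserHolder { SystemUser getSystemUser(); }

    // Request-time holder: a security filter binds the authenticated user to the thread.
    static class ThreadLocalSystemUserHolder implements SystemUserHolder {
        private static final ThreadLocal<SystemUser> CURRENT = new ThreadLocal<>();
        static void bind(SystemUser user) { CURRENT.set(user); }
        static void clear() { CURRENT.remove(); }
        public SystemUser getSystemUser() {
            SystemUser user = CURRENT.get();
            // Fail closed: without an authenticated user there is no result, never "all rows".
            if (user == null) throw new IllegalStateException("no authenticated user bound");
            return user;
        }
    }

    static class PropertyService {
        private final SystemUserHolder holder;
        private final List<Property> store; // constructed sample data standing in for the DAO
        PropertyService(SystemUserHolder holder, List<Property> store) {
            this.holder = holder;
            this.store = store;
        }
        // No SystemUser parameter: a caller cannot choose whose properties are returned.
        List<Property> getAllMyProperties() {
            int me = holder.getSystemUser().id();
            List<Property> mine = new ArrayList<>();
            for (Property p : store) if (p.agentId() == me) mine.add(p);
            return mine;
        }
    }

    public static void main(String[] args) {
        List<Property> store = List.of(new Property(1, "12 Oak St", 7),
                new Property(2, "3 Elm Rd", 8), new Property(3, "9 Ash Ln", 7));
        // Unit-test style: a lambda replaces the real holder, no security setup needed.
        PropertyService testSvc = new PropertyService(() -> new SystemUser(8, "carol"), store);
        System.out.println(testSvc.getAllMyProperties());
        // Request style: bind, call, then always clear so a pooled thread keeps no identity.
        PropertyService svc = new PropertyService(new ThreadLocalSystemUserHolder(), store);
        ThreadLocalSystemUserHolder.bind(new SystemUser(7, "alice"));
        try { System.out.println(svc.getAllMyProperties()); }
        finally { ThreadLocalSystemUserHolder.clear(); }
    }
}
```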