I would definitely suggest the first of your choices; you can define as many advisors as you want for a proxy bean. The order in which they are defined in the list of interceptorNames controls their order of execution. If you have defined the advisor containing your login advice to catch all methods (or createNNN and editNNN), and an advisor containing the authorization or permissions-based advice to only catch methods such as editNNN, then by adding the login advisor first in the list of interceptor names, you can be sure that it is executed before the permissions advisor.

-Chris


On Aug 7, 2006, at 3:35 PM, Christopher Bradford wrote:

I'm implementing AOP security for an application, and find that there are some process dependencies in security. For example, while some methods (e.g., createNNN) only require that the user is logged in, others (such as editNNN) require that the user be both logged in and authorized for the NNN in question. I can see three possibilities for implementing this and wondered what the best practice might be.
 
1. Add all the methods that require authorization to my LoginAdvisor as well as to the AuthorizationAdvisor, then add both advisors to the proxy bean.
2. Create a proxy bean that uses the LoginAdvisor for each proxy bean that uses the AuthorizationAdvisor (double proxy).
3. Make the AuthorizationAdvice dependent on the LoginAdvice and call the LoginAdvice's before() method at the top of the AuthorizationAdvice's before() method.
 
I see pros and cons to each of these approaches. Is there one that should be preferred?
 
Thanks,

Christopher Bradford
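The ordering described in the reply, written out as a Spring bean definition. This is an added configuration example, not part of the original thread. The bean ids and the `com.example` classes are hypothetical, and `create*` / `edit*` stand in for the createNNN and editNNN methods.

```xml
<!-- Added example: bean ids and com.example.* classes are hypothetical. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd">

  <!-- The unsecured implementation that the proxy wraps. -->
  <bean id="nnnServiceTarget" class="com.example.NnnServiceImpl"/>

  <!-- Before-advice beans: one checks the session, one checks permissions. -->
  <bean id="loginAdvice" class="com.example.security.LoginAdvice"/>
  <bean id="authorizationAdvice" class="com.example.security.AuthorizationAdvice"/>

  <!-- Login check applies to every method that needs an authenticated user. -->
  <bean id="loginAdvisor"
        class="org.springframework.aop.support.NameMatchMethodPointcutAdvisor">
    <property name="advice" ref="loginAdvice"/>
    <property name="mappedNames">
      <list>
        <value>create*</value>
        <value>edit*</value>
      </list>
    </property>
  </bean>

  <!-- Permission check applies only to methods that act on an existing NNN. -->
  <bean id="authorizationAdvisor"
        class="org.springframework.aop.support.NameMatchMethodPointcutAdvisor">
    <property name="advice" ref="authorizationAdvice"/>
    <property name="mappedNames">
      <list>
        <value>edit*</value>
      </list>
    </property>
  </bean>

  <!-- List order is execution order: login runs before authorization. -->
  <bean id="nnnService" class="org.springframework.aop.framework.ProxyFactoryBean">
    <property name="proxyInterfaces" value="com.example.NnnService"/>
    <property name="target" ref="nnnServiceTarget"/>
    <property name="interceptorNames">
      <list>
        <value>loginAdvisor</value>
        <value>authorizationAdvisor</value>
      </list>
    </property>
  </bean>
</beans>
```

Callers must be wired to `nnnService` (the proxy); a reference to `nnnServiceTarget` bypasses both checks.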

