Suppose there are two groups developing a Seam application: one group in charge
of Facelets templates and the other in charge of business logic (session beans
and entities). Imagine I have an entity like the following:

    @Entity
    class BankClient {
        public Long getAccountNumber() {...}
    }

"accountNumber" is a property only readable by users with the "manager"
permission. Suppose a view tier developer adds a text like this in their
template:

    <h:outputText value="#{bankClient.accountNumber}" />

There is no way to check that the view developer doesn't include restricted
properties in the template. The only way to check security constraints on data
bean properties is to pass DTOs instead of entities to the view layer. A robust
design is very hard without a way to restrict properties. The solution would be
an annotation like this:

    @RestrictProperty("#{s:hasPermission('manager')}")
    public Long getAccountNumber() {...}

I hope to find an approach like this in a future Seam release.
Best Regards.
-- Andres Testi
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4103922#4103922
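
A sketch of how the property-level check requested in the post could behave, as an added example that is not part of the original post and is not Seam code. The `RestrictProperty` annotation here is hypothetical and takes a plain permission name instead of an EL expression; the `read` helper, the caller's permission set and the sample bean values are constructed assumptions.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Set;

public class RestrictPropertyDemo {

    // Hypothetical annotation: names the permission required to read a getter.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface RestrictProperty { String value(); }

    // Constructed sample bean standing in for the BankClient entity.
    public static class BankClient {
        public String getName() { return "Constructed Client"; }

        @RestrictProperty("manager")
        public Long getAccountNumber() { return 1234567890L; }
    }

    // Resolves bean.property the way a view-layer expression would, but fails
    // closed when the getter is restricted and the caller lacks the permission.
    static Object read(Object bean, String property, Set<String> permissions) throws Exception {
        for (PropertyDescriptor pd : Introspector.getBeanInfo(bean.getClass()).getPropertyDescriptors()) {
            Method getter = pd.getReadMethod();
            if (getter == null || !pd.getName().equals(property)) continue;
            RestrictProperty r = getter.getAnnotation(RestrictProperty.class);
            if (r != null && !permissions.contains(r.value())) {
                throw new SecurityException("Permission '" + r.value() + "' required to read " + property);
            }
            return getter.invoke(bean);
        }
        throw new IllegalArgumentException("No readable property: " + property);
    }

    public static void main(String[] args) throws Exception {
        BankClient client = new BankClient();
        System.out.println(read(client, "name", Set.of()));                   // unrestricted getter
        System.out.println(read(client, "accountNumber", Set.of("manager"))); // caller holds permission
        try {
            read(client, "accountNumber", Set.of("teller"));                  // caller lacks permission
        } catch (SecurityException e) {
            System.out.println("Denied: " + e.getMessage());
        }
    }
}
```

The check only protects the entity if every read from the template goes through it, so in a JSF application it would have to sit in the expression resolution path rather than in a helper that view code can choose not to call.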