Understanding the Capabilities of Acegi

[Loumeister]

I have a situation where I would like to do row-level security with user id and/or role information. For instance, maybe a user with a role A could see record X in the database, while user with Role B could not see record X but could see record Y. We have a role field in the database that would maintain this information, so can Acegi somehow help to assertain if a user is authorized to see his/her records without me having to write this logic in the service layer?

Thanks,
Lou

[Rexxe]

I don't think Ageci is the solution here. I think you just want to use plain old SQL. If you already know which rows the user can see based on his role, why can't you just query the table using the user's role? Since you are using Ageci it's very easy to get the user and its roles anywhere in your app using the ContextHolder.

[Ben Alex]

As shown by the new Contacts sample application in CVS, Acegi Security has a comprehensive ACL solution that would fit your needs perfectly.

The decision on doing ACL security in the database or the Java layer is really very application-specific and not possible to answer without understanding more about the problem domain. For example, I had a content management requirement that was simply more elegant to do in the database due to free-text search pagination. However, in most other cases I've used Acegi Security's ACL services.