I want to control read/write access to properties of POJOs depending on
the user who created the object. For example user A creates object O and
user A should read and write,
user B should only read, and
user C should neither read nor write the property P of object O.
After reading the good written ACEGI Security manual I think about
extending ACL security to handle property based ACL. For controling
property read access in the view I can use some taglib (authz or my one),
which displays nothing, the property value as text or an Html input field
with the property value. But how to handle write control? I can imagine a
solution for my Struts (UI) + Spring + Hibernate web app (AppFuse), but
it doesn't fit in the nice AOP-based architecture ACEGI is using:
The web client wants to update the POJO and sends changed values to
the web app. In the Struts acion class the POJO is retrieved from the
database (to keep the Hibernate references to other objects) and for
every property a security check is performed before the value is copied
to the POJO. This would work, but is not a nice design.
The problem I see with intercepting the setter and getter method calls
(like I would like to do use with ACEGI Security) to the POJO is that
some properties would be null and this "wrong" values would be written
to the database.
Any suggestions how to deal with property-based access control would