-
Mar 22nd, 2007, 01:16 PM
#1
What level to apply ACL security at?
Hi,
We are using role-based security with role voter on the service layer methods.
We are also looking at using ACL security. Originally I was going to apply this to the service layer also, but I'm now thinking it might make more sense to apply the ACL security at the DAO layer.
For example if I have a service layer:
createDomainObject1(DomainObject1 domainObject1)
updateDomainObject1(DomainObject1 domainObject1)
closeDomainObject1(Long id)
reopenDomainObject1(Long id)
retrieveDomainObject1(Long id)
deleteDomainObject1(Long id)
reopenDomainObject1(DomainObject1 domainObject1)
createDomainObject2(DomainObject2 domainObject2)
etc
And the dao for DomainObject1:
DomainObject1Dao.create(DomainObject1 domainObject1)
DomainObject1Dao.update(DomainObject1 domainObject1)
DomainObject1Dao.retrieve(Long id)
DomainObject1Dao.findByName(String name)
DomainObject1Dao.delete(Long id)
Now if the service layer methods updateDomainObject1(DomainObject1 domainObject1), closeDomainObject1(Long id), reopenDomainObject1(Long id) all involve updating the domain object, i.e. calling the dao update method, then the system seems more robust if I put the update ACL check on the dao update method, otherwise I may forget to apply it to some service method in the future. Likewise for after invocation read and collection filtering - it seems safer to apply these at the dao layer also, as any service layer method that uses this information will have to go through the dao layer.
Is this a sensible approach - i.e. have two layers of method invocation security?
On a related issue, the new ACL module voters and afterinvocationproviders require the domain object to act on; however, methods such as retrieve or delete (whether in the service layer or dao layer) usually only provide the object id. How should this be handled?
Thanks for any help
Dave
-
Mar 22nd, 2007, 01:25 PM
#2
I've had this discussion a few times before with other people. You could add it to the dao layer just to make sure. There are issues when you use something like Hibernate though. As you don't actually have to persist the change explicitly, it's possible to only have the read permission but to still update an object.
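
The gap described in reply #2, as an added example that is not part of either post and is not Hibernate or Acegi code: a constructed toy session with automatic dirty checking, where the ACL check sits only on the DAO's update method. All class and method names here (ToySession, Dao, Doc, run) are hypothetical.

```java
import java.util.*;

// Constructed model: ToySession imitates an ORM session that writes back
// changed objects at flush; Dao carries the method-level ACL checks.
public class DirtyCheckDemo {
    enum Permission { READ, WRITE }

    static class Doc {
        final long id; String name;
        Doc(long id, String name) { this.id = id; this.name = name; }
    }

    static class ToySession {
        final Map<Long, String> db = new HashMap<>();   // stored rows
        final Map<Long, Doc> loaded = new HashMap<>();  // managed objects
        final Set<Permission> granted;                  // caller's ACL entries
        final boolean checkAtFlush;                     // second check at write-back
        ToySession(Set<Permission> granted, boolean checkAtFlush) {
            this.granted = granted; this.checkAtFlush = checkAtFlush;
        }
        Doc load(long id) { return loaded.computeIfAbsent(id, k -> new Doc(k, db.get(k))); }
        // Every managed object whose state differs from the row is written back.
        void flush() {
            for (Doc d : loaded.values()) {
                if (d.name.equals(db.get(d.id))) continue;
                if (checkAtFlush && !granted.contains(Permission.WRITE))
                    throw new SecurityException("WRITE denied on " + d.id);
                db.put(d.id, d.name);
            }
        }
    }

    static class Dao {
        final ToySession s;
        Dao(ToySession s) { this.s = s; }
        Doc retrieve(long id) { require(Permission.READ); return s.load(id); }
        void update(Doc d) { require(Permission.WRITE); s.loaded.put(d.id, d); }
        void require(Permission p) {
            if (!s.granted.contains(p)) throw new SecurityException(p + " denied");
        }
    }

    // Returns the stored name after a READ-only caller edits a retrieved object.
    static String run(boolean checkAtFlush) {
        ToySession s = new ToySession(EnumSet.of(Permission.READ), checkAtFlush);
        s.db.put(1L, "original");
        Doc d = new Dao(s).retrieve(1L);  // passes the READ check
        d.name = "changed";               // Dao.update() is never called
        try { s.flush(); } catch (SecurityException e) { /* write rejected */ }
        return s.db.get(1L);
    }

    public static void main(String[] args) {
        System.out.println("ACL on Dao.update only: " + run(false));
        System.out.println("ACL also at flush:      " + run(true));
    }
}
```

With the check only on Dao.update the stored row ends up modified by a caller holding READ alone; with the additional check at flush time the row keeps its original value. Placing the second check at write-back is this example's assumption about where such a check would go, not something the thread states.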