Jan 20th, 2008, 06:32 AM
I'm thinking about securing some methods in my application. I know that I can use Acegi to block access to some objects for certain user roles. But I've noticed that I need something else. For example, a user can only see his friends' profiles, which are returned by showProfile(userId,targetId). I can restrict access to this method to ROLE_USER, but is it possible to intercept this and, if the ids are not correct, block them using AOP? How can I do this?
Jan 21st, 2008, 07:28 AM
I don't have a lot of experience with AOP actually, I'm just starting out myself, but I'd say: intercept the method using around advice; check the userId whichever way you like; if it's correct, do invoke.proceed(); if it's incorrect, throw an exception and don't let it continue.
Another possibility is setting an extra boolean flag in the function, which indicates if the function should be executed. But I think this isn't the kind of option you would wanna implement, as you'll actually link the interceptor architecture to your software.
In any case, just my 2 cents.
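One way to write the around advice the reply sketches, as an added example that is not from this thread: a Spring AOP aspect (AspectJ annotations) that wraps showProfile, checks the ids against Acegi's SecurityContextHolder and an assumed FriendshipRepository, and only calls proceed() when they pass. It assumes a ProfileService.showProfile(String userId, String targetId) in package com.example, that the principal name is the user id, and that the aspect is registered as a bean with aspectj-autoproxy enabled.

```java
import org.acegisecurity.AccessDeniedException;
import org.acegisecurity.Authentication;
import org.acegisecurity.context.SecurityContextHolder;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;

// Assumed collaborator (not from the thread): answers whether two users are friends.
interface FriendshipRepository {
    boolean isFriend(String userId, String otherId);
}

@Aspect
public class FriendsOnlyProfileAspect {

    private final FriendshipRepository friendships;

    public FriendsOnlyProfileAspect(FriendshipRepository friendships) {
        this.friendships = friendships;
    }

    // Intercepts the assumed com.example.ProfileService.showProfile(String, String)
    // and binds both arguments so the check can use them.
    @Around("execution(* com.example.ProfileService.showProfile(String, String)) && args(userId, targetId)")
    public Object checkFriendship(ProceedingJoinPoint pjp, String userId, String targetId) throws Throwable {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new AccessDeniedException("no authenticated user");
        }
        // The caller-supplied userId is not trusted on its own: it has to be the
        // logged-in principal, or the check could be passed someone else's id.
        if (!auth.getName().equals(userId)) {
            throw new AccessDeniedException("userId does not match the authenticated user");
        }
        // A user may always see his own profile; anyone else must be a friend.
        if (!userId.equals(targetId) && !friendships.isFriend(userId, targetId)) {
            throw new AccessDeniedException("target is not a friend of " + userId);
        }
        // Ids are acceptable: run showProfile and hand back its result unchanged.
        return pjp.proceed();
    }
}
```

The advice only runs for calls that go through the Spring proxy, so a call to showProfile from another method of the same ProfileService bean bypasses it; keep that in mind when deciding which methods to guard.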