Thread: @Secured meets Domain Object

  1. #1

    Question @Secured meets Domain Object

    I use Spring 2.5.4, Spring Security 2.0.3 and Hibernate 3.2.5.

    I have the following Domain Object Structure:
    AbstractDomainObject (abstract class implementing interface IDomainObject)
    - SpecificDomainObjectA (class extending abstract class, implementing specific interface ISpecificDomainObjectA)
    - SpecificDomainObjectB (class extending abstract class, implementing specific interface ISpecificDomainObjectB)

    The domain objects are created via hibernate (using DAOs).
    I use domain object security to secure my domain objects (http://static.springframework.org/sp...main-acls.html).

    Now, I want to do the following...

    The AbstractDomainObject has a convenience method:
    Code:
    @Secured({"ROLE_MANAGER","ACL_DOMAINOBJECT_DELETE"})
    boolean isDeletable() {
      // Always returns true: the annotation is never evaluated on the Hibernate-created object
      return true;
    }
    ... which intends, that the domain object knows itself about being deletable or not.

    I wrote a test case that sets up a user with insufficient authorities in the security context and expects an AccessDeniedException.
    The method always returns true and the exception is never thrown.
    I assume that the @Secured annotation is not interpreted by Spring.

    I did not find any example where ACLs are used with the @Secured annotation.

    Is it possible to use @Secured annotations for beans not created in the application context / created by Hibernate?

    Another solution would be to move that "isDeleteable" question into a service which is created by Spring's BeanFactory. The annotation should work there, or?

    Thanks for an answer. Ideas are very welcome!

  2. #2
    I have the same problem too. Did somebody find a solution?

  3. #3
    Quote Originally Posted by dart View Post
    I have the same problem too. Did somebody find a solution?
    Hey dart,

    my solution was the one I suggested above:
    to move that "isDeleteable" question into a service which is created by Spring's BeanFactory
    The service method takes the domain object in its signature and is annotated with @Secured. Spring's domain object security will look for a field "id" in that domain object and check the ACL for the required authorities and the current user. That's it.

  4. #4
    Thanks, memento!

    I found yet another solution! We can use @Secured in our interfaces. So we first need to create interfaces for our domain objects.

    Example:
    import org.springframework.security.annotation.Secured;

    class User implements Locatable {
        private Location location;

        public Location getLocation() {
            return location;
        }
    }

    interface Locatable {
        // Post-invocation ACL check on the returned Location
        @Secured({"AFTER_ACL_READ"})
        public Location getLocation();
    }
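Putting posts #3 and #4 together: an added example (not code from the thread) of the "service" approach, with @Secured on the service interface and the domain object passed as the argument the ACL voter inspects. The names IDomainObject, DomainObjectService and the bean wiring in the trailing comment are assumptions; ROLE_MANAGER and ACL_DOMAINOBJECT_DELETE come from the original post.

```java
import org.springframework.security.annotation.Secured;

// Hibernate-created entity. Spring AOP only proxies beans the container creates,
// which is why @Secured on the entity itself is never evaluated. All the ACL voter
// needs from the entity is getId(), used to build the ObjectIdentity.
interface IDomainObject {
    Long getId();
}

// Spring-managed service (assumed name). The annotation sits on the interface, so the
// proxy created by <global-method-security> sees it, as in post #4.
interface DomainObjectService {
    @Secured({"ROLE_MANAGER", "ACL_DOMAINOBJECT_DELETE"})
    boolean isDeletable(IDomainObject object);
}

class DomainObjectServiceImpl implements DomainObjectService {
    // For a caller without ROLE_MANAGER and without DELETE permission on the object's
    // ACL, the method interceptor throws AccessDeniedException before this body runs.
    public boolean isDeletable(IDomainObject object) {
        return true;
    }
}

/* Assumed wiring (Spring Security 2.0 XML namespace). RoleVoter handles ROLE_MANAGER;
   AclEntryVoter handles ACL_DOMAINOBJECT_DELETE by checking BasePermission.DELETE on
   the IDomainObject argument for the current user. AffirmativeBased grants if either votes yes.

<security:global-method-security secured-annotations="enabled"
                                 access-decision-manager-ref="methodDecisionManager"/>

<bean id="methodDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
  <property name="decisionVoters">
    <list>
      <bean class="org.springframework.security.vote.RoleVoter"/>
      <bean class="org.springframework.security.vote.AclEntryVoter">
        <constructor-arg ref="aclService"/>
        <constructor-arg value="ACL_DOMAINOBJECT_DELETE"/>
        <constructor-arg>
          <list>
            <util:constant static-field="org.springframework.security.acls.domain.BasePermission.DELETE"/>
          </list>
        </constructor-arg>
        <property name="processDomainObjectClass" value="IDomainObject"/>
      </bean>
    </list>
  </property>
</bean>
*/
```

The original test (a user with insufficient authorities expecting AccessDeniedException) passes against this service because the call goes through the proxy, which it never did for the Hibernate-instantiated entity.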
