Thread: What is the best way to add access control rules?

  1. #1
    Join Date
    Aug 2009
    Posts
    16

    I created a domain model with Roo and would like to add rules to filter data and restrict access depending on the actual user or his role.

    Here are some examples:

    Assume there are the entities Activity, User and Contact. An activity references users as guests and users as hosts. A user can have contacts.

    1. Now if a given user wants to create a new activity, the list of users for guests should be restricted to the user's contacts and the list of hosts should be restricted to the user and his contacts.

    2. Only show activities where the user is either a host or guest.

    3. Only allow a host to edit an activity.

    How can I implement that with Roo? Some kind of annotation would be great to restrict access. Any recommendation?

  2. #2
    Join Date
    Mar 2008
    Location
    Sydney, AU
    Posts
    974

    @revolred,

    You can use Spring Security to achieve these things. The new expression language support which is part of the Spring Security 3 milestone releases makes it even easier since you don't need to write custom filters and access decision voters. For a very similar sample application take a look at a blog post I published a few weeks back:
    http://stsmedia.net/spring-finance-p...3-integration/

    HTH

    -Stefan

  3. #3
    Join Date
    Aug 2009
    Posts
    16

    I read that post. But it must be a serious performance issue to work with postfilters on large databases. How can I restrict what is loaded as a collection in the first place?

  4. #4
    Join Date
    Mar 2008
    Location
    Sydney, AU
    Posts
    974

    Well, you can create a custom finder and secure that one.

    Since this would mostly depend on your specific application, it would make sense if you write custom JQL queries, which is of course the most effective way to control the data coming from the DB.

    -Stefan
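
A sketch of the "custom finder" approach from the reply above, covering rules 2 and 3 of the first post; this is an added example, not code from the thread or from Roo. It assumes `Activity` (with `id`, `hosts`, `guests`) and `User` (with `username`) entities, a hypothetical class name `SecuredActivityFinder`, and that Spring Security's pre/post annotations are enabled.

```java
import java.util.List;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Repository;
import org.springframework.transaction.annotation.Transactional;

// Assumed entities (not shown in the thread): Activity with collections
// "hosts" and "guests" of User; User with a unique "username".
@Repository
@Transactional(readOnly = true)
@PreAuthorize("isAuthenticated()")
public class SecuredActivityFinder {

    @PersistenceContext
    private EntityManager em;

    private static String currentUsername() {
        return SecurityContextHolder.getContext().getAuthentication().getName();
    }

    // Rule 2: the restriction is part of the query, so only the caller's
    // activities are read from the database and nothing is post-filtered.
    public List<Activity> findMyActivities() {
        return em.createQuery(
                "select distinct a from Activity a "
              + "left join a.hosts h left join a.guests g "
              + "where h.username = :name or g.username = :name", Activity.class)
            .setParameter("name", currentUsername())
            .getResultList();
    }

    // Rule 3: an activity is loaded for editing only if the caller is a host;
    // a missing row and a foreign row are rejected the same way.
    public Activity findForEdit(Long activityId) {
        List<Activity> hit = em.createQuery(
                "select a from Activity a join a.hosts h "
              + "where a.id = :id and h.username = :name", Activity.class)
            .setParameter("id", activityId)
            .setParameter("name", currentUsername())
            .getResultList();
        if (hit.isEmpty()) {
            throw new AccessDeniedException("Not a host of activity " + activityId);
        }
        return hit.get(0);
    }
}
```

The user name always comes from the security context, never from a request parameter, so a caller cannot ask for another user's activities.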

  5. #5
    Join Date
    Aug 2009
    Posts
    16

    Is there a sample application available somewhere where I can see both in action?
