
Thread: securing app, one step further

  1. #1
    Join Date
    Nov 2010
    Posts
    2

    securing app, one step further

    Hi all,
    I have just opened a ticket for a new feature (yet another one):
    https://jira.springsource.org/browse/ROO-1759

    This is one step further in securing an application, based on a very common task one always faces when securing an application: per-user CRUD access.
    More details are in the ticket, but in a nutshell, a user always owns a set of entity instances, and (C)(R)UD access should always be limited to the owner. The ticket proposes a way to "quickly" update the scaffold with Spring Security tags (<sec:...>).

    I think with this feature, Roo would be a full-stack technology for creating enterprise-like applications.

    What do you think?

  2. #2
    Join Date
    Dec 2007
    Location
    Stockholm, Sweden
    Posts
    190


    This seems doable but insecure.

    You are blocking the rendering of the delete link, but not the delete method.

    IMO this is already solved fully in Spring Security with ACL. We need to work on a comprehensive ROO-Security addon and not just add functionalities to the core which are corner cases.

    It's currently the 6th most popular issue for ROO; you may like to upvote it.

    https://jira.springframework.org/bro...arissues-panel
    Shahzada Hatim
    @geoaxis/twitter
    http://hatimonline.com

  3. #3
    Join Date
    Nov 2010
    Posts
    2


    Thanks Hatim,
    Well, your answer gives me the chance to detail the idea more:
    1- This is based on the spring-security addon (I voted up the ticket you mentioned) and is complementary to it.
    2- As for the security issue, it is not only about securing the jspx part (which will only remove the delete tags for non-authorized users). It is also on the Java part, adding a @Secured tag, a bit like in Grails, on the corresponding method.
    3- It is not solved with Spring Security ACL because this is one step further: matching your model (User has a many-to-many relationship with Bookmark) with security (only a User with a relationship with this bookmark can delete it).
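The point raised in posts #2 and #3 (hiding the delete link in the .jspx does not protect the delete method; the ownership rule has to be enforced on the Java side) as an added example, not code from the thread or from the Roo add-on. It assumes a Bookmark entity with a many-to-many getOwners() set of User, a hypothetical BookmarkRepository, and pre/post annotations enabled in the Spring Security config; @PreAuthorize is used instead of @Secured because @Secured only takes role names and cannot express "is the current user an owner of this instance".

```java
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
// Ownership rule as a plain Spring bean, referenced by name from the
// @PreAuthorize expression below. Bookmark, User and BookmarkRepository are
// assumed; only Bookmark.getOwners() and User.getUsername() are used.
@Component("bookmarkOwnership")
public class BookmarkOwnership {
    private final BookmarkRepository bookmarks; // hypothetical data access bean
    public BookmarkOwnership(BookmarkRepository bookmarks) {
        this.bookmarks = bookmarks;
    }
    // True only if the authenticated user is one of the bookmark's owners.
    public boolean isOwner(Long bookmarkId, Authentication auth) {
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        Bookmark bookmark = bookmarks.findOne(bookmarkId);
        if (bookmark == null) {
            return false; // unknown id: deny, same answer as "not the owner"
        }
        for (User owner : bookmark.getOwners()) {
            if (owner.getUsername().equals(auth.getName())) {
                return true;
            }
        }
        return false;
    }
}
@Controller
@RequestMapping("/bookmarks")
class BookmarkController {
    private final BookmarkRepository bookmarks;
    BookmarkController(BookmarkRepository bookmarks) {
        this.bookmarks = bookmarks;
    }
    // Removing the delete link from the .jspx only changes what is rendered;
    // the request can still be sent directly, so the method itself is guarded.
    @PreAuthorize("@bookmarkOwnership.isOwner(#id, authentication)")
    @RequestMapping(value = "/{id}", method = RequestMethod.DELETE)
    public String delete(@PathVariable("id") Long id) {
        bookmarks.delete(id);
        return "redirect:/bookmarks";
    }
}
```

The `@bookmarkOwnership` bean reference and the `#id` parameter name need `<global-method-security pre-post-annotations="enabled"/>` in the security XML and classes compiled with debug information, which Roo's default Maven build provides.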
