Hi, I have a java (service) interface and an implementation and i want to apply transactional (using Springs @Transactional annotation) and security (using Acegi's @Secured annotation) aspects on it. I pretty sure i can manage to use then in a separate setup/deployment (meaning: either transactional or secured), but both at the same time does not give me the desired result.
My setup: - an java interface for my service - an implementation of that service interface - i want it to be secure and transactional guarded. I must be honest: i'm actually using a manually configured transactionale proxy (using TransactionProxyFactoryBean) in combinatie with acegi's @Secured annotation (using auto-proxing via DefaultAdvisorAutoProxyCreator and MethodDefinitionSourceAdvisor). - the TransactionProxyFactoryBean is directly in front of my actual service implementation - the @Secured stuff is annotated on some methods on the service interface. public interface OrderService { @Secured({ROLE_ORDERMANAGER}) public void deleteOrder(Order o); //... } public class StandardOrderService implements OrderService { OrderDAO orderDAO = ... public void deleteOrder(Order o) { someOrderDAO.deleteOrder(o); } } //spring-config extraction: <bean id="orderService" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean"> <property name="transactionManager"> <ref bean="myTransactionManager"/> </property> <property name="target"> <ref local="orderServiceNoTX"/> </property> <property name="transactionAttributes"> <props> <prop key="delete*">PROPAGATION_REQUIRED</prop> <!-- etc --> </props> </property> </bean> <bean id="orderServiceNoTX" class="org.myorg.order.StandardOrderService"> // stuff (like DAO config etc) </bean> //spring-config extraction (END) What happens: (---> is 'target') - my service implementation gets proxied, which is great: $proxy12 (tx-proxy) ----> actual service implementation - since the 'tx-proxy' also implements (i guess) my OrderService, it gets secured-proxied, again 'great', that's what i like. But naturally my service implementation also implements my OrderService interface, so it gets secured-proxied as well. So, i end up with 2 security interceptions: $proxy13 (sec-proxy on tx-proxy) ---> $proxy12 (tx-proxy) ----> $proxy13 (second sec-proxy !) --->actual service implementation What i desire: - the best possible setup, so that calls to the service implementation go through maximum 2 proxies, being: 1) the security front and 2) (ones your in) the transactional protection. (so, in fact - i like to use the @Transactional approach, so but security and transactional behavior can be annotated. - this seems like a common behaviour, so i guess someone alse must have this need also. Questions (and suggestions of my own, which i want to check with the community) - use 'TransactionAttributeSourceAdvisor ' instead off 'TransactionProxyFactoryBean'. - maybe i can chain up the advisors (TransactionAttributeSourceAdvisor and MethodDefinitionSourceAdvisor) and order then - where's the best place to annotate my transactions: i guess that would be on my actual service implementation, but, on the other hand, it could as well be great to put it on the service interface, since this is the transactional behaviour for anyone who uses my interface-contract. - where's the best place to annotated my security layer: i would say the service interface (for the same reason as with the transactioin annotations). So i'm really looking for some best practices in that area (but i do that this can be very application specific, but nevertheless). thanks in advice ! -wil- ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer