Hi,

I have a Java (service) interface and an implementation and I want to 
apply transactional (using Spring's @Transactional annotation) and 
security (using Acegi's @Secured annotation) aspects on it.
I'm pretty sure I can manage to use them in a separate setup/deployment 
(meaning: either transactional or secured), but both at the same time 
does not give me the desired result.

My setup:
- a Java interface for my service
- an implementation of that service interface
- I want it to be secure and transactional guarded.
I must be honest: I'm actually using a manually configured 
transactional proxy (using TransactionProxyFactoryBean) in combination 
with Acegi's @Secured annotation (using auto-proxying via 
DefaultAdvisorAutoProxyCreator and MethodDefinitionSourceAdvisor).
- the TransactionProxyFactoryBean is directly in front of my actual 
service implementation
- the @Secured stuff is annotated on some methods on the service interface.

public interface OrderService {

    @Secured({"ROLE_ORDERMANAGER"})
    public void deleteOrder(Order o);

    //...
}

public class StandardOrderService implements OrderService {

    OrderDAO orderDAO = ...

    public void deleteOrder(Order o) {
        // delegate to the DAO field declared above
        orderDAO.deleteOrder(o);
    }

}

//spring-config extraction:
    <bean id="orderService" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
        <property name="transactionManager">
            <ref bean="myTransactionManager"/>
        </property>
        <property name="target">
            <ref local="orderServiceNoTX"/>
        </property>
        <property name="transactionAttributes">
            <props>
                <prop key="delete*">PROPAGATION_REQUIRED</prop>
                <!-- etc -->
            </props>
        </property>
    </bean>  

    <bean id="orderServiceNoTX" class="org.myorg.order.StandardOrderService">
        <!-- stuff (like DAO config etc) -->
    </bean>
//spring-config extraction (END)


What happens:
(---> is 'target')
- my service implementation gets proxied, which is great:
    $proxy12 (tx-proxy) ----> actual service implementation
- since the 'tx-proxy' also implements (I guess) my OrderService, it 
gets secured-proxied, again 'great', that's what I like. But naturally 
my service implementation also implements my OrderService interface, so 
it gets secured-proxied as well. So, I end up with 2 security interceptions:
    $proxy13 (sec-proxy on tx-proxy) ---> $proxy12 (tx-proxy) ----> $proxy13 (second sec-proxy !) ---> actual service implementation


What I desire:
- the best possible setup, so that calls to the service implementation 
go through maximum 2 proxies, being: 1) the security front and 2) (once 
you're in) the transactional protection.
    (so, in fact
- I like to use the @Transactional approach, so both security and 
transactional behavior can be annotated.
- this seems like a common behaviour, so I guess someone else must have 
this need also.

Questions (and suggestions of my own, which I want to check with the 
community)
- use 'TransactionAttributeSourceAdvisor' instead of 
'TransactionProxyFactoryBean'.
- maybe I can chain up the advisors (TransactionAttributeSourceAdvisor 
and MethodDefinitionSourceAdvisor) and order them
- where's the best place to annotate my transactions: I guess that would 
be on my actual service implementation, but, on the other hand, it could 
as well be great to put it on the service interface, since this is the 
transactional behaviour for anyone who uses my interface-contract.
- where's the best place to annotate my security layer: I would say the 
service interface (for the same reason as with the transaction 
annotations).

So I'm really looking for some best practices in that area (but I do 
know that this can be very application specific, but nevertheless).

Thanks in advance!
-wil-
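
The double interception described in this post can be reproduced with plain JDK dynamic proxies. This is an added example, not code from the original post or from Spring or Acegi: the Secured annotation, the String-based OrderService, and the wrap, matches and autoProxy helpers are hypothetical stand-ins for the real classes.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class DoubleProxyDemo {
    // Hypothetical stand-ins for Acegi's @Secured and the post's OrderService.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface Secured { String[] value(); }

    interface OrderService {
        @Secured({"ROLE_ORDERMANAGER"}) void deleteOrder(String orderId);
    }

    static final List<String> trace = new ArrayList<>();

    // JDK dynamic proxy that records its label, then delegates to the target.
    static OrderService wrap(String label, OrderService target) {
        InvocationHandler h = (p, m, a) -> { trace.add(label); return m.invoke(target, a); };
        return (OrderService) Proxy.newProxyInstance(OrderService.class.getClassLoader(),
                new Class<?>[] {OrderService.class}, h);
    }

    // Mimics interface-based matching: any bean exposing a @Secured interface method is advised.
    static boolean matches(Object bean) {
        for (Class<?> itf : bean.getClass().getInterfaces())
            for (Method m : itf.getMethods())
                if (m.isAnnotationPresent(Secured.class)) return true;
        return false;
    }

    static OrderService autoProxy(OrderService bean) {
        return matches(bean) ? wrap("security", bean) : bean;
    }

    static List<String> call(OrderService s) {
        trace.clear();
        s.deleteOrder("constructed-order-1"); // constructed sample id
        return new ArrayList<>(trace);
    }

    public static void main(String[] args) {
        OrderService impl = id -> trace.add("impl");
        // Reported setup: the implementation bean and the tx proxy bean both match.
        OrderService reported = autoProxy(wrap("tx", autoProxy(impl)));
        // Desired setup: only the outer (tx proxy) bean is advised.
        OrderService desired = autoProxy(wrap("tx", impl));
        System.out.println("reported: " + call(reported));
        System.out.println("desired:  " + call(desired));
    }
}
```

Because the annotation lives on the interface, both the tx proxy and the implementation satisfy the match, so the reported chain records security, tx, security, impl while the desired chain records security, tx, impl.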

_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer