[ http://jira.andromda.org/browse/SPRING-97?page=comments#action_12037 ]

Kiran Keshav commented on SPRING-97:
------------------------------------

Hi Peter,

1) Acegi Security represents functionality that is independent of the object model, similar to transaction management and hibernate session management. As such, these do not appear in the model but are defined 'externally' as interceptors. Currently when running the mda task, both transaction management and hibernate session management functionality are achieved by generating the corresponding interceptors at the service level. The serviceTransactionInterceptor bean contains a list of all service methods, each of which will be intercepted by the interceptor upon method invocation.

Security follows a similar train of thought. It should not be embedded in the model itself because it is a cross-cutting concern, but should be "externalized". This externalization can be achieved via tagged values (in the same way that andromda offers the transaction tagged value @andromda.spring.transaction.type). The acegi security interceptor bean (serviceSecurityInterceptor) can use the same list of methods from the serviceTransactionInterceptor in the property "objectDefinitionSource". This yields:

    <bean id="serviceSecurityInterceptor"
          class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref bean="businessAccessDecisionManager"/></property>
        <property name="afterInvocationManager"><ref bean="afterInvocationManager"/></property>
        <property name="objectDefinitionSource">
            <value>
                foo.bar.FooBarService.saveFooBar=user, admin
                foo.bar.FooBarService.getAllFooBars=user, admin
                foo.bar.FooBarService.createFooBar=user, admin
                foo.bar.FooBarService.updateFooBar=user, admin
            </value>
        </property>
    </bean>

where user,admin is the default acegiAclType (this can be changed via the namespace parameter).

If, however, you wanted to use ACLs, you could set the tagged value @andromda.spring.acegi.acl.type=ACL_FOOBAR_EDIT (or any other value you want) on a method. For instance, if we set this on the method updateFooBar, we would have:

    <bean id="serviceSecurityInterceptor"
          class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref bean="businessAccessDecisionManager"/></property>
        <property name="afterInvocationManager"><ref bean="afterInvocationManager"/></property>
        <property name="objectDefinitionSource">
            <value>
                foo.bar.FooBarService.saveFooBar=user, admin
                foo.bar.FooBarService.getAllFooBars=user, admin
                foo.bar.FooBarService.createFooBar=user, admin
                foo.bar.FooBarService.updateFooBar=ACL_FOOBAR_EDIT
            </value>
        </property>
    </bean>

We could also set the @andromda.spring.domain.object to specify what target object we are looking at, as well as the @andromda.spring.acegi.voter.name to specify who decides on whether the user should have access to this domain object.

It makes sense that methods of a service should have security on them, so a default of role-based voting is applied to them. Finer grained control can then be added with the use of these tagged values.

2) Using the FieldRetrievingFactoryBean allows the user to get the integer values of static variables from the class as opposed to using integers in XML. This bean is described in "Java Development With Spring" Chapter 3, Advanced Container Concepts and is further discussed in the Acegi context on page 393.

Regards,
Kiran

> Create methods in the serviceSecurityInterceptor from objects with a "Service" stereotype and add a tagged value for the processConfigAttribute
> -----------------------------------------------------------------------------------------------------------------------------------------------
>
>          Key: SPRING-97
>          URL: http://jira.andromda.org/browse/SPRING-97
>      Project: Spring Cartridge
>         Type: New Feature
>     Versions: 3.1RC1
>     Reporter: Kiran Keshav
>     Assignee: Peter Friese
>  Attachments: SpringMetafacadeModel.xml.zip, patch.txt
>
> Add functionality to create all methods in the serviceSecurityInterceptor
> based on methods in a service (objects modelled with a "Service" stereotype).
> Add a tagged value to set the processConfigAttribute on each of these
> methods (ie. ACL_FOOBAR_EDIT). This tagged value will be part of the
> WebServiceOperation stereotype.
> eg.
> <bean id="serviceSecurityInterceptor"
>       class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
>     <property name="authenticationManager"><ref bean="authenticationManager"/></property>
>     <property name="accessDecisionManager"><ref local="businessAccessDecisionManager"/></property>
>     <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
>     <property name="objectDefinitionSource">
>         <value>
>             foo.bar.FooBarService.getAllFooBars=user, admin
>             foo.bar.FooBarService.updateFooBar=ACL_FOOBAR_EDIT
>             foo.bar.FooBarService.removeFooBar=ACL_FOOBAR_DELETE
>         </value>
>     </property>
> </bean>
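
An added example, not part of the message above and not AndroMDA or Acegi code: a small audit of a generated serviceSecurityInterceptor bean that parses the objectDefinitionSource entries and reports which service methods fall under the role default, which carry an ACL type, and which have no entry at all. The function names, the SERVICE_METHODS list and the rule that an attribute starting with ACL_ marks an ACL type are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the bean from the message, cut down to the audited property.
BEAN_XML = """
<bean id="serviceSecurityInterceptor"
      class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
  <property name="objectDefinitionSource"><value>
      foo.bar.FooBarService.saveFooBar=user, admin
      foo.bar.FooBarService.getAllFooBars=user, admin
      foo.bar.FooBarService.createFooBar=user, admin
      foo.bar.FooBarService.updateFooBar=ACL_FOOBAR_EDIT
  </value></property>
</bean>
"""

# Assumption: the methods the service exposes (removeFooBar is from the quoted issue).
SERVICE_METHODS = ["foo.bar.FooBarService." + name for name in (
    "saveFooBar", "getAllFooBars", "createFooBar", "updateFooBar", "removeFooBar")]

def parse_object_definition_source(bean_xml):
    """Return {fully.qualified.method: [config attributes]} for the bean."""
    root = ET.fromstring(bean_xml.strip())
    props = [p for p in root.iter("property")
             if p.get("name") == "objectDefinitionSource"]
    if not props:
        raise ValueError("bean has no objectDefinitionSource property")
    mapping = {}
    for line in (props[0].findtext("value") or "").splitlines():
        line = line.strip()
        if not line:
            continue
        method, sep, attrs = line.partition("=")
        if not sep:
            raise ValueError("entry without '=': " + line)
        mapping[method.strip()] = [a.strip() for a in attrs.split(",") if a.strip()]
    return mapping

def audit(bean_xml, service_methods):
    """Sort each service method into role, acl, empty or unmapped."""
    mapping = parse_object_definition_source(bean_xml)
    report = {"role": [], "acl": [], "empty": [], "unmapped": []}
    for method in service_methods:
        attrs = mapping.get(method)
        if attrs is None:
            report["unmapped"].append(method)   # no entry: nothing to enforce
        elif not attrs:
            report["empty"].append(method)      # entry present, no attributes
        elif any(a.startswith("ACL_") for a in attrs):
            report["acl"].append(method)
        else:
            report["role"].append(method)
    return report
```

Run against the generated applicationContext after each mda build, a non-empty "unmapped" or "empty" list is the result to fail the build on.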