Richard Kunze wrote:
> For example, take an accounting app with two roles: customers, who may read their own accounts, and managers, who may read all accounts. If you work on the service level, it's easy to restrict access to the showAllAccounts() method to role "manager". If you let the client access the database directly, on the other hand, you have to grant it read access to the accounts table for the showMyAccount() message - and this means that a potentially malicious client has full access to all accounts.
Sounds good! (Actually, it is more or less what I'm trying to do.) Do you have a good design pattern, or a way to model the access control to individual methods of services?

Reply to the post: http://galaxy.andromda.org/forum/viewtopic.php?p=1741#1741
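One common pattern for what is being asked, as an added example that is not from the original post, from Richard Kunze, or from AndroMDA itself: declare the required role per service method with an annotation and enforce it in an interceptor that sits in front of the service, so the database is only ever touched by the service code. The roles "customer" and "manager" and the methods showAllAccounts() and showMyAccount() come from the quoted text; the Caller type, the Account type, the RolesAllowed annotation (a local stand-in for the container-provided declarative check), the in-memory "accounts table" and the names alice, bob and carol are assumptions made for the example. It is plain Java with a java.lang.reflect.Proxy interceptor, so it runs without any container.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

// Added example (not from the original post or AndroMDA): service-level
// authorization. Each method declares the roles it needs; a proxy checks the
// caller's roles before the call reaches the service. Clients never see the
// accounts table, so a customer cannot enumerate other customers' rows.
public class AccountServiceDemo {

    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface RolesAllowed { String[] value(); }

    // Assumed caller context: authenticated principal name plus granted roles.
    static final class Caller {
        final String name;
        final Set<String> roles;
        Caller(String name, String... roles) {
            this.name = name;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }
    }

    static final class Account {
        final String owner;
        final long balanceCents;
        Account(String owner, long balanceCents) { this.owner = owner; this.balanceCents = balanceCents; }
        @Override public String toString() { return owner + ":" + balanceCents; }
    }

    interface AccountService {
        @RolesAllowed({"manager"})
        List<Account> showAllAccounts(Caller caller);

        @RolesAllowed({"customer", "manager"})
        Account showMyAccount(Caller caller);
    }

    // Constructed in-memory "accounts table"; only the service reads it.
    static final class AccountServiceImpl implements AccountService {
        private final Map<String, Account> table = new LinkedHashMap<>();
        AccountServiceImpl() {
            table.put("alice", new Account("alice", 12_000));
            table.put("bob", new Account("bob", 5_000));
        }
        @Override public List<Account> showAllAccounts(Caller caller) {
            return new ArrayList<>(table.values());
        }
        // Ownership is enforced inside the service: the row is looked up by the
        // authenticated caller's own identity, never by a client-supplied id.
        @Override public Account showMyAccount(Caller caller) {
            Account a = table.get(caller.name);
            if (a == null) throw new NoSuchElementException("no account for " + caller.name);
            return a;
        }
    }

    // Interceptor: reads @RolesAllowed from the interface method and denies the
    // call unless the caller holds at least one of the listed roles.
    static AccountService secured(AccountService target) {
        return (AccountService) Proxy.newProxyInstance(
            AccountService.class.getClassLoader(),
            new Class<?>[]{AccountService.class},
            (proxy, method, args) -> {
                RolesAllowed ra = method.getAnnotation(RolesAllowed.class);
                if (ra != null) {
                    Caller caller = (args != null && args.length > 0 && args[0] instanceof Caller)
                        ? (Caller) args[0] : null;
                    if (caller == null || Collections.disjoint(Arrays.asList(ra.value()), caller.roles)) {
                        throw new SecurityException("access denied to " + method.getName()
                            + ", requires one of " + Arrays.toString(ra.value()));
                    }
                }
                try {
                    return method.invoke(target, args);
                } catch (InvocationTargetException e) {
                    throw e.getCause();
                }
            });
    }

    public static void main(String[] args) {
        AccountService svc = secured(new AccountServiceImpl());
        Caller alice = new Caller("alice", "customer");
        Caller carol = new Caller("carol", "manager");

        System.out.println("alice sees: " + svc.showMyAccount(alice));
        System.out.println("carol sees: " + svc.showAllAccounts(carol));
        try {
            svc.showAllAccounts(alice);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The point of the pattern is that both checks live behind the service boundary: the role check is declarative and applied uniformly by the interceptor, and the ownership check in showMyAccount() derives the row key from the authenticated caller rather than from anything the client sends. In a container-managed setup the annotation and proxy are supplied by the container (for example, role annotations on EJB or Spring service methods), but the structure is the same.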