Jason Carreira wrote:
...unless you really want to take the security exercise all the way,
i.e., secure each and every method via container-managed security using
annotations (ideally) to configure what roles/users can access what
methods, thereby taking the URI out of the equation entirely... if you
aren't in an allowed role, you can't execute the method, regardless of
what URI was used to request it.
Might not be a bad feature actually, but seems like a bit of overkill to
me :)
I do this now, with Acegi and Spring. Not so much on actions, but on the Services they call.
And that's where we tend to do it too, but by using container-managed
security to secure EJB methods instead. The problem I've always had
with it though is that I have to handle that in my Actions, or in the
facade anyway... what if an Action tries to call a method that the user
doesn't have access to? I'd expect to get an exception, which I have to
catch and handle in some graceful way (graceful as far as the user is
concerned). I'm thinking that maybe if this happened before the Action
was invoked, it might be possible to handle it a little more gracefully,
i.e., maybe I can declare some sort of "security exception" page to
redirect to. Obviously you could do this on your own, but it'd be nice
if the framework handled it since this strikes me as a framework-y kinda
thing :)
Let's not re-invent the wheel.
Yeah, but that's what I *do*! (http://javawebparts.sourceforge.net) ;) LOL
Frank
--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
AIM/Yahoo: fzammetti
MSN: [EMAIL PROTECTED]
Author of "Practical Ajax Projects With Java Technology"
(2006, Apress, ISBN 1-59059-695-1)
Java Web Parts - http://javawebparts.sourceforge.net
Supplying the wheel, so you don't have to reinvent it!
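
The pre-invocation role check discussed in the message above, as an added example that is not code from the thread or from Struts, Acegi, Spring or Java Web Parts. The `AllowedRoles` annotation, the `AccountAction` class, the `dispatch` method and the `securityException` result name are all hypothetical, and denying unannotated methods by default is a design choice of this example.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class PreInvocationRoleCheck {
    // Hypothetical annotation listing the roles allowed to run a method.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface AllowedRoles { String[] value(); }

    // Constructed sample action; class and method names are illustrative only.
    public static class AccountAction {
        @AllowedRoles({"admin"})
        public String delete() { return "success"; }

        @AllowedRoles({"admin", "user"})
        public String view() { return "success"; }

        public String unannotated() { return "success"; }
    }

    // Logical result a framework would map to the "security exception" page.
    static final String DENIED = "securityException";

    // Runs before the action method. The decision depends only on the target
    // method and the caller's roles, so the request URI plays no part in it.
    static String dispatch(Object action, String methodName, Set<String> userRoles)
            throws Exception {
        Method m = action.getClass().getMethod(methodName);
        AllowedRoles allowed = m.getAnnotation(AllowedRoles.class);
        // Deny by default: a missing annotation is treated as "no role allowed".
        if (allowed == null
                || Collections.disjoint(Arrays.asList(allowed.value()), userRoles)) {
            return DENIED; // the action method is never invoked
        }
        return (String) m.invoke(action);
    }

    public static void main(String[] args) throws Exception {
        AccountAction action = new AccountAction();
        Set<String> user = Set.of("user"); // constructed caller roles
        System.out.println("view as user:        " + dispatch(action, "view", user));
        System.out.println("delete as user:      " + dispatch(action, "delete", user));
        System.out.println("unannotated as user: " + dispatch(action, "unannotated", user));
        System.out.println("delete as admin:     " + dispatch(action, "delete", Set.of("admin")));
    }
}
```

Because the check returns a result name instead of throwing, the action and its facade need no try/catch for the denied case; service-layer checks of the kind mentioned in the thread would still sit behind it.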