We couldn't find anything standard and went with Spring Security after 
looking at Shiro. In Shiro and the standard stuff it seems, at best, tough 
to do basic stuff like "administrators and owners can see a user's email 
address".

Our domain has a dozen roles and groups (with different membership role 
to those groups) so @PreAuthorize turned out not to be overkill.

It would be great to have something from JEE and ideally without an 
expression language.

On Saturday, July 27, 2013 2:43:18 PM UTC+1, Jens wrote:
>
> I am wondering if there is anything standards based a servlet container 
> can provide when I only have a static set of permissions and customers can 
> define their own roles by combining these permissions. I pretty much always 
> need something like @PermissionRequired instead of @RolesAllowed in my apps 
> because roles are not static. And in addition to method/class level 
> permissions which only regulate what a user can do in the app I also need 
> to authorize the data a user can see.
>
> My workflow is
> 1.) UI is built based on a user account's assigned roles and their 
> containing access permissions
> 2.) User account selects menu item (= access permission) in UI. 
> 3.) App figures out which of the assigned roles of the account contain the 
> access permission for the selected menu item.
> 4.) App figures out which data the user account can see based on the 
> active roles calculated in 3.) and filters the data accordingly before 
> sending it to the client UI. 
>
> To make 4.) possible a customer can assign "accessible data" to each role 
> of a given user account. So "accessible data" can vary between user 
> accounts for the same role.
>
> If I am not totally wrong I think JAAS can't help me here and I did not 
> find a lot of information about JASPI but maybe my googling is just bad in 
> this case. Currently the above is a custom implementation but I am 
> wondering if it's a "let's re-invent the wheel" thing.
>
> -- J.
>

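Steps 3 and 4 of the workflow quoted above, as an added plain-Java example that is not code from either poster: roles are customer-defined sets of static permissions, and the "accessible data" scope hangs on the account's role assignment, so only roles that actually contain the requested permission contribute scope. All class and field names are hypothetical, a region string stands in for "accessible data", and records require Java 16+.

```java
import java.util.*;
import java.util.stream.*;

// Added example; every name here is hypothetical. Requires Java 16+ (records).
public class PermissionScopeDemo {
    enum Permission { VIEW_ORDERS, EDIT_ORDERS, VIEW_USERS }   // static set shipped with the app

    // A customer-defined role is only a named combination of static permissions.
    record Role(String name, Set<Permission> permissions) {}

    // "Accessible data" belongs to the assignment, so it can differ
    // between accounts that hold the same role.
    record Assignment(Role role, Set<String> accessibleRegions) {}

    record Account(String login, List<Assignment> assignments) {}
    record Order(int id, String region) {}

    // Step 3: which of the account's assigned roles contain the requested permission?
    static List<Assignment> activeAssignments(Account a, Permission p) {
        return a.assignments().stream()
                .filter(as -> as.role().permissions().contains(p))
                .collect(Collectors.toList());
    }

    // Step 4: filter server-side using only the scopes of the active roles.
    // No active role yields an empty scope, so the result is empty (deny by default).
    static List<Order> visibleOrders(Account a, Permission p, List<Order> all) {
        Set<String> scope = activeAssignments(a, p).stream()
                .flatMap(as -> as.accessibleRegions().stream())
                .collect(Collectors.toSet());
        return all.stream().filter(o -> scope.contains(o.region())).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        Role clerk = new Role("clerk", EnumSet.of(Permission.VIEW_ORDERS));
        Role hr = new Role("hr", EnumSet.of(Permission.VIEW_USERS));
        // Constructed sample data: same "clerk" role, different data scope per account.
        // alice's "hr" scope covers US, but "hr" lacks VIEW_ORDERS and must not widen her order view.
        Account alice = new Account("alice", List.of(
                new Assignment(clerk, Set.of("EU")), new Assignment(hr, Set.of("EU", "US"))));
        Account bob = new Account("bob", List.of(new Assignment(clerk, Set.of("US"))));
        List<Order> orders = List.of(new Order(1, "EU"), new Order(2, "US"), new Order(3, "APAC"));

        System.out.println(visibleOrders(alice, Permission.VIEW_ORDERS, orders));
        System.out.println(visibleOrders(bob, Permission.VIEW_ORDERS, orders));
        System.out.println(visibleOrders(bob, Permission.EDIT_ORDERS, orders));
    }
}
```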