Didn't want to hijack a thread, so...

On Thu, May 4, 2006 2:21 pm, Dave Newton said:
> Frank W. Zammetti wrote:
>> I.e., you want /showAccount.do accessible to the AccountManager and
>> Customer roles, but you only want /updateAccount.do accessible to the
>> AccountManager role? As I understand it, you would have something like
>> /accountResource.do, and dispatch to a particular method... how could I
>> secure one but not the other based on role?
>>
>
> Acegi, other, or hand-rolled method- (or object- or...) -based role
> processing. Before I knew about Acegi (or anything else, really :/) I
> handled things like that through base classes.

What if your corporate mandate (for better or worse) is J2EE security backed by LDAP? What if you simply are not allowed to include security mechanisms in your application? (Configuring groups isn't considered "in the application".)

Well, I can kind of answer my own question... of course we *are* allowed to see what group a user is in and act accordingly, so yes, I *could* code that sort of thing in a Dispatch-type Action. But then, (a) the benefit of externalized security decreases because it isn't quite so external any more, and (b) the request isn't getting stopped at the boundary, which is what we want; it's still getting into my application code to some degree.

Frank

--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
AIM: fzammetti
Yahoo: fzammetti
MSN: [EMAIL PROTECTED]
Java Web Parts - http://javawebparts.sourceforge.net
Supplying the wheel, so you don't have to reinvent it!
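For reference, this is what the "code it in a Dispatch-type Action" option Frank describes looks like in practice. It is an added example, not code from the thread, from Struts, or from Frank's or Dave's projects. It assumes Struts 1.2.x (whose DispatchAction exposes a protected dispatchMethod() hook), Java 5 or later, container-managed authentication already in force for the action's URL, a dispatch parameter named "method", and the role names AccountManager and Customer from the quoted message; all of those are assumptions, not facts from the page.

```java
// Added example: per-method role enforcement in a Struts 1.2.x DispatchAction.
// Assumptions (not from the thread): Struts 1.2.x, Java 5+, role names
// "AccountManager" and "Customer", dispatch parameter "method".
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.actions.DispatchAction;

public class AccountDispatchAction extends DispatchAction {

    // Dispatch method name -> roles allowed to invoke it. A method that is
    // not listed here has no allowed roles and is therefore denied ("fail closed").
    private static final Map<String, String[]> ROLES_BY_METHOD;
    static {
        Map<String, String[]> m = new HashMap<String, String[]>();
        m.put("show",   new String[] {"AccountManager", "Customer"});
        m.put("update", new String[] {"AccountManager"});
        ROLES_BY_METHOD = Collections.unmodifiableMap(m);
    }

    // Struts resolves the method name from the "method" request parameter
    // (the "parameter" attribute of the action mapping) and then calls
    // dispatchMethod(); overriding it lets us gate every dispatch in one place.
    @Override
    protected ActionForward dispatchMethod(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response, String name)
            throws Exception {
        if (!isAllowed(request, name)) {
            // Caveat: this decision is made inside the application, after the
            // request has crossed the container boundary. A web.xml
            // security-constraint only ever sees the URL (/accountResource.do),
            // never the "method" parameter, so it cannot make this distinction.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }
        return super.dispatchMethod(mapping, form, request, response, name);
    }

    // Pure role check, kept separate so it can be unit-tested with a mock request.
    // Relies on the container having authenticated the user: if no
    // security-constraint covers this URL, getRemoteUser() is null and
    // isUserInRole() is always false, so the request is denied rather than
    // silently allowed.
    static boolean isAllowed(HttpServletRequest request, String method) {
        String[] roles = ROLES_BY_METHOD.get(method);
        if (roles == null || request.getRemoteUser() == null) {
            return false;
        }
        for (String role : roles) {
            if (request.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }

    // Invoked for ?method=show (AccountManager or Customer).
    public ActionForward show(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) {
        return mapping.findForward("show");
    }

    // Invoked for ?method=update (AccountManager only).
    public ActionForward update(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) {
        return mapping.findForward("updated");
    }
}
```

Two things to keep in mind if you go this route. First, the container still has to force authentication on the dispatch URL, so web.xml needs a security-constraint on /accountResource.do whose auth-constraint lists every role that may reach any of the methods (here both AccountManager and Customer); the per-method narrowing then happens in the action. Second, isUserInRole() only understands role names the deployment descriptor declares (via security-role, or mapped through security-role-ref), so the LDAP group names have to be wired to those role names at deployment time, which is exactly the part of the setup Frank notes is still allowed "outside the application".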