On 7/7/10 7:04 AM, Amol Ghotankar wrote:
> Authorization will have two parts:
>
> 1. Decide which actions are allowed and which are not.
>
> Spring Security.
>
> 2. Decide how much data to access.
>
> Meaning, if I have a database which has 100 rows, then whether to show 100 or 10 or 50
> based on the role of the user and their authorization permissions.

There is no magic (that I'm aware of) here. My current solution is that just about every DAO request to load an object from the DB includes an optional argument of the user making the request, which allows the fetch logic to determine whether or not the data should be provided. Arguably that should be part of the service layer instead, since in its more complex forms it's more of a business logic question. The main reason I use the DAO layer is that I'm also recording access data at the same time I'm returning the requested info.

> CURSIVE TECHNOLOGIES EMAIL NOTICE
> The information contained in this email and any attachments is confidential
> and may be subject to copyright or other intellectual property protection.
> If you are not the intended recipient, you are not authorized to use or
> disclose this information, and we request that you notify us by reply mail
> or telephone and delete the original message from your mail system.

Including a notice like this on a request for help sent to a public, archived mailing list is obnoxious. JSYK, I've been seriously considering instituting a personal policy whereby I will never respond to such messages.

-Dale
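An illustration of the DAO pattern Dale describes (a fetch method that takes the requesting user, filters rows by that user, and records the access), added here as an example and not code from the thread or from Struts/Spring Security; the roles, table and filtering rules are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample table: each row belongs to a department.
ROWS = [
    {"id": 1, "dept": "sales", "amount": 120},
    {"id": 2, "dept": "sales", "amount": 900},
    {"id": 3, "dept": "eng", "amount": 300},
    {"id": 4, "dept": "eng", "amount": 2500},
    {"id": 5, "dept": "hr", "amount": 75},
]

@dataclass(frozen=True)
class User:
    name: str
    role: str   # hypothetical roles: "admin", "manager" or "staff"
    dept: str

class ReportDao:
    def __init__(self, rows, access_log):
        self._rows = rows
        self._log = access_log   # list of (event, user, detail) tuples

    def _visible(self, row, user):
        if user.role == "admin":
            return True
        if user.role == "manager":
            return row["dept"] == user.dept
        if user.role == "staff":   # staff see only small items in their own dept
            return row["dept"] == user.dept and row["amount"] < 500
        return False

    def find_all(self, user: Optional[User] = None):
        if user is None:          # no requester supplied: fail closed, not open
            self._log.append(("denied", None, "find_all"))
            return []
        rows = [r for r in self._rows if self._visible(r, user)]
        self._log.append(("read", user.name, len(rows)))
        return rows

    def find_by_id(self, row_id, user: Optional[User] = None):
        row = next((r for r in self._rows if r["id"] == row_id), None)
        if user is None or row is None or not self._visible(row, user):
            self._log.append(("denied", user.name if user else None, row_id))
            return None           # same answer for "missing" and "forbidden"
        self._log.append(("read", user.name, row_id))
        return row
```

Returning the same `None` for a missing row and a forbidden one keeps a caller from probing which ids exist, and the log captures every decision either way.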
