Ok, now it's definitively clear. First, every interceptor knows exactly which action is invoked through action invocation. With that said, your action could implement (1) your custom interface or (2) a generic Request Aware interface in order to retrieve request parameters.

Does this answer your question?

Maurizio Cucchiara

On 14 Dec 2010, 03.27, "JOSE L MARTINEZ-AVIAL" <jlm...@gmail.com> wrote:

Hi Maurizio, Li,

Thanks for your suggestion, but the problem with the approaches you suggested is that they link the security rules too much to the actions. We want to be as abstract as possible. For that, we have developed the following implementation:

We created some entities called SecurityResource which represent a set of possible user actions. For example, we can have a SecurityResource called SeeCustomer, that would be applied to any request related with seeing a customer, or a SecurityResource called ModifyOwnProfile, used to filter any action related to the modification of the profile. Every Action (unless it is public) in the system is associated to a resource.

We have also defined some entities called SecurityAssert. A SecurityAssert is a rule that checks some conditions, and returns true or false. They are implemented through classes that implement a specific interface. For each SecurityResource we have a list of SecurityAsserts that need to be validated.

So our security definition looks as follows:

    <security-assert-definition name="SecurityAssertHasRole" class="com.test.rules.SecurityAssertHasRole">
        <description>Regla de seguridad para comprobar si un usuario tiene un rol</description>
    </security-assert-definition>
    <security-assert-definition name="SecurityAssertDistributionList" class="com.test.rules.SecurityAssertDistributionList">
        <description>Regla de seguridad para comprobar si un usuario puede acceder a las listas de distribucion</description>
    </security-assert-definition>
    <security-resource name="Eco">
        <security-assert-ref name="SecurityAssertHasRole" character="mandatory">
            <parameter name="allowedRoles">
                <value>Role1</value>
                <value>Role2</value>
                <value>Role3</value>
            </parameter>
        </security-assert-ref>
    </security-resource>

Some of the rules need information from the request (customer number, for example).
In an ideal world the interceptor should not know anything about the action it is trying to check. It should only invoke the rules, and check their results. So I (the interceptor) should be able to pass parameters from the request to the rule without actually having to know anything about the request or the rules.

Maybe the approach is complex, but we are planning to have some hundreds of actions, and be able to be as granular and modular as possible with respect to security.

Any ideas?

thanks

JL

2010/12/12 Li Ying <liying.cn.2...@gmail.com>

> I think you don't need this bothering job.
>
> You can:
>
> (1)Define some properties in your bas...
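
The design JL describes, sketched as an added example (not code from the thread or from Struts): the interceptor hands every rule the same read-only context, and each rule pulls the request parameter named in its own XML configuration. The `SecurityContext` and `AssertRef` types, the `check` signature, the `SecurityAssertParamInList` rule and the semantics of `character="mandatory"` used here are assumptions.

```java
import java.util.*;

public class SecurityCheckExample {
    // Hypothetical read-only view of the request, built once by the interceptor.
    record SecurityContext(Set<String> userRoles, Map<String, String[]> requestParams) {}
    // Assumed rule interface: config holds the <parameter> values from the XML.
    interface SecurityAssert {
        boolean check(SecurityContext ctx, Map<String, List<String>> config);
    }
    static class SecurityAssertHasRole implements SecurityAssert {
        public boolean check(SecurityContext ctx, Map<String, List<String>> config) {
            return config.getOrDefault("allowedRoles", List.of()).stream().anyMatch(ctx.userRoles()::contains);
        }
    }
    // Hypothetical rule: the XML names the request parameter, so only the rule reads it.
    static class SecurityAssertParamInList implements SecurityAssert {
        public boolean check(SecurityContext ctx, Map<String, List<String>> config) {
            List<String> names = config.getOrDefault("param", List.of());
            if (names.size() != 1) return false;                    // misconfigured rule: deny
            String[] values = ctx.requestParams().get(names.get(0));
            if (values == null || values.length != 1) return false; // missing or repeated: deny
            return config.getOrDefault("allowedValues", List.of()).contains(values[0]);
        }
    }
    // One <security-assert-ref>: rule instance, character="mandatory" flag, parameters.
    record AssertRef(SecurityAssert rule, boolean mandatory, Map<String, List<String>> config) {}
    // Called by the interceptor with the resource name mapped to the current action.
    // Assumed semantics: a failed mandatory rule denies, and at least one rule must pass.
    static boolean isAllowed(Map<String, List<AssertRef>> resources, String resource, SecurityContext ctx) {
        boolean anyPassed = false;                                  // unknown resource: deny
        for (AssertRef ref : resources.getOrDefault(resource, List.of())) {
            boolean ok = ref.rule().check(ctx, ref.config());
            if (!ok && ref.mandatory()) return false;
            anyPassed |= ok;
        }
        return anyPassed;
    }
    public static void main(String[] args) {
        Map<String, List<AssertRef>> resources = Map.of("Eco", List.of(
            new AssertRef(new SecurityAssertHasRole(), true,
                Map.of("allowedRoles", List.of("Role1", "Role2", "Role3"))),
            new AssertRef(new SecurityAssertParamInList(), true,
                Map.of("param", List.of("customer"), "allowedValues", List.of("42")))));
        // Constructed sample requests: one well-formed, one repeating the parameter.
        var good = new SecurityContext(Set.of("Role2"), Map.of("customer", new String[] {"42"}));
        var twice = new SecurityContext(Set.of("Role2"), Map.of("customer", new String[] {"42", "7"}));
        for (var c : List.of(good, twice)) System.out.println(isAllowed(resources, "Eco", c));
        System.out.println(isAllowed(resources, "Other", good));
    }
}
```

Records need Java 16 or later. In a Struts 2 interceptor the context would be filled from the `ActionInvocation` before `isAllowed` is called.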