Dominik,
Hmm, I wonder what kind of overhead that incurs. Of course, if you are
only checking it once per HTTP request, I don't suppose it would matter.
Sounds like it would be roughly equivalent to creating an exception (due
to the stack trace manipulation).
Andrew is doing something like this too. Maybe if they come out with new
versions of the Java security frameworks, they can standardize on this
sort of thing. :)
Regards,
Jeff Bischoff
Kenneth L Kurz & Associates, Inc.
[EMAIL PROTECTED] wrote:
Yes, that's correct, the JsfSecurityManager gets the stack trace, looks up
the calling method, retrieving the annotation, checking the access rights,
and throwing an exception if access is not allowed.
> @SecurityGuard(TypRoles.ADMIN)
> public AdminBean getAdminBean()
> {
>     JsfSecurityManager.getCurrentInstance().check();
> }
>
Like I said, we haven't moved to the new Java yet. But okay, so the
annotation is labeling that this method should only be run by admins,
and it's the SecurityManager that is responsible for looking at the
annotation and deciding whether to continue?
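
Added example, not part of the original thread and not the JsfSecurityManager code discussed in it: a minimal Java sketch of the mechanism described above, where a checker reads the stack trace, finds the calling method, reads its annotation and throws if the role is missing. The names RequiresRole, GuardChecker and currentRoles are hypothetical, and the user's roles are a constructed sample.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.Set;

public class GuardDemo {
    @Retention(RetentionPolicy.RUNTIME)   // must be RUNTIME or reflection cannot see it
    @Target(ElementType.METHOD)
    @interface RequiresRole { String value(); }   // hypothetical stand-in for the guard annotation

    static final class GuardChecker {             // hypothetical checker
        static void check(Set<String> userRoles) {
            // Frame 0 is check() itself, frame 1 is the method that called it.
            // Building the Throwable is the cost compared above to creating an exception.
            StackTraceElement caller = new Throwable().getStackTrace()[1];
            boolean guarded = false;
            try {
                // A stack frame carries only class and method name, not the signature,
                // so every overload with that name is inspected.
                for (Method m : Class.forName(caller.getClassName()).getDeclaredMethods()) {
                    RequiresRole r = m.getAnnotation(RequiresRole.class);
                    if (!m.getName().equals(caller.getMethodName()) || r == null) continue;
                    guarded = true;
                    if (!userRoles.contains(r.value()))
                        throw new SecurityException(caller.getMethodName() + " requires " + r.value());
                }
            } catch (ClassNotFoundException e) {
                throw new SecurityException("cannot resolve caller", e);
            }
            // Fail closed: check() called from a method with no annotation is treated as an error.
            if (!guarded) throw new SecurityException("no guard on " + caller.getMethodName());
        }
    }

    // Constructed sample user; a real application would read roles from the request or session.
    static Set<String> currentRoles = Set.of("USER");

    @RequiresRole("ADMIN")
    static String getAdminBean() {
        GuardChecker.check(currentRoles);
        return "admin bean";
    }

    public static void main(String[] args) {
        try { getAdminBean(); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        currentRoles = Set.of("USER", "ADMIN");
        System.out.println("allowed: " + getAdminBean());
    }
}
```

Because the lookup relies on the immediate caller's frame, any wrapper or proxy method sitting between the annotated method and check() changes which method is inspected, which is why the sketch refuses to proceed when it finds no annotation.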