Hi, I need to implement instance-level access control in my application using tapestry-security.
I already asked similar question here [1]. There Taha suggested to use AuthorityVoter, but that wasn't Tynamo's tapestry-security. I looked at Entity-Relationship Based Access Control [2]. This is not exactly what I need, because I don't even have DAO layer involved here. Here's what I have. I have business method in one of my services: @RequiresPermissions("task:submit") void submitTask(Task newTask); I read about ILAC on Shiro's web site [2]. This looks similar, but in my domain not every user may submit every task for execution. I have custom logic that should inspect instance of the newTask and decide whether current user has permissions to submit the task for execution or not. In Shiro's documentation [3] there's a note that tells that a developer may write its own implementation of AuthorizingRealm.isPermitted(*) to check permissions against custom domain model. I'm not sure about this in my case, though, because this note is given in 'Performance Considerations' section. One more thing that stops me from overriding AuthorizingRealm.isPermitted(*) is I don't have access to invocation context, i.e. I can't get instance of the newTask from example above: AuthorizingRealm realm = new AuthorizingRealm() { @Override public boolean isPermitted(PrincipalCollection principals, Permission permission) { // XXX ... can't access to newTask instance } I was thinking about fixing Tynamo's SecurityInterceptor advise, by putting MethodInvocation into Tapestry Environment service instance and getting this MethodInvocation from there in realm. Am I in the right direction? Any suggestions? [1] http://tapestry.1045711.n5.nabble.com/ANN-A-Tapestry5-Based-Security-Module-tp3322452p3338137.html [2] http://tynamo.org/tapestry-security-jpa+guide [3] http://shiro.apache.org/permissions.html#Permissions-InstanceLevelAccessControl [4] http://shiro.apache.org/permissions.html#Permissions-PerformanceConsiderations -- Dmitry Gusev AnjLab Team http://anjlab.com