Reputation: 311
In a CRUD JSF application, owners have objects, like records.
I want owners to be able to view/edit/delete only objects created by themselves. One way to achieve this is to check in every method whether the object has been created by the logged-in user.
There can be many similar methods and objects, so I would like to use another, more elegant/automatic way instead of using
if (selectedObject.owner == loggedUser)
phrases in every method.
Is it possible, and if so, how?
Upvotes: 0
Views: 66
Reputation: 2121
You could use aspect-oriented programming for access protection.
I'd write an aspect to intercept all method calls to the access-restricted methods, apply the check in a before advice and throw an exception if it fails. Depending on the structure of the program, this is done either by looking for an explicit annotation or by using a rather generic pointcut.
This would move your if (obj.owner.equals(loggedUser))
to one central place, but of course you'd still need to take care not to include other users' items in lists etc.
"The" Java aspect implementation is AspectJ. It is also used and supported by the Spring framework, which you may already use anyway: http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/aop.html
Upvotes: 2
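A sketch of the centralized check described in the answer above, added here as an example and not taken from the answer or from AspectJ/Spring. It swaps AspectJ for a JDK dynamic proxy so that it runs on a plain JDK (17 or later assumed), with the invocation handler standing in for the before advice; `OwnerOnly`, `Owned`, `Rec`, `RecordService` and `LOGGED_USER` are hypothetical names.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;

public class OwnerCheckDemo {
    // Hypothetical marker for methods that only the object's owner may call.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface OwnerOnly {}

    interface Owned { String owner(); }
    record Rec(String owner, String text) implements Owned {}

    interface RecordService {
        @OwnerOnly void delete(Rec r);
        @OwnerOnly String view(Rec r);
    }
    static class RecordServiceImpl implements RecordService {
        public void delete(Rec r) { System.out.println("deleted " + r.text()); }
        public String view(Rec r) { return r.text(); }
    }

    // Stand-in for the logged-in user of the current session (constructed for the demo).
    static final ThreadLocal<String> LOGGED_USER = new ThreadLocal<>();

    // The one central check: runs before every @OwnerOnly method and rejects
    // any Owned argument that does not belong to the logged-in user.
    @SuppressWarnings("unchecked")
    static <T> T guard(T target, Class<T> iface) {
        InvocationHandler h = (proxy, method, args) -> {
            if (method.isAnnotationPresent(OwnerOnly.class) && args != null) {
                for (Object a : args) {
                    if (a instanceof Owned o && !o.owner().equals(LOGGED_USER.get()))
                        throw new SecurityException(LOGGED_USER.get() + " does not own this object");
                }
            }
            try { return method.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[]{iface}, h);
    }

    public static void main(String[] args) {
        RecordService svc = guard(new RecordServiceImpl(), RecordService.class);
        Rec r = new Rec("alice", "alice's note");   // constructed sample record
        LOGGED_USER.set("alice");
        System.out.println(svc.view(r));            // owner: call goes through
        LOGGED_USER.set("bob");
        try { svc.delete(r); }                      // not the owner: rejected before delete runs
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```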
Reputation: 485
If I were you I would show the component only if the user is authorized, by using
rendered="#{user.isOwner}"
You will use this as an attribute in your component.
Upvotes: 0