6 Replies Latest reply on Jun 4, 2007 11:53 AM by christian.bauer

Security: access control at entity level?

kingcu May 2, 2007 3:02 PM

After reading chapter 20 of the Seam book, it seems to me that Seam has built in security support for access control at the method level of session beans. I wonder if the @Restrict annotation can be put on entities to control access to certain entities.

Here is my situation: I have some business entities with various relationships between each other (one-to-one, one-to-many, etc) and through foreign keys or mapping tables, they are organized into a tree structure. I'd like to have the admin role to access all the tree entities, while other roles can only access a certain part of the tree. The accessible part of the tree should be defined dynamically, i.e., an admin user logs into a web UI and selects which part of the tree is accessible for each of the other roles.

Any suggestions/ideas on how this could be implemented with Seam? Thanks.

1. Re: Security: access control at entity level?

christian.bauer May 2, 2007 3:51 PM (in response to kingcu)

Entity security is covered in the reference documentation. Short answer: Yes, you can put @Restrict on entity callback methods.
Actions
2. Re: Security: access control at entity level?

christian.bauer May 2, 2007 3:52 PM (in response to kingcu)

And for your use case you need something else: dynamic Hibernate filters. I'm using a restrictedEntityManager that is configured with a dynamic filter in components.xml, checkout the examples/wiki/ source in Seam CVS.
Actions
3. Re: Security: access control at entity level?

a.simonov Jun 4, 2007 8:13 AM (in response to kingcu)

if for example want to define filter like this

@org.hibernate.annotations.FilterDef(
name = "accessLevelFilter2",
parameters = {@org.hibernate.annotations.ParamDef(name = "currentAccessLevel", type="integer")}
)
@org.hibernate.annotations.Filter(
name = "accessLevelFilter2",
condition = "(select level from registration where id=this.id)=:currentAccessLevel"
)

this should reference to the entity.I couldn't get it to work.. how this could be done?
Actions
4. Re: Security: access control at entity level?

christian.bauer Jun 4, 2007 8:29 AM (in response to kingcu)

I don't understand what you want.
Actions
5. Re: Security: access control at entity level?

a.simonov Jun 4, 2007 9:32 AM (in response to kingcu)
I have two to tables:

Table1 and Table2 . I have mapped them like this:

@Entity @Table(name = "Table1") class Table1{ int id; int level; @OneToMany List<Table2> items } @Entity @Table(name = "Table2") class Table2{ int id; }

I woud like to do a filter for Table2 entity which returns same result as this query returns:
select * from Table2 t2 where (select t1.level from Table1 t1 where t1.id=t2.id)= :accessLevel
Actions
6. Re: Security: access control at entity level?

christian.bauer Jun 4, 2007 11:53 AM (in response to kingcu)

This is not possible. The collection "items" will always be loaded through a join of some key columns (or static formula). You can't redefine the collection loading condition completely, only add to it.
Actions

Go to original post