-
1. Re: Serialization Exclusions
pmuir Nov 8, 2007 4:33 PM (in response to andres.testi)
Not ootb, no. You can restrict what is sent to Seam remoting methods with annotations and on the remote interface for EJB3.
-
2. Re: Serialization Exclusions
andres.testi Nov 12, 2007 8:46 PM (in response to andres.testi)
Suppose there are two groups developing a Seam application: one group in charge of Facelets templates and the other in charge of business logic (session beans and entities). Imagine I have an entity like the following:
@Entity
class BankClient {
    public Long getAccountNumber() {...}
}
"accountNumber" is a property only readable by users with the "manager" permission. Suppose a view tier developer adds a text like this in their template:
<h:outputText value="#{bankClient.accountNumber}" />
There is no way to check that the view developer doesn't include restricted properties in the template. The only way to check security constraints on data bean properties is to pass DTOs instead of entities to the view layer. A robust design is very hard without a way to restrict properties. The solution would be an annotation like this:
@RestrictProperty("#{s:hasPermission('manager')}")
public Long getAccountNumber() {...}
I hope to find an approach like this in a future Seam release.
Best Regards.
-- Andres Testi
-
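The DTO approach mentioned in the post above, driven by an annotation like the one it proposes, as an added example (not code from the thread or from Seam): `RestrictProperty`, `toView` and the permission strings are hypothetical, and a plain set of permission names stands in for `s:hasPermission`. The view layer receives only the filtered map, so a template cannot reach a getter the current user lacks permission for.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class PropertyFilterDemo {
    // Hypothetical annotation modelled on the one proposed in the post; not a Seam API.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface RestrictProperty { String value(); } // name of the required permission

    // Constructed sample entity with one open and one restricted property.
    public static class BankClient {
        public String getName() { return "Alice Example"; }
        @RestrictProperty("manager")
        public Long getAccountNumber() { return 1234567890L; }
    }

    // Copies readable properties into a map for the view layer. A getter that
    // carries @RestrictProperty is skipped unless the caller holds the named
    // permission, so the restricted value never leaves the business tier.
    static Map<String, Object> toView(Object bean, Set<String> permissions) throws Exception {
        Map<String, Object> view = new TreeMap<>();
        for (Method m : bean.getClass().getMethods()) {
            String n = m.getName();
            boolean isGetter = n.startsWith("get") && n.length() > 3
                    && m.getParameterCount() == 0
                    && m.getDeclaringClass() != Object.class; // skips getClass()
            if (!isGetter) continue;
            RestrictProperty r = m.getAnnotation(RestrictProperty.class);
            if (r != null && !permissions.contains(r.value())) continue; // deny by default
            String prop = Character.toLowerCase(n.charAt(3)) + n.substring(4);
            view.put(prop, m.invoke(bean));
        }
        return view;
    }

    public static void main(String[] args) throws Exception {
        BankClient client = new BankClient();
        // The session bean still uses the entity directly; only the view sees the map.
        System.out.println("teller : " + toView(client, Set.of("teller")));
        System.out.println("manager: " + toView(client, Set.of("manager")));
    }
}
```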
3. Re: Serialization Exclusions
pmuir Nov 13, 2007 6:25 AM (in response to andres.testi)
Err, this is what @Restrict does if you are using Seam components.
-
4. Re: Serialization Exclusions
andres.testi Nov 13, 2007 6:56 AM (in response to andres.testi)
Pete, @Restrict acts only on @Name-marked components and is intended for life-cycle methods, not for serialization and properties. If I annotate a getter with @Restrict, the setter is not marked. And if I don't put an @Name annotation on an entity, it is not restricted.
-
5. Re: Serialization Exclusions
andres.testi Nov 13, 2007 7:12 AM (in response to andres.testi)
Suppose I have a session bean working as a backing bean. I don't want to enable the Facelet template to access the property "accountNumber", but I want to enable my session bean to manage "accountNumber". @Restrict doesn't work in this way. If my action method in the backing session bean is like this:
void updateBankClient() {
    int number = createAccountNumber();
    bankClient.setAccountNumber(number);
    em.update(bankClient);
}
an exception will be raised if I work with @Restrict.
-
6. Re: Serialization Exclusions
pmuir Nov 13, 2007 7:29 AM (in response to andres.testi)
Raise a feature request and see what Shane says.