3 Replies Latest reply on Jun 12, 2009 5:30 AM by yahawari

    Restrict on class rather than entity

    yahawari

      hi all,


      i hope that someone can help me in this.


      i need to apply @Restrict on an entity class like


      @Entity
      @Restrict 
      public class SimpleTask{ 
      ...
      } 
      



      i don't want to include any EL expr after restrict so that it will default the check to entity:action, where action is read, update, insert or delete  (as suggested by seam reference page 279, seam 2.1.1)  


      my problem is with entity part. i want to have a class wide restriction not entity/object specific restriction.


      to clarify, the code above results in seam trying to check a permission for SimpleTask:id as a target, not SimpleTask only.


      can someone help me please. i don't want to create a permission for each and every object of class SimpleTask.

        • 1. Re: Restrict on class rather than entity
          joblini

          Hi Yasser, any luck with this?  I am trying to do the same thing.

          • 2. Re: Restrict on class rather than entity
            joblini

            The best I have come up with so far is:


            @Restrict("#{s:hasPermission('Stakeholder','read')}")
            @PostLoad
            public void postLoad() {
                 System.out.println("Stakeholder.postLoad()");
            }



            Seams as though there must be a better way (no pun intended) ...

            • 3. Re: Restrict on class rather than entity
              yahawari

              hi Ingo,


              that was my best shot as well. i also added the following to the entity definition so that i can query which permissions apply to this class.


              @Permissions({
                   @Permission(action = "insert"),
                   @Permission(action = "delete"),
                   @Permission(action = "update"),
                   @Permission(action = "read")
                   })
              @Entity 
              public class SimpleTask { 
               ....
              }



              there is another way to do this if you decide to place your security checking code on a DAO class (like entityHome). you can annotate a function to have certain access to the class in general (SEAM GUIDE 15.6.6 - Typesafe Permission Annotations).


              for me i have followed the first method, which turns out to be VERY restricting as it is applied by the entityManager anytime it pulls this class's data (from anywhere).


              that led me to a new problem :).. my application responds to some of the user actions by doing some other operations which could possibly access a class that the user does not have the access rights to :(.


              now i had to create a system user which has a permission to do anything (thanks to drools):


              rule system_masterPermission
                no-loop
                activation-group "permissions"
              when
                check: PermissionCheck(granted == false)
                Role(name == "system")
              then
                check.grant();
              end
              



              and now i have to use RunAs to kick start any possibly restricted operation.


              i hope that someone could shed some light on how to do this in a cleaner way
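
Added example (not written by any poster in this thread, and not Seam's own code): with the rule-based resolver the thread already uses, one rule can cover every instance of an entity class, and the "system" role can be limited to named entity types and actions instead of granting every check. Assumptions: the entity checked by a bare @Restrict is inserted into the rule session as a fact, the package com.example.model and the role name "user" are hypothetical, and the rule names are made up here.

```drools
package Permissions;

import org.jboss.seam.security.permission.PermissionCheck;
import org.jboss.seam.security.Role;
// Hypothetical package: replace with the real package of the entity.
import com.example.model.SimpleTask;

// Class-wide read access: the pattern matches whichever SimpleTask instance
// was passed to the permission check, so no per-object (SimpleTask:id)
// permission has to be stored.
rule user_readAnySimpleTask
  no-loop
  activation-group "permissions"
when
  task: SimpleTask()
  check: PermissionCheck(target == task, action == "read", granted == false)
  Role(name == "user")
then
  check.grant();
end

// Narrower replacement for a catch-all system rule: the "system" role is
// granted only the entity type and action the follow-up operation needs.
// A check on any other class or action stays denied, even inside a RunAs block.
rule system_updateSimpleTask
  no-loop
  activation-group "permissions"
when
  task: SimpleTask()
  check: PermissionCheck(target == task, action == "update", granted == false)
  Role(name == "system")
then
  check.grant();
end
```

Adding one such rule per class/action pair that the background work touches keeps the RunAs role's reach enumerable in the rules file, rather than implicit in a rule that matches every PermissionCheck.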