6 Replies Latest reply on Nov 13, 2007 7:29 AM by Pete Muir

    Serialization Exclusions

    Andrés Testi Newbie

      Hi people:

      In order to avoid declaring DTOs when I try to send my business beans to another context (for example, retrieving beans with Remote EJB or Web Remoting), and in order to check security constraints, I would like to exclude properties depending on the permissions of the logged-in user, mixing the way @WebRemote and @Restrict work. I would like to annotate my entities in the following way:

      import java.io.Serializable;
      import java.util.List;
      import org.jboss.seam.annotations.Name;

      @Name("person")
      public class Person implements Serializable {

          ....

          // @SerializeWhen is the annotation proposed in this post; it does not exist in Seam
          @SerializeWhen("#{s:hasPermission('manager')}")
          public List getFriends() { .... }

      }

      We can detect "Serialization Gateways", like an EJB remote call or a WebRemote call, and perform an implicit invocation of a "serializeWithRestrictions()" method to serialize only the permitted properties.

      Is there a way to perform a check like this in Seam?

      Thank You!

        • 1. Re: Serialization Exclusions
          Pete Muir Master

          Not OOTB, no. You can restrict what is sent to Seam remoting methods with annotations and on the remote interface for EJB3.

          • 2. Re: Serialization Exclusions
            Andrés Testi Newbie

            Suppose there are two groups developing a Seam application: a group in charge of Facelets templates and the other in charge of business logic (session beans and entities). Imagine I have an entity like the following:

            import javax.persistence.Entity;

            @Entity
            public class BankClient {

                public Long getAccountNumber() { ... }

            }

            "accountNumber" is a property only readable by users with the "manager" permission. Suppose a view-tier developer adds text like this to their template:

            <h:outputText value="#{bankClient.accountNumber}" />

            There is no way to check that the view developer doesn't include restricted properties in the template. The only way to check security constraints on data bean properties is to pass DTOs instead of entities to the view layer. A robust design is very hard without a way to restrict properties. The solution would be an annotation like this:

            // @RestrictProperty is the annotation proposed in this post; it does not exist in Seam
            @RestrictProperty("#{s:hasPermission('manager')}")
            public Long getAccountNumber() { ... }

            I hope to find an approach like this in a future Seam release.

            Best Regards.

            -- Andres Testi

            • 3. Re: Serialization Exclusions
              Pete Muir Master

              Err, this is what @Restrict does if you are using Seam components.

              • 4. Re: Serialization Exclusions
                Andrés Testi Newbie

                Pete, @Restrict acts only on @Name-marked components and is intended for life-cycle methods, not for serialization and properties. If I annotate a getter with @Restrict, the setter is not marked. And if I don't put a @Name annotation on an entity, it is not restricted.

                • 5. Re: Serialization Exclusions
                  Andrés Testi Newbie

                  Suppose I have a session bean working as a backing bean. I don't want to allow the Facelets template access to the property "accountNumber", but I want to allow my session bean to manage "accountNumber". @Restrict doesn't work in this way. If my action method in the backing session bean is like this:

                  public void updateBankClient() {
                      Long number = createAccountNumber();
                      bankClient.setAccountNumber(number);
                      em.merge(bankClient); // JPA's EntityManager has merge(), not update()
                  }

                  an exception will be raised if I work with @Restrict.
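The serialization gateway sketched in the first post, the @RestrictProperty getter annotation from reply 2 and the unrestricted-setter requirement from reply 5, worked through in plain Java as an added example (not code from the thread or from Seam). @RestrictProperty, PermissionChecker, BankClient and serializeWithRestrictions() are all hypothetical stand-ins: the annotation is enforced by reflection at the gateway rather than on the getter itself, s:hasPermission() is replaced by a PermissionChecker backed by a constructed permission set, and the setter stays unrestricted so a backing bean can still assign the value.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class RestrictedSerializerDemo {

    /** Hypothetical stand-in for the @RestrictProperty / @SerializeWhen proposed in this thread; not part of Seam. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface RestrictProperty {
        /** Permission the caller must hold to read the annotated getter. */
        String value();
    }

    /** Stand-in for Seam's s:hasPermission(); a real application would consult the logged-in user's identity. */
    public interface PermissionChecker {
        boolean hasPermission(String permission);
    }

    /** Entity with one restricted getter. Plain Java, no JPA/Seam annotations, so the example runs on its own. */
    public static class BankClient {
        private final String name;
        private Long accountNumber;

        public BankClient(String name, Long accountNumber) {
            this.name = name;
            this.accountNumber = accountNumber;
        }

        public String getName() { return name; }

        @RestrictProperty("manager")
        public Long getAccountNumber() { return accountNumber; }

        /** Deliberately unrestricted: business logic in a backing bean may still assign the value. */
        public void setAccountNumber(Long accountNumber) { this.accountNumber = accountNumber; }
    }

    /**
     * The "serialization gateway": reflect over the bean's public getters and copy only the
     * properties the caller may read into a map that plays the role of an ad-hoc DTO.
     * Restricted properties are omitted rather than nulled, so the receiving tier cannot
     * even tell that they exist (fail closed).
     */
    public static Map<String, Object> serializeWithRestrictions(Object bean, PermissionChecker checker) {
        Map<String, Object> view = new LinkedHashMap<>();
        for (Method m : bean.getClass().getMethods()) {
            String property = propertyNameOf(m);
            if (property == null) {
                continue;
            }
            RestrictProperty restriction = m.getAnnotation(RestrictProperty.class);
            if (restriction != null && !checker.hasPermission(restriction.value())) {
                continue;
            }
            try {
                view.put(property, m.invoke(bean));
            } catch (ReflectiveOperationException e) {
                throw new IllegalStateException("cannot read property " + property, e);
            }
        }
        return view;
    }

    /** JavaBean getter rules: getX() or boolean isX(), no parameters, excluding Object.getClass(). */
    private static String propertyNameOf(Method m) {
        if (m.getParameterCount() != 0 || m.getDeclaringClass() == Object.class) {
            return null;
        }
        String n = m.getName();
        int prefix = 0;
        if (n.startsWith("get")) {
            prefix = 3;
        } else if (n.startsWith("is") && m.getReturnType() == boolean.class) {
            prefix = 2;
        }
        if (prefix == 0 || n.length() == prefix) {
            return null;
        }
        return Character.toLowerCase(n.charAt(prefix)) + n.substring(prefix + 1);
    }

    public static void main(String[] args) {
        BankClient client = new BankClient("Alice", 123456L); // constructed sample data
        Set<String> managerPermissions = Set.of("manager");   // constructed: holds the "manager" permission
        Set<String> clerkPermissions = Set.of();               // constructed: no permissions

        System.out.println("manager sees: " + serializeWithRestrictions(client, managerPermissions::contains));
        System.out.println("clerk sees:   " + serializeWithRestrictions(client, clerkPermissions::contains));
    }
}
```

Compile with javac and run java RestrictedSerializerDemo (Java 9 or later for Set.of). Because getMethods() does not guarantee an order, the key order in the printed maps may vary; what is fixed is that accountNumber appears only in the manager's view and is absent, not null, in the clerk's. Enforcing the check at the gateway rather than on the getter is what lets the backing bean call setAccountNumber() without tripping the restriction, which is the case a @Restrict on the getter could not cover.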

                  • 6. Re: Serialization Exclusions
                    Pete Muir Master

                    Raise a feature request and see what Shane says.