3 Replies Latest reply on Jun 12, 2009 5:30 AM by Yasser Hawari

    Restrict on class rather than entity

    Yasser Hawari Newbie

      hi all,


      i hope that someone can help me in this.


      i need to apply @Restrict on an entity class like


      @Entity
      @Restrict 
      public class SimpleTask{ 
      ...
      } 
      



      i don't want to include any EL expr after restrict so that it will default the check to entity:action, where action is read, update, insert or delete  (as suggested by seam reference page 279, seam 2.1.1)  


      my problem is with entity part. i want to have a class wide restriction not entity/object specific restriction.


      to clarify, the code above results in seam trying to check a premission for SimpleTask:id   as a target  no SimpleTask only.


      can someone help me please. i don't want to create a permission for each and every object of class SimpleTask.

        • 1. Re: Restrict on class rather than entity
          Ingo Jobling Master

          Hi Yasser, any luck with this?  I am trying to do the same thing.

          • 2. Re: Restrict on class rather than entity
            Ingo Jobling Master

            The best I have come up with so far is:


            @Restrict("#{s:hasPermission('Stakeholder','read')}")
            @PostLoad
            public void postLoad() {
                 System.out.println("Stakeholder.postLoad()");
            }



            Seams as though there must be a better way (no pun intended) ...

            • 3. Re: Restrict on class rather than entity
              Yasser Hawari Newbie

              hi Ingo,


              that was my best shot as well. i also added the following to the entity definition so that i can query which permissions apply to this class.


              @Permissions({
                   @Permission(action = "insert"),
                   @Permission(action = "delete"),
                   @Permission(action = "update"),
                   @Permission(action = "read")
                   })
              @Entity 
              public class SimpleTask { 
               .... 
              



              there is another way to do this if u decide to place ur security checking code on a DAO class (like entityHome). u can annotate a function to have certain access to the class in general (SEAM GUIDE 15.6.6 - Typesafe Permission Annotations). 


              for me i have followed the first method which turns to be VERY restricting as it is applied by the entityManager anytime it pulls this class's data (from anywhere). 


              that led me to a new problem :).. my application responds to some of the user actions by doing some other operations which could possible access a class that the user does not have the access rights to :(.


              now i had to create a system user which has a permission to do anything (thanks to drools):


              rule system_masterPermission
                no-loop
                activation-group "permissions"
              when
                check: PermissionCheck(granted == false)
                Role(name == "system")
              then
                check.grant();
              end
              



              and now i have to use RunAs to kick start any possibly restricted operation.


              i hope that someone could shed some light on how to do this in a cleaner way