Ever wished that there was a simple way for you to declare that each
user can only access his own profile, just as easily as you can
declare that only users with admin role can edit certain type of data?
Well too bad since such a thing has never existed so you've just
resorted to making programmatic checks and building the queries in
your service to enforce data instance security. Until now of course:
meet ERBAC (Entity-Relationship Based Access Control), the long lost
cousin of RBAC (Role Based Access Control)!
Would it not be great if you could write something like:
@Entity
@RequiresAssociation("owner")
public class Account {
@OneToOne
private User owner;
}
And be assured that EntityManager.merge() would fail even if somebody
manually replaced the entity id somewhere along the way? Wouldn't it
be equally cool if you could just do EntityManager.find(Account.class,
null) to fetch the right Account for the currently logged-in user? If
securing data instances have been causing gray hair for you before and
you happen to be using JPA, you should definitely checkout Tynamo's
latest module, tapestry-security-jpa
(http://tynamo.org/tapestry-security-jpa+guide).
On a related note, if you happen to live in SF Bay Area, I'll be
talking about ERBAC, federated accounts, tapestry-security and using
Shiro in modern Java web applications in an upcoming Shiro JUG meet-up
(http://www.meetup.com/Apache-Shiro-Meetup/events/66880732/) this
Wednesday, graciously sponsored by Stormpath, Inc.!
Enjoy,
Kalle and the rest of Tynamo team
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
