Suppose there are two groups to develop a Seam application. A group in charge of Facelets
templates and the other in charge of business logic (session beans and entities). Imagine
I have an entity like the next:
@Entity
class BankClient{
public Long getAccountNumber(){...}
}
"accountNumber" is a property only readable by users with the
"manager" permission. Suppose a view tier developer adds a text like this in
their template:
<h:outputText value="#{bankClient.accountNumber}" />
There is no way to check the view developer doesn't includes restricted properties in
the template. The only way to check security constraints on data bean properties is to
passing DTOs instead of entities to view layer. A robust design is very hard without a way
to restrict properties. The solution would be an annotation like this:
@RestrictProperty("#{s:hasPermission('manager')}")
public Long getAccountNumber(){,,,}
I hope to find an approach like this in a future Seam release.
Best Regards.
-- Andres Testi
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4103922#...
Reply to the post :
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...