Thomas Diesler resolved JBPM-411.
---------------------------------
Resolution: Out of Date
Interface for GraphSession, ContextSession and so on
----------------------------------------------------
Key: JBPM-411
URL: http://jira.jboss.com/jira/browse/JBPM-411
Project: JBoss jBPM
Issue Type: Feature Request
Components: Core Engine
Reporter: Thijs Terlouw
Assigned To: Tom Baeyens
Priority: Optional
Original Estimate: 1 hour
Remaining Estimate: 1 hour
I am introducing security into my web application by using the Proxy pattern. For this
purpose I made a "SecureJbpmSessionInterceptor extends JbpmSessionInterceptor
implements ContextInterceptor" that does basically the same as the
JbpmSessionInterceptor, but now provides security by wrapping the Sessions into a Proxy.
Example:
[SecureJbpmSessionInterceptor]
    IGraphSession graphSession = jbpmSession.getGraphSession();
    IGraphSession secureGraphSession = (IGraphSession)
        AuthorizationHandler.newInstance(graphSession);
    ThreadContext.put(taskMgmtSessionKey, secureTaskMgmtSession); // secure version
Where AuthorizationHandler implements InvocationHandler
The proxy pattern is very useful to provide Security I think, but it needs Interfaces to
the classes. That's why I introduced Interfaces:
public class GraphSession implements IGraphSession
public class TaskMgmtSession implements ITaskMgmtSession, Serializable
The IGraphSession and ITaskMgmtSession are automatically generated Interfaces (by the
IDE). Because of the usage of Interfaces, it is MUCH easier to extend. I would very much
like to emphasize that these classes should also implement an Interface. This allows me to
put all the security-checks (based on JAAS) into the AuthorizationHandler, and prevents
all the other code from becoming more complex. This is a bit like AOP, but only requires a
very simple change to the code:
Add some Interfaces in the jbpm.3\src\java.jbpm\org\jbpm\db and make sure that
org.jbpm.tc.db.JbpmSessionContext returns the Interfaces like this:
    public static IGraphSession getGraphSession() {
        return getGraphSession(GraphSession.class.getName());
    }
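
The proxy approach described in the issue above, as an added Java example that is not part of the original report or of jBPM: a java.lang.reflect.Proxy wraps a session behind its interface and an InvocationHandler checks authorization before delegating. The IGraphSession methods, the role map and the two-argument newInstance are assumptions for illustration; a plain set of role names stands in for the JAAS-based checks the reporter mentions.

```java
import java.lang.reflect.*;
import java.util.*;

public class SecureSessionDemo {
    // Simplified stand-in for the generated interface; method names are hypothetical.
    public interface IGraphSession {
        String findDefinition(String name);
        void deleteDefinition(String name);
    }
    static class GraphSession implements IGraphSession {
        public String findDefinition(String name) { return "definition:" + name; }
        public void deleteDefinition(String name) { System.out.println("deleted " + name); }
    }
    static class AuthorizationHandler implements InvocationHandler {
        // Role required per method (assumed policy); unlisted methods are denied.
        static final Map<String, String> REQUIRED_ROLE =
            Map.of("findDefinition", "user", "deleteDefinition", "admin");
        private final Object target;
        private final Set<String> callerRoles; // stand-in for roles taken from the JAAS Subject
        private AuthorizationHandler(Object t, Set<String> r) { target = t; callerRoles = r; }
        static Object newInstance(Object target, Set<String> callerRoles) {
            // The proxy implements every interface of the target, so callers only see interfaces.
            return Proxy.newProxyInstance(target.getClass().getClassLoader(),
                target.getClass().getInterfaces(),
                new AuthorizationHandler(target, callerRoles));
        }
        @Override
        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
            String role = REQUIRED_ROLE.get(method.getName());
            if (role == null || !callerRoles.contains(role)) {
                throw new SecurityException("access denied: " + method.getName());
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // rethrow the session's own exception, not the wrapper
            }
        }
    }
    public static void main(String[] args) {
        IGraphSession secure = (IGraphSession)
            AuthorizationHandler.newInstance(new GraphSession(), Set.of("user"));
        System.out.println(secure.findDefinition("order")); // caller holds "user"
        try {
            secure.deleteDefinition("order"); // requires "admin", which the caller lacks
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Because the handler denies any method missing from the map, calls such as toString() on the proxy are rejected too; a real policy would list the Object methods it wants to allow.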