[jboss-user] [JBoss Seam] - Re: Feature request: Fine-grained entity security

gavin.king@jboss.com do-not-reply at jboss.com
Sun Mar 18 20:32:59 EDT 2007

You can definitely write a JPA interceptor which checks actual field values using equals() during an update operation. (In theory you should really use Type.isDirty() in Hibernate, but that's not portable.)

So you would require that the user annotate entity attributes with @Restrict, and imply a permission like (customer, name) from that. Then the interceptor would look at the fields annotated @Restrict and check the permission when the entity is updated.

The thing which makes me a bit skeptical of this stuff is that there would only be field-level permissions for update operations, not for read, create, delete. 

I suppose you could interpret a field-level permission during create as meaning that it gets checked if it is non-null.

But read would be *very* difficult to do.

Shane, I don't see how Hibernate Validator would help.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4029168#4029168

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4029168

More information about the jboss-user mailing list