[jboss-user] [JBoss Seam] - Re: Serialization Exclusions
andres.testi
do-not-reply at jboss.com
Mon Nov 12 20:46:43 EST 2007
Suppose there are two groups developing a Seam application: one group in charge of Facelets templates and the other in charge of business logic (session beans and entities). Imagine I have an entity like the following:
@Entity
class BankClient{
public Long getAccountNumber(){...}
}
"accountNumber" is a property only readable by users with the "manager" permission. Suppose a view tier developer adds a text like this in their template:
<h:outputText value="#{bankClient.accountNumber}" />
There is no way to check that the view developer doesn't include restricted properties in the template. The only way to check security constraints on data bean properties is to pass DTOs instead of entities to the view layer. A robust design is very hard without a way to restrict properties. The solution would be an annotation like this:
@RestrictProperty("#{s:hasPermission('manager')}")
public Long getAccountNumber(){...}
I hope to find an approach like this in a future Seam release.
Best Regards.
-- Andres Testi
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4103922#4103922
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4103922