Java Reference
In-Depth Information
• Spring Security does not intrude into the application code. In fact, it can be
applied without the application code having any knowledge about it.
• Authenticated users can access only a subset of the application resources based on
their roles.
Concerns
• You need to know about a lot of classes, interfaces, and above all configuration
items. This adds to the development and maintenance overhead.
Audit Interceptor
Problem
The auditing of business tier method invocation is a common requirement in most enter-
prise applications. This involves tracing the input arguments as well as the return values.
The audit trail information can be later utilized for analysis in the case of any security
lapses. Because this data may be needed for future reference, it is stored in a permanent
store such as a filesystem or database. The audit trailing feature is applied at the business
tier because it is the gateway to the business logic and can be accessed by a variety of
clients.
Since eInsure handled sensitive financial data, it too implemented an audit trail fea-
ture. This was used in the SLSBs. The audit trail API saved the method arguments and
returned results in the database. This was also inflexible and mixed the business logic
with the security concerns. This coupling led to frequent code changes as eInsure tried
to fit in a customer-specific audit trail requirement. The SLSB in the eInsure application
internally invoked multiple other session bean methods, each of which also used the
audit trail API. Since the audit data was saved in the database, it increased the transac-
tional overhead and degraded response time.
The eInsure audit trail API was hardly configurable. As a result, it was difficult to
switch on/off the audit trailing as and when required. It also did not allow the flexibility
to filter what was being logged. For example, in certain cases you may not be interested
to log only the values being passed to a method as arguments and not the value returned
by the method. Also, you may not want to log all the values in the returned object. The
eInsure audit trail also required that the incoming and outgoing objects must implement
the
toString
method. Though this is a good practice, it often clutters code with long lines
of calls to
StringBuffer.append
or those using
String
concatenation.
