Java Reference
In-Depth Information
Using web tier security
Some applications can get away with only enforcing security in the presentation
tier. The
POJO
façade assumes that any security checks have been done by the pre-
sentation tier and does not do any itself. The presentation tier can use the security
mechanisms provided by the web container to control access to web pages based
on the user's identity or role. It can, for example, declaratively specify that a user
must be in a particular role to access a
URL
. Also, the presentation tier can call
HttpServletRequest
methods that return the identity of the user and test whether
the user is in a particular role.
Implementing security with Acegi Security
Although web tier-only security is adequate for some applications, many applica-
tions require security to be handled in the business tier. For example, an applica-
tion with more stringent security requirements might not be able to assume that
the presentation tier will do the right thing. Alternatively, it might have business
logic that does different things depending on the caller's identity. One way to
implement security with
POJO
business logic is to use Acegi Security, which pro-
vides security for Spring applications. We're only going to briefly describe a few of
the features of this comprehensive framework, so for more information see the
reference [Acegi].
Acegi Security provides the several options for storing the users and their
roles. You can configure it to use the security infrastructure provided by the
underlying web container or application. Alternatively, Acegi Security can main-
tain the user and role information itself—in a database, for example. One key
thing to remember is that Acegi Security has a very flexible architecture that
enables it to support a wide range of applications.
Acegi Security has an
AOP
-based mechanism that can be used to verify that the
caller has permission to invoke a
POJO
façade method. You can, for example, use
the
MethodSecurityInterceptor
class, which is a Spring
AOP
interceptor, to inter-
cept calls to a
POJO
and throw an exception if the caller is not authorized. You
configure
MethodSecurityInterceptor
as a Spring bean in almost the same way
you would configure a Spring
TransactionInterceptor
. As part of its definition in
the
XML
configuration file, you specify the roles that are allowed to invoke each
method. You would also use a Spring
AOP
proxy creator such as
BeanNameProxy-
Creator
to apply the
MethodSecurityInterceptor
to a particular
POJO
façade.
Acegi Security also has a
SecurityContextHolder
class, which defines static
methods for obtaining the caller's identity and roles. In the same way that an
EJB
can get information about the caller from the
EJBContext
,
POJO
business logic
Search WWH ::
Custom Search