It's not a secret anymore!
The moose likes OO, Patterns, UML and Refactoring and the fly likes Resrouces needed for a data filter pattern or Framework Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of Head First Android this week in the Android forum!
JavaRanch » Java Forums » Engineering » OO, Patterns, UML and Refactoring
Bookmark "Resrouces needed for a data filter pattern or Framework" Watch "Resrouces needed for a data filter pattern or Framework" New topic

Resrouces needed for a data filter pattern or Framework

John Bateman
Ranch Hand

Joined: Mar 09, 2000
Posts: 320
I'm building an enterprise enabled (EJB etc) solution for my company. (Well my team is.. )
The problem we have now is that 'security' constraints have blown way out of proportion to initial documents.
Initially using the application server's built in security was sufficient. I.E. If this role then execute this method. If you had the proper role to get a list of clients for your division you would be able to see all the clients returned, and, edit them all you wanted. (Kind of like the honour system).
Now we need to be more selective. If you, as a user, creates a client only the users in your division can see them. Also only you or someone higher than you in the 'roles hierarchy' can modify or delete this client. Additionally anyone lower then your on the role hierarchy could have SOME of the information with this client hidden.
In effect I'm filtering the data already returned by the DB/app server.
Now I've analysed some methods of using bitmasks and performing logical operations, but I think my experience is falling a bit short on a real robust solution, even though I do have one. (Too lengthly to post here).
What I was wondering is if anyone has built or bought a 'security' or filtering tool to handle just these kinds of scenarios.
Thank you for your help in advance.

SOURCE CODE should be SURROUNDED by "code" tags.
Ulrich Winter

Joined: Feb 19, 2002
Posts: 6
There'S a commercial product I've heard about: NGS BeanGuard. (
But I did't try it yet.
Bill Siggelkow
Ranch Hand

Joined: Jun 27, 2001
Posts: 57
I have built such a permissions framework in the past. Our requirements were very detailed and expected a lot out of the framework. In general, what we ended up with worked, however, it's complexity and administrative requirements proved to be the framework's achilles heel.
Basically, I would be careful about trying to build a generic security system ... I think you will find that in most cases you want something relatively simple to handle the obvious security constraints -- then let the application code doll out the specific business-driven security constraints.
Using a bit mask-type approach is a good idea ... this is essentially analogous to the Unix security approach ... also, you may want to look into JAAS (Java Authentication and Authorization Service) ... finally, try and find out exactly what your user's are looking for ... help them understand the difference between security and data accessibility.
I have found that in many cases, a role-based security mechanism provides the most flexibility.

Bill Siggelkow
Jade Cove Solutions
Meera Chandrasekaran

Joined: Jan 08, 2002
Posts: 10
Hi John,
My team had built something like what you are looking for 3 yr ago. We did not have support from application servers then and hence had to do things from scratch.
we stored all kinds of combinations of permissions in terms of rules and stored it in db.
(may be XML now) and then built a rule engine.
(implementation was a tree based algorithm)
Any display on the browser, whether it is a field based access control,or an operation (update/edit/delete) or showing/not showing a functionality itself - had to depend on this rule engine, ie, if and only if rule engine returns true for hasPermission(...), will a particular element come up on the screen.
Also, I have worked with security in the context of application servers at the moment. But I am not sure whether this level of customization is available with the application server based security framework
I agree. Here's the link:
subject: Resrouces needed for a data filter pattern or Framework
It's not a secret anymore!