Originally posted by Dale Seng:
If the code above is in an EJB, the only way to change it would be for the person to be able to redeploy the bean.
Ok. Let's suppose I do it like that. Would you put the code above into an entity bean directly, or into a session facade instead? And what if the roles required to access the rows are not known in advance, but can be assigned dynamically after deployment (stored in a table, etc.)? How would you do it?
If you are worried about a normal user somehow getting poweruser status, you have an authentication problem. This is why in many environments, the developers don't manage their own roles (develpers become an 'end-user' when it comes to authentication).
Even if the developers don't manage their roles it does not solve the problem. During development he would simply delete those if-else lines. To return to the original problem my goal is to prevent the users from accessing the db, not the developers.
In one of our older application (a client-server type), we solved it by defining a view for the table. We removed all access privileges from the original table, but allowed everyone to access the view. Every user was connected to the database with his own user id. The view filtered out all unwanted rows from the original table by joining the table with a table containing permission information and with some DB session information (for example user id). This way even if someone could modify the data access code or write his own client sw, cannot see any of the unwanted rows, because it was forbidden in the database level. The problem with this approach in a J2EE environment is that a user does not himself connect to the database, but the connection is acquired from a connection pool. Is it possible to somehow "impersonate" a connection in J2EE?
Problem #2:
We've got another design problem related to the previous one. Our application displays customer information in the browser. For example it displays the account number of the customer. There are some VIP customers, whose account number must not be displayed if the current user is not a poweruser. Where would you do the filtering? In an entity bean, when customer info is retrieved, or in a
JSP where it is displayed, or somewhere between the middle? Whose responsibility is it?
[ June 24, 2004: Message edited by: Roger Adams ]