users@glassfish.java.net

Re: User problems

From: Stijn de Witt <StijnDeWitt_at_chello.nl>
Date: Wed, 5 May 2010 17:28:37 +0200

Personally for my project I am separating authorization logic and business logic by using a very small Account entity.

So I have an Account entity mapped to table 'accounts' with a username and a password and I have a Group entity mapped to table 'groups' with (as of yet) only a name. I then have a m-to-n mapping table 'memberships' with fields username (foreign key to accounts.username) and groupid (foreign key to groups.name), together forming the primary key.

This maps well onto the JDBCRealm implementation of Glassfish, enabling JAAS security to be easily used.

Then I create separate Entities for the people in the application. For example a Person entity mapped to table 'people' with an account column that's a foreign key to account.username.

This way you can implement authorization completely separate from your business logic. If you create default groups such as 'Customer', 'Staff', 'Boss' etc and map those to equally named roles in sun-web.xml then you can make a Staff member a Boss by just adding that Person to that Group.

This also gives you the advantage that you can use the standard Java API for determining whether controls on a page (for example a delete button) should be visible for the current user:

    if (request.isUserInRole("Boss")) {   // String argument: double quotes, not a char literal
        // render controls that only Bosses may use
    }

Hope this helps,

-Stijn
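The realm tables described above, written out as SQL DDL as an added example that is not part of the original message; table and column names follow the message, while the Derby-style column types, the sample rows and the convention of storing a password digest rather than clear text are assumptions.

```sql
-- Realm side: three small tables that JDBCRealm can be pointed at.
CREATE TABLE accounts (
    username VARCHAR(64)  NOT NULL,
    password VARCHAR(128) NOT NULL,   -- holds a digest, not the clear-text password (assumption)
    CONSTRAINT accounts_pk PRIMARY KEY (username)
);

CREATE TABLE groups (
    name VARCHAR(64) NOT NULL,
    CONSTRAINT groups_pk PRIMARY KEY (name)
);

-- m-to-n link; (username, groupid) together form the primary key,
-- so the same account cannot be added to the same group twice.
CREATE TABLE memberships (
    username VARCHAR(64) NOT NULL,
    groupid  VARCHAR(64) NOT NULL,
    CONSTRAINT memberships_pk PRIMARY KEY (username, groupid),
    CONSTRAINT memberships_user_fk  FOREIGN KEY (username) REFERENCES accounts (username),
    CONSTRAINT memberships_group_fk FOREIGN KEY (groupid)  REFERENCES groups (name)
);

-- Business side: a Person only points at an account, so business tables
-- never carry authorization data.
CREATE TABLE people (
    id      INTEGER      NOT NULL,
    name    VARCHAR(128) NOT NULL,
    account VARCHAR(64)  NOT NULL,
    CONSTRAINT people_pk PRIMARY KEY (id),
    CONSTRAINT people_account_fk FOREIGN KEY (account) REFERENCES accounts (username)
);

-- Default groups; each one is mapped to an equally named role in sun-web.xml.
INSERT INTO groups (name) VALUES ('Customer'), ('Staff'), ('Boss');

-- Constructed sample data: one staff account and the person behind it.
INSERT INTO accounts (username, password) VALUES ('alice', '<password-digest-placeholder>');
INSERT INTO people (id, name, account) VALUES (1, 'Alice Example', 'alice');
INSERT INTO memberships (username, groupid) VALUES ('alice', 'Staff');

-- Making a Staff member a Boss is one row in memberships; no business table changes.
INSERT INTO memberships (username, groupid) VALUES ('alice', 'Boss');

-- The lookup the realm performs to answer isUserInRole() for a logged-in user.
SELECT groupid FROM memberships WHERE username = 'alice';
```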

  ----- Original Message -----
  From: Eve Pokua
  To: ejb glassfish ; java persistglassfish glassfish ; glassfish users GFusers
  Sent: Wednesday, May 05, 2010 4:56 PM
  Subject: User problems


  Hello,
   
   I have JEE 5 application which has an entity class for staff, status and customer.
   
  The customer and staff class also contain similar fields such as address and telephone number.
  I separated the staff and customer entity b'cos I wanted to separate where they can have
  access. The status entity relates to the staff b'cos a member of staff is either a 'boss', 'manager'
  or a co-worker. This will help me manage which members of staff access where in the application.
   
  I have seen applications which only have User as the entity and 'address' for any User's address.
  So the User entity contains details of customers and staff. Then Realms is used to manage the
  Users as to what they can do within the system.
   
  The role of normalisation is not to repeat data so I know I am repeating data by having
  Staff and Customer with repeated fields such as address and phone no. Could
  somebody advise me on how to address this issue.
   
  Thanks
   
  eve

