
#2 Object Level Security

open
nobody
None
5
2009-04-27
2009-04-27
No

Hi,

I need to secure my WS with object level security: all users have to be authenticated by the web server (Tomcat). RestEasy easily checks if the role (e.g. user) exists for the user. But then I also need to check that the object Account is associated with the "logged on user". I have used something as follows. Does anyone have an idea of what would be the best way to implement this (maybe with interceptors)?

Thanks,

Assaf

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@GET
@Path("{id}")
@Produces("text/xml")
@RolesAllowed("user")
public Account getAccount(@Context SecurityContext security, @PathParam("id") int id) {

    // get the account object (the lookup itself is left unspecified here)
    Account account = xxxx;

    // now manually check whether the account belongs to this user
    if (!account.isAccessible(security)) {
        // it does not, so reject the request with 403 Forbidden
        throw new WebApplicationException(Response.Status.FORBIDDEN);
    }

    return account;
}
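One way to centralize the per-object check the post asks about, added here as an example rather than code from the post or from RESTEasy. `Owned`, `Ownership`, `Account` and `AccountDao` are hypothetical names; the check runs on the loaded instance inside the resource method, since a pre-process interceptor fires before the object has been looked up and so cannot see who owns it.

```java
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.*;
import javax.ws.rs.core.*;

/** Hypothetical: anything that belongs to exactly one user exposes its owner's name. */
interface Owned {
    String ownerName();
}

/** One reusable check for every resource method that hands out per-user objects. */
final class Ownership {
    static <T extends Owned> T requireOwnedBy(SecurityContext security, T object) {
        java.security.Principal p = security.getUserPrincipal();
        // A missing object and another user's object get the same 404,
        // so a caller cannot probe ids to learn which accounts exist.
        if (object == null || p == null || !p.getName().equals(object.ownerName())) {
            throw new WebApplicationException(Response.Status.NOT_FOUND);
        }
        return object;
    }
}

/** Hypothetical domain object and lookup; the post leaves both unspecified. */
class Account implements Owned {
    private final String owner;
    Account(String owner) { this.owner = owner; }
    public String ownerName() { return owner; }
}

interface AccountDao {
    Account find(int id);   // returns null when no such account exists
}

@Path("/accounts")
public class AccountResource {
    private final AccountDao dao;
    public AccountResource(AccountDao dao) { this.dao = dao; }

    @GET
    @Path("{id}")
    @Produces("text/xml")
    @RolesAllowed("user")   // coarse role check stays with the container and RESTEasy
    public Account getAccount(@Context SecurityContext security, @PathParam("id") int id) {
        // Fine-grained check on the loaded instance, before anything leaves the method.
        return Ownership.requireOwnedBy(security, dao.find(id));
    }
}
```

Putting the same call inside the data-access layer instead of each resource method means a new endpoint cannot forget it.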

Discussion