Re: User-specific security restrictions
Monday, December 10, 2001 10:56 AM
Well, you assign security roles to groups and not users, and therefore you cannot do what you are doing directly in the way you are thinking. But you have to change your thinking. In order to do what you are trying to do, you should not access entity beans directly but through a session facade. I mean, you can access it directly, but I will give you a solution that works better if you have a session facade for the entity bean. Create a session bean whose purpose is to update user information. Have its create method take a Customer or User object as a parameter so that there is no way to create the session bean without the Customer or User object. That way, the session facade has a simple interface, getUserInformation() for instance, without passing any parameters, since internally the session bean knows who the user is (you passed it to the create() method). The interface would also contain something like updateUserInformation(UserDetails ud), and again the session bean takes care of which user's information is updated. With a scheme like this, a user can always update his/her own information and no one else's. So with a careful design you can accomplish your requirements.
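The facade described in the reply above, as an added example that is not part of the original post: plain Java stands in for the EJB container so the sketch runs on its own. The names `UserStore` and `UserSessionFacade` and the string user id are hypothetical, and the sketch assumes the identity handed to the constructor (the `create()` step) is the already authenticated caller.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not code from the thread. UserStore plays the role of
// the entity bean; UserSessionFacade plays the stateful session bean.
public class UserFacadeDemo {

    // Value object passed to and from the facade. It carries no user id,
    // so a caller has no field through which to name another user.
    static final class UserDetails {
        final String email;
        UserDetails(String email) { this.email = email; }
    }

    // Stand-in for the entity bean: keyed by user id, never handed to clients.
    static final class UserStore {
        private final Map<String, UserDetails> rows = new HashMap<>();
        UserDetails load(String userId) { return rows.get(userId); }
        void save(String userId, UserDetails d) { rows.put(userId, d); }
    }

    // The constructor corresponds to create(User): no instance exists without a user.
    static final class UserSessionFacade {
        private final String userId;   // fixed for the life of the session
        private final UserStore store;

        UserSessionFacade(String userId, UserStore store) {
            if (userId == null || userId.isEmpty()) {
                throw new IllegalArgumentException("user required");
            }
            this.userId = userId;
            this.store = store;
        }

        // Neither method takes a user parameter; both act on the bound user only.
        UserDetails getUserInformation() { return store.load(userId); }
        void updateUserInformation(UserDetails ud) { store.save(userId, ud); }
    }

    public static void main(String[] args) {
        UserStore store = new UserStore();
        store.save("alice", new UserDetails("alice@example.com")); // constructed sample data
        store.save("bob", new UserDetails("bob@example.com"));

        UserSessionFacade session = new UserSessionFacade("alice", store);
        session.updateUserInformation(new UserDetails("new@example.com"));

        System.out.println("alice: " + session.getUserInformation().email);
        System.out.println("bob:   " + store.load("bob").email);
    }
}
```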