spring-hibernate service/dao security design query
I am trying to create various services, such as:
UserService
UserPermissionService
AddressBookService
Which would access DAOs such as:
UserDao
UserPermissionDao
AddressBookDao
CompanyDao
These will use the Spring-Hibernate stack and be packaged in a backend jar for multiple webapps. I want the service functionality to be available depending on the permission of the calling user object. Also, the Caller (user) object will have the permissions of the calling user.
Query: Should I pass the Caller to each Service method call and then check its permission? Or is there a better way, using 'Spring/AOP' and/or the 'Factory Pattern', where the Caller object can be made available to the Service methods?
One of the patterns for this case is to store a security token in a ThreadLocal and to require the corresponding privilege from that token as the first thing in a service method.
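The ThreadLocal pattern from the answer above, as an added illustration (not code from the question or the answer): `Caller`, `CallerContext`, `UserService` and the `user:delete` privilege name are hypothetical. The binding is always cleared in `finally`, because on a pooled request thread a stale token would otherwise leak the previous caller's privileges into the next request.

```java
import java.util.Set;
import java.util.concurrent.Callable;

// Hypothetical types for illustration: Caller, CallerContext, UserService.
record Caller(Set<String> privileges) {}

final class CallerContext {
    private static final ThreadLocal<Caller> CURRENT = new ThreadLocal<>();

    // Bind the caller for one unit of work (e.g. from a servlet filter) and always
    // unbind it afterwards; pooled threads would otherwise reuse the old token.
    // Spring Security's SecurityContextHolder is built on the same ThreadLocal idea.
    static <T> T runAs(Caller caller, Callable<T> work) throws Exception {
        CURRENT.set(caller);
        try {
            return work.call();
        } finally {
            CURRENT.remove();
        }
    }

    // Fail closed: no bound caller means no privilege at all.
    static void require(String privilege) {
        Caller c = CURRENT.get();
        if (c == null || !c.privileges().contains(privilege))
            throw new SecurityException("missing privilege: " + privilege);
    }
}

class UserService {
    // First statement of every service method: demand the privilege it needs.
    String deleteUser(String userId) {
        CallerContext.require("user:delete");
        return "deleted " + userId; // a real method would now delegate to UserDao
    }
}

class Demo {
    public static void main(String[] args) throws Exception {
        UserService svc = new UserService();
        Caller admin = new Caller(Set.of("user:read", "user:delete"));
        Caller viewer = new Caller(Set.of("user:read"));
        System.out.println(CallerContext.runAs(admin, () -> svc.deleteUser("42")));
        try {
            CallerContext.runAs(viewer, () -> svc.deleteUser("42"));
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

With Spring, the `require` call can be moved into an AOP around-advice on the service layer so the check cannot be forgotten in an individual method.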