spring-hibernate service/dao security design query

I am trying to create various services, such as:

UserService
UserPermissionService
AddressBookService

Which would access DAOs such as:

UserDao
UserPermissionDao
AddressBookDao
CompanyDao

These will use the Spring-Hibernate stack and be packaged in a backend jar for multiple webapps. I want the service functionality to be available depending on the permission of the calling user object. Also, the Caller (user) object will have the permissions of the calling user.

Query: Should I pass Caller to each Service method call and then check its permission? Or is there a better way using 'Spring/AOP' and/or 'Factory Pattern' where the Caller object can be available to the Service methods?


One of the patterns for this case is to store a security token in a ThreadLocal and to require the corresponding privilege from that token as the first thing in a service method.

0
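The ThreadLocal pattern from the answer above, sketched as an added example that is not part of the original post or of Spring itself. `CallerContext`, `runAs`, `require`, the `Caller` record and the `ADDRESSBOOK_READ` permission name are hypothetical; the point is that the binding is cleared in `finally` and that a missing caller is treated as a denial.

```java
import java.util.Set;
import java.util.function.Supplier;

public class CallerContextDemo {
    // Hypothetical Caller type; the question only says it carries the user's permissions.
    record Caller(String name, Set<String> permissions) {}

    static final class CallerContext {
        private static final ThreadLocal<Caller> CURRENT = new ThreadLocal<>();

        // Bind the caller for one unit of work and always restore the previous state,
        // so a pooled thread never carries one request's identity into the next.
        static <T> T runAs(Caller caller, Supplier<T> work) {
            Caller previous = CURRENT.get();
            CURRENT.set(caller);
            try {
                return work.get();
            } finally {
                if (previous == null) CURRENT.remove(); else CURRENT.set(previous);
            }
        }

        // Fail closed: no bound caller, or a missing permission, is a denial.
        static void require(String permission) {
            Caller c = CURRENT.get();
            if (c == null || !c.permissions().contains(permission))
                throw new SecurityException("denied: " + permission);
        }
    }

    // The service signature carries no Caller parameter.
    static final class AddressBookService {
        String findEntry(long id) {
            CallerContext.require("ADDRESSBOOK_READ"); // first statement in the method
            return "entry-" + id;                      // the DAO call would go here
        }
    }

    public static void main(String[] args) {
        AddressBookService service = new AddressBookService();
        Caller alice = new Caller("alice", Set.of("ADDRESSBOOK_READ")); // constructed sample
        Caller bob = new Caller("bob", Set.of());                       // constructed sample
        System.out.println(CallerContext.runAs(alice, () -> service.findEntry(7)));
        for (Runnable r : new Runnable[] {
                () -> CallerContext.runAs(bob, () -> service.findEntry(7)), // lacks permission
                () -> service.findEntry(7) }) {                             // nothing bound
            try { r.run(); } catch (SecurityException e) { System.out.println(e.getMessage()); }
        }
    }
}
```

In a webapp the `runAs` call would sit in a servlet filter or interceptor wrapping the request, and work handed to another thread does not inherit the binding, so it must be rebound there explicitly.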
