My application has announcement functionality that allows certain users to publish announcements on the website. I plan on using the J2EE security roles to define the roles that are allowed to execute these methods - like postAnnouncement().
This is great and with EJBs I can do this all without any extra programming. But is there a good way to leverage the security model so that I can specify (in an xml file?) what roles can send what types of announcements?
For example, I may have a 'SALES ANNOUNCEMENTS' security role that I define as having permissions to send announcements only to sales people. I could hardcode my postAnnouncement() method to say:
if role == 'SALES ANNOUNCEMENTS' then send to 'SALES GROUP'.
Of course I want this to be a dynamic rules-based system, so I will have to create a db table to map this role to the groups it's allowed to send to.
Is there a slick way to use the J2EE security model to handle this instead? Beyond specifying what roles can call what methods, is there a pattern that goes further to define what data/constants can be used within that method?
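As an added illustration (example code, not from the question above or any particular project): the container-enforced part of the J2EE model, `@RolesAllowed`, stops at method granularity, so the role-to-target-group rule the question describes is enforced inside the bean with `SessionContext.isCallerInRole`. The bean name, role names, group names and the in-memory `ALLOWED_TARGETS` table below are assumptions standing in for the DB table or XML file the question mentions; the check is written deny-by-default so an unmapped role or group is refused.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical stateless session bean. The container enforces WHO may call
// postAnnouncement() via @RolesAllowed; which target groups a given role may
// address is a data-level rule the EJB security model does not express, so it
// is checked in code against a role -> allowed groups table.
@Stateless
public class AnnouncementBean {

    @Resource
    private SessionContext ctx;

    // Constructed role -> allowed target groups table (an assumption; in a real
    // deployment this is loaded from the DB table or XML file the question
    // describes). Role and group names are placeholders.
    static final Map<String, Set<String>> ALLOWED_TARGETS;
    static {
        Map<String, Set<String>> m = new HashMap<>();
        m.put("SALES ANNOUNCEMENTS", new HashSet<>(Arrays.asList("SALES GROUP")));
        m.put("HR ANNOUNCEMENTS", new HashSet<>(Arrays.asList("HR GROUP", "ALL STAFF")));
        ALLOWED_TARGETS = Collections.unmodifiableMap(m);
    }

    // Method-level authorization: only these roles may invoke the method at all.
    @RolesAllowed({"SALES ANNOUNCEMENTS", "HR ANNOUNCEMENTS"})
    public void postAnnouncement(String targetGroup, String text) {
        // Data-level authorization: the caller's roles must map to the requested group.
        if (!isTargetAllowed(targetGroup, ctx::isCallerInRole)) {
            throw new EJBAccessException("caller is not permitted to send to " + targetGroup);
        }
        deliver(targetGroup, text);
    }

    // Pure decision function, kept separate from the container API so it can be
    // unit-tested with a stubbed callerInRole predicate. Returns true only if at
    // least one role the caller holds is mapped to targetGroup; otherwise deny.
    static boolean isTargetAllowed(String targetGroup, Predicate<String> callerInRole) {
        if (targetGroup == null) {
            return false;
        }
        for (Map.Entry<String, Set<String>> entry : ALLOWED_TARGETS.entrySet()) {
            if (callerInRole.test(entry.getKey()) && entry.getValue().contains(targetGroup)) {
                return true;
            }
        }
        return false;
    }

    private void deliver(String targetGroup, String text) {
        // Placeholder for the actual delivery mechanism (mail, message queue, etc.).
    }
}
```

Because `isTargetAllowed` takes the role check as a predicate, a test can call it with a stub such as `role -> role.equals("SALES ANNOUNCEMENTS")` and confirm that "SALES GROUP" is accepted while "HR GROUP" and unknown groups are refused, without deploying the bean. Every role name used with `isCallerInRole` must also be declared for the bean (with `@DeclareRoles` or in the deployment descriptor) so the container maps it correctly.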