I am trying to implement a new design to my web-app. I have a lot beans with business methods and facades beans in front of them.
However, adding security made things a little hairy because I have to add security properties to each method. For example, let's say my app has 2 roles - a super user and a regular user.
As a super user you can use all the methods but when acting as a regular user I have to mark all the methods as callable by the operator.
Basically that means that if a regular user wants to find something I have to :
1. put a permission on the facade bean .create()
2. put a permission on the facade bean .findXXX()
3. put a permission on the facade bean .helperMethod()s
3. put a permission on the entity bean .findXXX()
4. put a permission on the entity bean .helperMethod()s
This is the typical <use-caller-identity />.
One approach is to have internal roles so that the bean can access all the entity bean methods and so on, but the user cannot access the facade beans only with authorization.
This makes the facadebean all powerful - and this is the things that gives me the creeps.
The security is propagating in the application and may get out of the control.
Any ideas on this subject?