Tuesday, June 22, 2010

On Insert Security Rule Implementation

As you know, ADF 11g allows you to secure read, update, and delete operations at the EO level. However, there is no default support for the insert operation. Typically, developers set Expression Language statements directly on the Web page to enable or disable one attribute or another. While this works, it is not good in terms of maintenance. Today I will describe another approach, where I override the isAttributeUpdateable() method on the EO to evaluate a security rule on insert. I believe this approach works better than Expression Language on the front end, because it secures the Model directly. This is especially good when you are using the same EOs in different forms: there is no need to implement the same security rule again.

Download the sample application - ProgrammaticSecurity.zip. This sample is enabled with ADF Security and contains two application roles:


I have defined a programmatic security rule inside the EO implementation class:


Inside the EO implementation class, I override the isAttributeUpdateable() method. The security rule is applied only to the SALARY attribute and only when the current row is in insert mode. If the current user is not granted the manager role, the SALARY attribute will be rendered as disabled:
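A sketch of such an override, added here as an illustration and not taken from the sample application. The class name `EmployeesImpl`, the package, the `SALARY` index value and the role name `manager` are assumptions; the generated EO class and the application's jazn-data.xml define the real ones.

```java
package model; // hypothetical package name

import oracle.adf.share.ADFContext;
import oracle.adf.share.security.SecurityContext;
import oracle.jbo.server.EntityImpl;

public class EmployeesImpl extends EntityImpl {
    // Assumed attribute index; the generated EO class defines the real value.
    public static final int SALARY = 7;

    // Assumed application role name.
    private static final String MANAGER_ROLE = "manager";

    /**
     * Deny updates to SALARY while the row is being inserted, unless the
     * current user holds the manager role. Every other case falls through
     * to the default behaviour, so declarative update rules still apply.
     */
    @Override
    public boolean isAttributeUpdateable(int index) {
        if (index == SALARY && isInsertMode() && !isManager()) {
            return false;
        }
        return super.isAttributeUpdateable(index);
    }

    // A row that has been created but not yet posted is NEW or INITIALIZED.
    private boolean isInsertMode() {
        byte state = getEntityState();
        return state == STATUS_NEW || state == STATUS_INITIALIZED;
    }

    // Fail closed: with no security context the user is treated as non-manager.
    private boolean isManager() {
        SecurityContext sc = ADFContext.getCurrent().getSecurityContext();
        return sc != null && sc.isUserInRole(MANAGER_ROLE);
    }
}
```

Because the check lives in the entity object, every view object and page built on this EO gets the same rule without repeating it in the UI.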


At runtime I log in as a user granted only the accountant role. As expected, the user can edit SALARY attribute values for existing employees:


We click the Create button, which puts the row in insert mode. The current user does not have permission to enter a new SALARY attribute value while the new employee is not yet in the database, so the attribute is rendered as disabled:


When the transaction is committed and the new employee data is inserted into the database, the SALARY attribute becomes editable again:
