Security in Java Enterprise

This week I attended the conference “herbstcampus” in Nürnberg (Germany). There were several great sessions and workshops about Java and the like.

One great session was given by Arne Limburg from OpenKnowledge about access control and security management in Java. In this very clear and unbiased comparison he listed solutions for

  1. user based access control (JAAS)
  2. role based access control (EJB and Spring Security)
  3. access control lists (Spring Security)

Each of these has its own advantages and problems. The point of this post is that he develops JPASecurity (Apache 2 license), which solves the problem that you sometimes need to restrict access to individual objects (instances), not only to classes.

One example of why I think this is a great tool:

With JPASecurity it is possible to retrieve from the database (via JPA) only those objects the current user is allowed to see. It does not load all objects into memory and then filter out the disallowed ones; it queries only the permitted objects in the first place! Get started with his tutorial.
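To make the difference concrete, here is an added example (my own, not code from the post, from JPASecurity or from Arne Limburg) that contrasts the two strategies. It uses Python and SQLite as a stand-in for JPA so it runs without a persistence provider; the table `document`, its columns, the sample rows and the two `READ_RULES` predicates are all constructed for the illustration, and `secure_sql` is a deliberately simple string rewrite that stands in for the query rewriting an object-level security layer performs. `load_then_filter` pulls every row across the database boundary and checks access afterwards; `query_with_rules` pushes the same rules into the `WHERE` clause so that only permitted rows are ever returned.

```python
import sqlite3

# Constructed sample data (not from the post): documents with an owner and a visibility flag.
DOCUMENTS = [
    (1, "alice", "private", "alice notes"),
    (2, "bob", "private", "bob notes"),
    (3, "alice", "public", "team handbook"),
    (4, "carol", "private", "carol draft"),
]

# Object-level access rules, expressed as SQL predicates over the entity's columns.
# The current user is bound as the named parameter :user, never interpolated.
# A row is readable if ANY rule holds (rules are OR-ed together).
READ_RULES = [
    "owner = :user",          # owners may read their own documents
    "visibility = 'public'",  # everyone may read public documents
]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE document (id INTEGER PRIMARY KEY, owner TEXT, "
        "visibility TEXT, title TEXT)"
    )
    conn.executemany("INSERT INTO document VALUES (?, ?, ?, ?)", DOCUMENTS)
    return conn


def is_readable(user, row):
    """The same rules evaluated in application code, for the in-memory variant."""
    _, owner, visibility, _ = row
    return owner == user or visibility == "public"


def load_then_filter(conn, user, title_pattern="%"):
    """Naive approach: fetch every matching row, then drop the disallowed ones.

    Returns (allowed_ids, rows_loaded). rows_loaded shows how much data
    crossed the database boundary before the access check ran.
    """
    rows = conn.execute(
        "SELECT id, owner, visibility, title FROM document WHERE title LIKE ?",
        (title_pattern,),
    ).fetchall()
    allowed = [r[0] for r in rows if is_readable(user, r)]
    return allowed, len(rows)


def secure_sql(base_sql):
    """Rewrite a query so the access rules become part of its WHERE clause.

    The caller's own condition (if any) is kept and AND-ed with the OR of all
    rules, so the caller's filter can narrow but never widen what the rules permit.
    (Illustrative string rewrite; a real layer would work on the query AST.)
    """
    rule_clause = " OR ".join(f"({r})" for r in READ_RULES)
    head, sep, condition = base_sql.partition(" WHERE ")
    if sep:
        return f"{head} WHERE ({condition}) AND ({rule_clause})"
    return f"{base_sql} WHERE ({rule_clause})"


def query_with_rules(conn, user, title_pattern="%"):
    """Filtered approach: only rows the user may read are ever returned.

    Returns (allowed_ids, rows_loaded); here rows_loaded equals the number of
    permitted rows because the database applied the rules itself.
    """
    sql = secure_sql(
        "SELECT id, owner, visibility, title FROM document WHERE title LIKE :pattern"
    )
    rows = conn.execute(sql, {"pattern": title_pattern, "user": user}).fetchall()
    # Defence in depth: every row that came back must still satisfy the rules.
    assert all(is_readable(user, r) for r in rows)
    return [r[0] for r in rows], len(rows)


if __name__ == "__main__":
    db = build_db()
    for user in ("alice", "bob", "carol", "mallory"):
        print(f"{user:8s} naive: {load_then_filter(db, user)}  "
              f"secured: {query_with_rules(db, user)}")
```

For `alice` the naive path loads all four rows and keeps two, while the secured path loads exactly the two she may read; for an unknown user such as `mallory` only the public document is fetched at all. Two points carry over to the real thing: the access rules are fixed predicates with the user identity bound as a parameter, so securing the query adds no injection surface, and because the rules are attached to every query by the layer rather than remembered by each caller, a forgotten check in one code path no longer leaks objects.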