Client Level Security in J2EE?
We are starting a new J2EE project for a personnel system in my office. Obviously certain users will have read and some read/write on our main personnel bean. Our problem occurs when we want to give a person write permission on a person in an office. In other words I can make write changes to all people in Office A, but not Office B.
Office would be a field in our Personnel table and it would be a foreign key to our Office table.
So I see us having a personnel entity bean and an office entity bean, probably with a bidirectional relationship.
I know for a fact that we could create roles in J2EE and assign users permissions to each method in the Personnel bean. For example I would give myself permission to call setLastName() on the personnel bean, but this now allows me to call this method on all personnel beans and not just the personnel beans where the office is Office A.
I know I could write some of this logic directly into the bean, or place this logic somewhere on the client, but I want to know if anyone else has run into this and/or there is a pattern to handle this problem.
Any and all replies are welcome.
Thanks
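The gap described above, as an added example that is not code from the original post: the role check a J2EE deployment descriptor can enforce per method, followed by the per-office (instance-level) check it cannot express. The class, role and office names, and the user-to-office lookup map, are assumptions standing in for what the entity bean and the container would supply.

```java
import java.util.*;

// Added example, not from the original post. Caller stands in for what
// EJBContext.getCallerPrincipal()/isCallerInRole() report; the writableOffices
// map is an assumed lookup that a real deployment would back with a table.
public class OfficeScopedWrite {

    /** Stand-in for the Personnel entity bean's persistent fields. */
    static class Personnel {
        final String id; final String officeId; String lastName;
        Personnel(String id, String officeId, String lastName) {
            this.id = id; this.officeId = officeId; this.lastName = lastName;
        }
    }

    /** Stand-in for the container's caller identity and role membership. */
    static class Caller {
        final String name; final Set<String> roles;
        Caller(String name, Set<String> roles) { this.name = name; this.roles = roles; }
    }

    /** Assumed per-user set of offices the user may modify. */
    private final Map<String, Set<String>> writableOffices = new HashMap<>();

    void allowWrite(String user, String officeId) {
        writableOffices.computeIfAbsent(user, k -> new HashSet<>()).add(officeId);
    }

    /** Method-level check (role), then instance-level check (office of the target). */
    void setLastName(Caller caller, Personnel target, String newName) {
        if (!caller.roles.contains("personnel-writer")) {          // what the descriptor enforces
            throw new SecurityException(caller.name + " lacks role personnel-writer");
        }
        Set<String> offices = writableOffices.getOrDefault(caller.name, Collections.emptySet());
        if (!offices.contains(target.officeId)) {                  // what the descriptor cannot
            throw new SecurityException(caller.name + " may not modify office " + target.officeId);
        }
        target.lastName = newName;
    }

    public static void main(String[] args) {
        OfficeScopedWrite bean = new OfficeScopedWrite();
        bean.allowWrite("alice", "A");   // constructed sample grant: alice may write Office A only
        Caller alice = new Caller("alice", Collections.singleton("personnel-writer"));
        Personnel inOfficeA = new Personnel("p1", "A", "Smith");
        Personnel inOfficeB = new Personnel("p2", "B", "Jones");
        bean.setLastName(alice, inOfficeA, "Smythe");            // allowed: office A
        try {
            bean.setLastName(alice, inOfficeB, "Johns");         // denied: office B
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Keeping the office check inside the bean (rather than on the client) means every caller path, including other beans, passes through the same rule.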

