Suppose I have a simple model, such as "Record":
    @Model
    public class Record {
        private Principal owner; // presume getter/setters as well
    }
Then I want to have a simple EJB that controls creating and deleting records. For the sake of argument let's only worry about deleting:
    @EJB
    @Named
    @Stateless
    public class RecordMgr {
        @PersistenceContext private EntityManager em;
        public void delete(Record r) {
            em.remove(r);
        }
    }
I want to restrict access to RecordMgr#delete(Record r) to administrators and the owner: in other words, admins and the people who created the object, and only them, can delete it. I don't see how to accomplish both of these with declarative security. What's the right way to approach this problem?
You cannot do that with declarative security, because there is no way to have a connection between the role in @RolesAllowed and the user that created the entity.
The only way is programmatic security and checking that the user is the creator of the bean or an administrator, or both.
The only part where you could utilize declarative security is to list the roles that are allowed to create such a record, and the administrator role. After that it has to be programmatically checked further that the current user's role is administrator or that the current user created the record. In any case, the whole logic of declarative security is then duplicated in programmatic security.
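The combination this answer describes, as an added example that is not code from the question or the answer: @RolesAllowed gates entry to the method, and SessionContext performs the admin-or-owner check inside it. The role names "admin" and "user" and the Record#getId() accessor are assumptions; Record#getOwner() is the getter the question presumes.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;

@Stateless
public class RecordMgr {
    // Assumed role names; use the ones defined in your security realm.
    private static final String ADMIN = "admin";
    private static final String USER = "user";

    @PersistenceContext private EntityManager em;
    @Resource private SessionContext ctx;

    // Declarative part: only callers in a listed role reach the method at all.
    @RolesAllowed({ADMIN, USER})
    public void delete(Record r) {
        // Re-read the row so the owner comes from the database, not from a
        // detached object the caller may have altered.
        // getId() is an assumed accessor, not shown in the question.
        Record managed = em.find(Record.class, r.getId());
        if (managed == null) {
            return; // nothing to delete
        }
        if (!mayDelete(managed)) {
            throw new EJBAccessException("caller is neither admin nor owner");
        }
        em.remove(managed);
    }

    // Programmatic part: administrator, or the principal that created the record.
    private boolean mayDelete(Record managed) {
        if (ctx.isCallerInRole(ADMIN)) {
            return true;
        }
        Principal caller = ctx.getCallerPrincipal();
        Principal owner = managed.getOwner();
        // Compare names: equals() on Principal depends on the container's implementation.
        return owner != null && caller.getName().equals(owner.getName());
    }
}
```

The owner is read from the managed entity rather than from the argument, so a caller cannot pass the check by setting the owner field on the object it hands in.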