How to pass session variables via security context - spring

I'm working in MVC application. I need to put/pass couple of values in the controller level and retrieve the same in the service or business layer or persistence layer.
A few said we need to define a security context which is accessible in the presentation or in any other layer.
Please let me know how to define and access it. Is there a better way than a security context?
Thanks.

Related

Best practice for accessing Spring's Security Context

I am working on an application with a layered architecture:
Presentation - Service - Data Access
Many of the modules at this service layer need to access the currently logged in user. Is it a good idea to have these modules directly access the security context to obtain the UserDetails object?
I'm thinking that if in the future modules from the Service layer need to be exposed to other application as a Web Services, getting the Security Context may not work.
You'd need to be more specific, but you generally shouldn't have the whole stack directly accessing authentication information. Instead, if it's an operation where using aspect-oriented method security isn't applicable, pass the user information to service layers as ordinary method parameters. Use appropriate mechanisms (such as @AuthenticationPrincipal) to cleanly supply authentication information to your top-level facade (Web tier or what have you).
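The layering the answer above recommends, as an added example (not code from the original posts): the web facade is the only class that touches the security context, and it does so through the `@AuthenticationPrincipal` argument resolver; the service and the data access layer receive the username as an ordinary parameter and import nothing from Spring Security or the servlet API. `Order`, `OrderRepository`, `OrderService` and `OrderController` are hypothetical names; the in-memory map stands in for a real DAO. Assumes Java 17 and Spring Security 5 or later.

```java
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Repository;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical domain object used for the demonstration.
record Order(long id, String owner, String item) {}

// Hypothetical in-memory store standing in for the data access layer.
@Repository
class OrderRepository {
    private final Map<Long, Order> rows = new ConcurrentHashMap<>();

    void save(Order o) { rows.put(o.id(), o); }

    // The only thing the DAO knows about "who" is a plain string it was handed.
    List<Order> findByOwner(String owner) {
        return rows.values().stream().filter(o -> o.owner().equals(owner)).toList();
    }
}

// Service layer: no Spring Security import, no HttpServletRequest, no session.
// The caller has already authenticated someone and hands over the identity.
@Service
class OrderService {
    private final OrderRepository repo;

    OrderService(OrderRepository repo) { this.repo = repo; }

    List<Order> ordersOf(String username) {
        return repo.findByOwner(username);
    }

    // The ownership rule is expressed on the parameter, not on a thread-local
    // lookup, so a web-service facade or a batch job can call this with the
    // identity it verified itself.
    Order place(String username, long id, String item) {
        Order o = new Order(id, username, item);
        repo.save(o);
        return o;
    }
}

// Web facade: the one place that touches the security context, and it does so
// via the argument resolver rather than via SecurityContextHolder.
@RestController
class OrderController {
    private final OrderService orders;

    OrderController(OrderService orders) { this.orders = orders; }

    @GetMapping("/orders")
    List<Order> myOrders(@AuthenticationPrincipal UserDetails user) {
        // user.getUsername() is all the service receives; it never sees the
        // UserDetails, the Authentication object, or the HTTP session.
        return orders.ordersOf(user.getUsername());
    }
}
```

If the service layer is later exposed as a web service, the new facade resolves its own caller (from a SOAP header, an API token, whatever it uses) and calls `ordersOf(username)` unchanged; nothing below the facade depends on how authentication happened.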

Spring MVC 3 - object persistence between multiple controllers and views

I have the following scenario in my application.
There are multiple controllers and views. There is no login/logout functionality and no traditional username/password stuff. The application does some logic on incoming requests directly (no authentication/authorization).
As the user goes through controllers and views, I need to persist the user specific data at some place. This is needed as I need to refer to this until the user is completely out of the application. Basically I need to persist user data without any authentication/authorization functionality.
Shall I go for the traditional HttpSession or Spring's @SessionAttribute to store the required details? Or is there any other better way to do this?
Thanks in advance!
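Both options the question names, as an added example (not code from the original post): a `@SessionAttributes` controller that carries per-visitor data through a multi-step flow with no login, and a second controller that reads the same object straight from `HttpSession`, since `@SessionAttributes` stores it there under the attribute name. `VisitorData`, `SignupWizardController`, `SupportController` and the URL paths are hypothetical. Written against the Spring MVC 3 API named in the title (`@RequestMapping` with `method`, `javax.servlet`); on Spring 6 the servlet import is `jakarta.servlet.http.HttpSession`.

```java
import javax.servlet.http.HttpSession; // jakarta.servlet.http.HttpSession on Spring 6

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.SessionAttributes;
import org.springframework.web.bind.support.SessionStatus;

// Hypothetical per-visitor state that must survive across several controllers and views.
class VisitorData {
    private String locale;
    private String plan;
    public String getLocale() { return locale; }
    public void setLocale(String locale) { this.locale = locale; }
    public String getPlan() { return plan; }
    public void setPlan(String plan) { this.plan = plan; }
}

@Controller
@SessionAttributes("visitor") // model attribute "visitor" is kept in the HttpSession under that name
public class SignupWizardController {

    // Runs only when "visitor" is not already in the session, so later requests
    // in the flow pick up the existing object instead of a fresh one.
    @ModelAttribute("visitor")
    public VisitorData newVisitor() {
        return new VisitorData();
    }

    @RequestMapping(value = "/step1", method = RequestMethod.POST)
    public String step1(@ModelAttribute("visitor") VisitorData visitor,
                        @RequestParam("locale") String locale) {
        visitor.setLocale(locale);
        return "redirect:/step2";
    }

    @RequestMapping(value = "/step2", method = RequestMethod.POST)
    public String step2(@ModelAttribute("visitor") VisitorData visitor,
                        @RequestParam("plan") String plan) {
        visitor.setPlan(plan);
        return "redirect:/summary";
    }

    @RequestMapping(value = "/summary", method = RequestMethod.GET)
    public String summary(@ModelAttribute("visitor") VisitorData visitor, Model model) {
        model.addAttribute("plan", visitor.getPlan());
        return "summary";
    }

    // When the flow ends, remove the attribute: @SessionAttributes data otherwise
    // lives as long as the session, so the next person on the same browser
    // would inherit it.
    @RequestMapping(value = "/finish", method = RequestMethod.POST)
    public String finish(@ModelAttribute("visitor") VisitorData visitor, SessionStatus status) {
        status.setComplete();
        return "redirect:/done";
    }
}

// Another controller reading the same data: it is an ordinary HttpSession
// attribute, so the plain servlet API reaches it from anywhere a session exists.
@Controller
class SupportController {
    @RequestMapping(value = "/support", method = RequestMethod.GET)
    public String support(HttpSession session, Model model) {
        VisitorData visitor = (VisitorData) session.getAttribute("visitor");
        // Tolerate a visitor who never went through the wizard.
        model.addAttribute("locale", visitor == null ? "default" : visitor.getLocale());
        return "support";
    }
}
```

The practical difference: `@SessionAttributes` binds the object's lifetime to one controller's flow and gives you `SessionStatus.setComplete()` to end it, while direct `HttpSession` access is what you need when several unrelated controllers share the data. Either way the data lives only as long as the container session, so give it a sensible timeout and clear it when the flow finishes.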

How to handle transactions with Spring Data JPA?

I am about to start creating a new application and wanted to get some feedback on the approach I plan on using. We will be using spring and spring data jpa.
Can controllers call domain services and repositories or should the controller only make calls to application and infrastructure services?
If it's "ok" to call domain services and repositories from a controller and a domain service operation needs a transaction, can/should I just put the @Transactional annotation on the domain service method? Or should I have an application service that wraps the call (not sure I like this approach because you would end up with a bunch of pass through methods)?
If it's not "ok" to call domain services and repositories from a controller, do I need to create application services to wrap all possible domain service calls (like I said in 2, that could be a lot of pass through methods)?
The best solution I can come up with is something like the following:
Repositories will have the @Transactional annotation with propagation REQUIRED when writing to the database, and readOnly=true with propagation set to SUPPORTS when reading from the database.
Application and Domain Services will add the @Transactional annotation as needed.
If the controller ever needs to make a direct call to a repository, a domain service or an application service it can. No pass throughs.
I am not clear on your question. What are the Domain Services doing? I know Application Services and Domain Repositories very well.
In Spring, there are two layers: the service layer and the data access layer.
The service layer can use @Service (in your design it will be the Application Services) but not the @Transactional tag.
The data access layer uses the @Repository tag and also the @Transactional tag, because this layer is directly connected to and performs operations on the database. So, I would like to know what's the function of the Domain Service. I am not clear on that.
Thanks buddy.
I personally would only access your domain and application services from your controllers. That way you only have to put @Transactional annotations at one "level". You get transactionality out of the box at your repository layer if you're extending the regular Spring Data repository interfaces. I would leave that layer as simple as possible. Put your readOnly and other configuration at the service layer.
Creating "pass through" methods allows you more flexibility down the road too if you ever decide to change your DAO implementation.
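The arrangement the last answer recommends, as an added example (not code from the original posts): the repository extends the plain Spring Data interface and gets transactions for free, and the service layer is the single place that declares boundaries, with `readOnly = true` as the class default and a read-write `@Transactional` on the one method that changes state. `Account`, `AccountRepository` and `TransferService` are hypothetical. Assumes Spring Data JPA on Spring 6 (`jakarta.persistence`); on Spring 5 / Boot 2 the entity imports are `javax.persistence`.

```java
import java.math.BigDecimal;
import java.util.Optional;

import jakarta.persistence.Entity;   // javax.persistence on Spring 5 / Boot 2
import jakarta.persistence.Id;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

// Hypothetical entity for the demonstration.
@Entity
class Account {
    @Id
    private Long id;
    private String number;
    private BigDecimal balance = BigDecimal.ZERO;

    protected Account() {}  // JPA needs a no-arg constructor

    String getNumber() { return number; }
    BigDecimal getBalance() { return balance; }

    void debit(BigDecimal amount) {
        if (balance.compareTo(amount) < 0) {
            throw new IllegalStateException("insufficient funds on " + number);
        }
        balance = balance.subtract(amount);
    }

    void credit(BigDecimal amount) { balance = balance.add(amount); }
}

// Repository layer left plain: SimpleJpaRepository behind this interface is already
// @Transactional (read-only for finders, read-write for save/delete).
interface AccountRepository extends JpaRepository<Account, Long> {
    Optional<Account> findByNumber(String number);
}

// Service layer: the one place transaction boundaries are declared. The class-level
// default makes every public method read-only and, with the default propagation
// REQUIRED, joins an existing transaction or starts one.
@Service
@Transactional(readOnly = true)
public class TransferService {
    private final AccountRepository accounts;

    public TransferService(AccountRepository accounts) { this.accounts = accounts; }

    public BigDecimal balanceOf(String number) {
        return load(number).getBalance();
    }

    // Method-level annotation overrides the class default: read-write. Both rows are
    // updated inside one transaction, so a RuntimeException from either debit or
    // credit rolls back the whole transfer; money cannot leave one account without
    // arriving in the other.
    @Transactional
    public void transfer(String from, String to, BigDecimal amount) {
        if (amount.signum() <= 0) {
            throw new IllegalArgumentException("amount must be positive");
        }
        Account src = load(from);
        Account dst = load(to);
        src.debit(amount);
        dst.credit(amount);
        // Dirty checking flushes both entities at commit; no explicit save() needed.
    }

    // Private helper invoked from inside a proxied public method, so it runs in the
    // caller's transaction. Caveat: calling another public @Transactional method of
    // this same class directly (self-invocation) bypasses the proxy and applies no
    // transaction settings of its own.
    private Account load(String number) {
        return accounts.findByNumber(number)
                .orElseThrow(() -> new IllegalArgumentException("no such account: " + number));
    }
}
```

With this layout the repository stays a pure interface, and changing the DAO implementation later touches nothing in the transaction configuration.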

Spring Service Bean as Servlet

I have following architecture in my application.
Client (GWT) <--calls--> Servlet <--calls--> Service <--calls--> Dao
I want to make this architecture easier for changes.
For example: when I want to return the inserted id of an object from the Dao layer, because I need it in the client, I have to update the service and the servlet layer as well. So for this little change I have to update all 3 layers (3 classes and 3 interfaces), which makes a change in 6 places.
I see why I need the Dao Layer.
I also get why I need the service layer.
What I don't get is why the service layer can't also be a servlet. At the moment all my servlets do is forwarding the request to the service layer.
The Wikipedia Article about Java Servlets says:
Servlets are most often used to
1 process or store data that was submitted from an HTML form
2 provide dynamic content such as the results of a database query
3 manage state information that does not exist in the stateless HTTP protocol
1 and 2 are just database calls, which I make in my dao layer and the service layer makes extra business logic already possible.
3 I am currently not working with sessions. I don't have a login so far and I am just playing around with my architecture, but I think the service layer could handle this as well.
I want to know the cons and pros for this architecture change:
pros:
One layer less to update if a change happens.
cons
Service Layer gets more complex.
Thanks for your answers.
You need the servlet layer because that is what allows access to the session.
Also, you don't want your service layer to need to know anything about HTTP since you want to be able to re-use the service and DAO layers in other applications (e.g. if you write a desktop application re-using those layers) and needing to include the servlet API would not make sense there.
If needed you could call the DAO layer directly from a servlet for simple cases in order to not duplicate methods in the service and DAO layers.
The servlet API has filters which are a good place to implement security in your web application.
You can use Spring Security if you are already using the Spring framework for your web application.

Good strategy for crosscutting concern

Can somebody point me to a good strategy for the security crosscutting concern without AOP for a JSF-Spring-Hibernate web application?
The security context (in the user's web session) must be accessible in the Business layer (for rules and authorization) and the Data Access Layer (to store the user name in the DB).
I can use Spring IOC but my boss doesn't allow me to use AOP.
You could use Spring Security's SecurityContextHolder which uses a ThreadLocal to store the current user's credentials. Then you can just access it as necessary from the business layer and the DAOs, at the cost of coupling these to the Spring framework.
You can use Java EE Interceptors, but it might be a little more difficult to set up than Spring AOP since you are already using the Spring stack.
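The `SecurityContextHolder` approach from the first answer, as an added example (not code from the original posts), with the two checks a DAO storing the user name should make: fail closed when there is no authenticated, non-anonymous principal, and remember that the holder is a `ThreadLocal`, so a worker thread sees nothing unless the task is wrapped with Spring Security's `DelegatingSecurityContextRunnable`. `AuditedDao`, its `persist` method and the `alice` token are constructed for the demonstration; the `main` simulates what the filter chain does on a request thread. Assumes Spring Security 5 or later on the classpath.

```java
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.concurrent.DelegatingSecurityContextRunnable;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical DAO that stamps the acting user on every row it writes.
public class AuditedDao {

    // Resolves the current principal from the ThreadLocal-backed holder.
    // Fail closed: with no Authentication (background thread, misconfigured filter
    // chain) or an anonymous one, refuse rather than store null or "anonymousUser".
    // AnonymousAuthenticationToken reports isAuthenticated() == true, hence the
    // explicit instanceof check.
    static String currentUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            throw new IllegalStateException("no authenticated user in security context");
        }
        return auth.getName();
    }

    // Constructed stand-in for the INSERT/UPDATE that records the modifier.
    String persist(String payload) {
        return "INSERT ... payload='" + payload + "', modified_by='" + currentUsername() + "'";
    }

    public static void main(String[] args) throws InterruptedException {
        AuditedDao dao = new AuditedDao();

        // Simulates what Spring Security's filter does on the request thread.
        // The three-argument constructor marks the token as authenticated.
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken("alice", "n/a",
                        AuthorityUtils.createAuthorityList("ROLE_USER")));
        System.out.println(dao.persist("order#1"));   // modified_by='alice'

        // A plain worker thread does not see the request thread's context
        // (default strategy MODE_THREADLOCAL), so the DAO refuses instead of
        // silently writing the wrong user.
        Thread plain = new Thread(() -> {
            try {
                dao.persist("order#2");
            } catch (IllegalStateException e) {
                System.out.println("plain worker: " + e.getMessage());
            }
        });
        plain.start();
        plain.join();

        // Wrapping the task copies the caller's SecurityContext onto the worker
        // for the duration of run() and restores the worker's previous context after.
        Thread wrapped = new Thread(new DelegatingSecurityContextRunnable(
                () -> System.out.println("wrapped worker: " + dao.persist("order#3"))));
        wrapped.start();
        wrapped.join();

        // On pooled threads the context must be cleared, or the next task inherits it.
        SecurityContextHolder.clearContext();
    }
}
```

This keeps the coupling the answer mentions (the DAO now imports Spring Security), but it makes the failure mode visible: a write with no identity attached is an exception, not a row with an empty `modified_by`.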
