Blog from Jun 03, 2012

Ever wished that there was a simple way for you to declare that each user can only access his own profile, just as easily as you can declare that only users with admin role can edit certain type of data? Well too bad since such a thing has never existed so you've just resorted to making programmatic checks and building the queries in your service to enforce data instance security. Until now of course: meet ERBAC (Entity-Relationship Based Access Control), the long lost cousin of RBAC (Role Based Access Control)!
Would it not be great if you could write something like:

And be assured that EntityManager.merge() would fail even if somebody manually replaced the entity id somewhere along the way? Wouldn't it be equally cool if you could just do EntityManager.find(Account.class, null) to fetch the right Account for the currently logged-in user? If securing data instances have been causing gray hair for you before and you happen to be using JPA, you should definitely checkout Tynamo's latest module, tapestry-security-jpa.
On a related note, if you happen to live in SF Bay Area, I'll be talking about ERBAC, federated accounts, tapestry-security and using Shiro in modern Java web applications in an upcoming Shiro JUG meet-up this Wednesday, graciously sponsored by Stormpath, Inc.!