An AccessControlPermission represents an atomic permission of the application. Each operation (use-case) should have its own permission. These operations are secured by referencing the ID of the permission. We do this by annotating the operation method with RolesAllowed (from JSR 250). Please do not get confused by the name RolesAllowed, as we are not assigning roles (see also AccessControlGroup) but permissions instead. We want to use Java standards (such as RolesAllowed) where suitable, but assigning the allowed roles to a method would end up in unmaintainable system configurations if your application reaches a certain complexity.
If a user is logged in and wants to invoke the operation, he needs to own the required permission. Therefore his AccessControlGroups (resp. roles) have to contain the permission directly or indirectly.
In order to avoid naming clashes, you should use the name of the application component as a prefix of the permission.
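The scheme described above, as an added example that is not the framework's own code: operations carry a component-prefixed permission ID in RolesAllowed, and a check resolves the permissions a user's groups contain directly or indirectly. The component name, permission IDs, group names, the map-based group model and the deny-by-default rule are assumptions made for illustration; the JSR 250 annotations jar is assumed to be on the classpath.

```java
import java.lang.reflect.Method;
import java.util.*;
import javax.annotation.security.RolesAllowed; // JSR 250 annotations jar assumed on the classpath

public class PermissionCheckExample {
  // Hypothetical permission IDs, prefixed with the hypothetical component name "offermanagement".
  static final String FIND_OFFER = "offermanagement.FindOffer";
  static final String SAVE_OFFER = "offermanagement.SaveOffer";

  // Hypothetical use-case class: each operation references its own permission ID, not a role.
  static class OfferManagement {
    @RolesAllowed(FIND_OFFER) public String findOffer(long id) { return "offer " + id; }
    @RolesAllowed(SAVE_OFFER) public void saveOffer(String offer) { }
  }

  // Constructed sample configuration (a stand-in for AccessControlGroup, not its real API):
  // group -> directly assigned permissions, and group -> groups it inherits from.
  static final Map<String, Set<String>> PERMISSIONS = Map.of(
      "Waiter", Set.of(FIND_OFFER),
      "Chief", Set.of(SAVE_OFFER));
  static final Map<String, Set<String>> INHERITS = Map.of("Chief", Set.of("Waiter"));

  // Collects the permissions a group contains directly or indirectly; 'seen' guards against cycles.
  static Set<String> resolve(String group, Set<String> seen) {
    Set<String> result = new HashSet<>();
    if (!seen.add(group)) return result;
    result.addAll(PERMISSIONS.getOrDefault(group, Set.of()));
    for (String parent : INHERITS.getOrDefault(group, Set.of())) result.addAll(resolve(parent, seen));
    return result;
  }

  // Assumption of this example: an operation without RolesAllowed is denied by default.
  static boolean isAllowed(Method operation, Collection<String> userGroups) {
    RolesAllowed required = operation.getAnnotation(RolesAllowed.class);
    if (required == null) return false;
    Set<String> owned = new HashSet<>();
    for (String group : userGroups) owned.addAll(resolve(group, new HashSet<>()));
    return Arrays.stream(required.value()).anyMatch(owned::contains);
  }

  public static void main(String[] args) throws Exception {
    Method find = OfferManagement.class.getMethod("findOffer", long.class);
    Method save = OfferManagement.class.getMethod("saveOffer", String.class);
    System.out.println("Chief may find:  " + isAllowed(find, List.of("Chief")));  // indirect, via Waiter
    System.out.println("Waiter may save: " + isAllowed(save, List.of("Waiter"))); // not owned
    System.out.println("Guest may find:  " + isAllowed(find, List.of("Guest")));  // unknown group
  }
}
```

Because the method references only the permission ID, moving a permission between groups changes the configuration maps and never the annotated code.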