9.2. Security concept of DbForms

DbForms provides fine-grained definition of rights for data-access and manipulation. DbForms security works directly on tables, not on JSPs. All database operations done by DbForms run through a security check before they get executed.

DbForms allows attaching security constraints to each table defined in the xml-configuration. Listing 5 demonstrates how the problem described above could be solved using DbFormss built-in-security concept:

    <table name="customer" >
      <field name="id" fieldType="int" isKey="true" />
      <field name="firstname" fieldType="char" />
      <field name="lastname" fieldType="char" />
      <field name="address" fieldType="char" />                                

        select = "A,B"
        insert = "A"
        update = "A,B"
        delete = "A"

The attributes of the <granted-privileges> element tell DbForms:

This is exactly what we needed to solve the problem!

Nota bene: not all attributes must be specified explicitly. If, for instance, all users may have read access to a table, the select attribute needs not to be declared. A missing attribute does not generate an error but implicates access for all groups (which may be useful if there are dozen's of roles)

If a <table>-element does not contain a <granted-privileges>-element, then all users have full read write - access to this table.

If a user tries to execute an operation beyond his/her access rights, an SQL-Error will be triggered and (if a <db:errors/> tag is placed on the view) displayed to the user.

Note: current action buttons are not aware of security (i.e. a delete button will get rendered independently of the users right to delete data from the table)