Implementing Permission Checks

Now that your guestbook and guestbook entry web services exist, you must implement permission checks for them. Implementing permission checks for a web service ensures that only users with the correct permissions can invoke the web service. To implement permission checks in your remote services, you’ll use the GuestbookModelPermission, GuestbookPermission, and EntryPermission helper classes that you created earlier. These classes provide helper methods for checking permissions. The helper methods in GuestbookModelPermission check top-level model permissions. For example, you can use GuestbookModelPermission’s helper methods to check if a user can add a new guestbook or guestbook entry. If, on the other hand, you must check if a user can update or delete an existing guestbook or guestbook entry, you’ll use GuestbookPermission or EntryPermission.

Once you’ve secured your remote services with permission checks, you’ll update your portlet classes to call remote services instead of local services. This prevents attackers from trying to bypass your app’s UI by playing with URL parameters to access sensitive portions of your app.

Let’s Go!