Following the directions in the Spring In Action book, I created a small application (only three Java files and two configuration files) so that I could experiment with method-level access control using ACEGI.

However, I continously saw a mysterious message in my log:

Public object - authentication not attempted

So naturally I started looking around the Internet for information about creating private objects. Sadly, there was none. Being stubborn, I downloaded the ACEGI source code to start poking around.

After an hour or so of adding logging messages and tracing the code, I saw the following message in my logging of the MethodDefinitionMap.lookupAttributes method:

...MethodDefinitionMap; this: {...public java.lang.String
com.affy.BeanA.getValue()=[ROLE_FIELD_OPS, ROLE_DIRECTORY,
ROLE_PRESIDENT]}

...MethodDefinitionMap; method: public abstract java.lang.String
com.affy.IBeanA.getValue()

At first I thought the problem lay in the abstract keyword. But then I realized that my Spring configuration file contained:

  <bean id='securityInterceptor' class='...MethodSecurityInterceptor'>
    ...
    <property name='objectDefinitionSource'>
      <value>
        com.affy.BeanA.setValue=ROLE_PRESIDENT
        com.affy.BeanA.getValue=ROLE_FIELD_OPS,ROLE_DIRECTORY,ROLE_PRESIDENT
      </value>
    </property>
 </bean>

The object definition specified the BeanA implementation instead of the Interface. Once I changed to use com.affy.IBean I saw the following message:

...AbstractSecurityInterceptor - Secure object: invocation: method
'setValue', arguments [FOOBAR]; target is of class [com.affy.BeanA];
ConfigAttributes: [ROLE_PRESIDENT]

Now the newly created object was private!

CONCLUSION Use Interfaces in the objectDefinitionSource specification.

I spent this past Monday at a one-day conference devoted to how Information Technology responded to the humanitarian responses of the past year (Katrina, the Tsunami, Darfur, and Afghanistan). For me, the best aspect of the conference was listening to the success stories. One memorable story involves using PDAs to collect information which could be easily collected by the main office.

I re-learned that field conditions are vastly inferior to the conditions under which applications are developed. It's extremely difficult to get *any* kind of staff in locations such as Darfur and even when staff is hired, turnover is very high which pushing training costs higher.

As expected, Data Sharing and Data Standards are a big concern. Yahoo is starting to analyze the existing standards with an eye towards how they can be used for First Responders and other aid workers.

There are fledging open-source applications that are being written (such as Sahana at http://sahana.sourceforge.net/). Plone (http://plone.org/) is being used as a content-management system by several organizations.

In conclusion, at $150 for the day the conference was well worth my time. I highly suggest attending such a conference just to get exposed to how another set of people (non-profit, disaster response teams) do their work.