
    server only datasources

    I place all my datasource files in /ds/ and then load them through

    Code:
     
    <script src="sc/DataSourceLoader?dataSource=example.ds.xml" />
    I have some datasources that should only be invoked server side though (they don't contain any authentication or validation code). My question is: if I don't load them using the script above, can I safely assume a user cannot access them?

    #2
    No. You should protect them via a custom IDACall servlet that rejects requests to those DataSource IDs, or, if using declarative security, by adding requiresRole="superuser" and only giving the "superuser" role to admins.



      #3
      Thank you for the reply, Isomorphic;

      Originally posted by Isomorphic
      if using declarative security, by adding requiresRole="superuser" and only giving the "superuser" role to admins.
      Can you elaborate on this point please? I am using declarative security (form authentication), but in all cases, no user (regular or superuser) should be able to access them. These datasources do housekeeping jobs that only the server should be able to invoke under specific conditions.



        #4
        If they are truly internal functions, just protect them via the IDACall approach. However it frequently turns out that internal functions are very valuable for a superuser to access to diagnose or fix a problem.



          #5
          Yes, that is actually true. I would like to use requiresRole, but would it still work if a non-admin user was logged in? I am assuming putting requiresRole="superuser" in the datasource calls isUserInRole() on the server, which would return false in this case?

          BTW, on the server, I use RPCManager.getDataSource() to instantiate and use the "server only" datasource.



            #6
            That's correct - just see the docs for requiresRole and related properties; they explain this.



              #7
              Thanks for the pointers, Isomorphic;

              For anyone else, you can use RPCManager.setUserRoles() to temporarily get around the requiresRole="superuser" for that particular queue.
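
The custom IDACall approach suggested in replies #2 and #4, as an added example that is not part of the original thread or Isomorphic's own code: a subclass that refuses client requests naming a server-only DataSource ID and logs the attempt. The class name, package and DataSource IDs are hypothetical, and the `handleDSRequest` override signature and `DSResponse` calls are assumed to match your SmartClient Server version.

```java
package com.example.security; // hypothetical package

import java.util.Locale;
import java.util.Set;
import java.util.logging.Logger;

import com.isomorphic.datasource.DSRequest;
import com.isomorphic.datasource.DSResponse;
import com.isomorphic.rpc.RPCManager;
import com.isomorphic.servlet.IDACall;
import com.isomorphic.servlet.RequestContext;

/** Rejects browser-originated requests for DataSources meant for server-side use only. */
public class ServerOnlyIDACall extends IDACall {

    private static final Logger LOG = Logger.getLogger(ServerOnlyIDACall.class.getName());

    // Constructed sample IDs, stored lower-case; replace with your own server-only DataSource IDs.
    private static final Set<String> SERVER_ONLY = Set.of("housekeepingjobs", "internalcleanup");

    @Override
    public DSResponse handleDSRequest(DSRequest dsRequest, RPCManager rpc, RequestContext context)
            throws Exception {
        String dsName = dsRequest.getDataSourceName();
        // Conservative choice: match case-insensitively so a differently-cased ID
        // cannot slip past the deny list.
        if (dsName != null && SERVER_ONLY.contains(dsName.toLowerCase(Locale.ROOT))) {
            LOG.warning("Denied client request for server-only DataSource '" + dsName + "'");
            DSResponse denied = new DSResponse();
            denied.setStatus(DSResponse.STATUS_FAILURE);
            denied.setData("Access denied"); // no detail about why, or what exists
            return denied;
        }
        // Everything else goes through the normal path, including any
        // requiresRole checks declared on the DataSource.
        return super.handleDSRequest(dsRequest, rpc, context);
    }
}
```

Register this class in web.xml in place of the stock `com.isomorphic.servlet.IDACall` servlet class. Server-side code that obtains the DataSource directly does not pass through this servlet, so it is unaffected by the deny list.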
