When used with a presentation tier, the actual Business Delegate components live in the presentation tier.
An example is the case with "BD.listItinerary(customerId)".
*)Whenever this method is invoked by travelagent to lookup for list of customer's itinerary, it is absolutely fine as the TA has the right to do so.
*)But whenever this method is invoked by a customer(after he logged on), he might be retrieving information from other users.
The solution I could think of:
1)provide different BD interface for each role.
-customer role accesses: BD.listItinerary()
-travel agent role accesses: BD.listItineary(customerId)
2)Or perform programmatical security check for each method if we supply the same interface:
-customer gives wrong customerId during BD.listItinerary(customerId) will raise security exception.
Looking at it this way, defining different BD is the way I went with