Roles/Priviledges in a Spring/Hibernate application

Question

Hi,

In a banking or similar application there are usually several roles defined and associated privileges required (for example a normal user could only do transactions but not post it while a supervisor can verify and post them, sort of maker/checker). We also need to add new roles and privileges in the system (not sure about the latter).

How do you achieve this Role Based access in a Spring/Hibernate application? Especially in terms of scaling up to add new roles/privileges. Can Acegi (I never used it) help? Any other idea would be appreciated that can help me achieve the above.

Thanks,

Answer 1

You could have a look at Ayende's Rhino Security. It should direct you in the right direction or give you some useful insights.

Link to the original post:
http://ayende.com/Blog/archive/2008/01/22/Rhino-Security-Overview-Part-I.aspx

Link to all posts tagged Rhino Security on his blog:
http://ayende.com/Blog/category/548.aspx

Answer 2

Yes, Spring Security (formerly known as ACEGI) can do it.

Answer 3

As duffymo mentioned, Acegi has been renamed to "Spring Security" and it's what I would recommend if you're already working with Spring.

There's more documentation online for Acegi than Spring Security, so if in doubt you can find useful information in the Acegi docs/tutorials as well as the more recent Spring stuff.

If you can design your user table to fit with Spring Security's concept (user name, password, roles, each with certain specified types and names) then you can use Spring Security's DAO classes right out of the box; if not, you build a tiny adapter class to hook up Spring Security to your database for the user query.

You can specify required roles per servlet/URL or even at the method level. It took me a day or two to wrap my head around the concepts involved, but after that configuring it was reasonably easy, and I was happy that they've already solved most of the kinds of problems that arise in connection with Web security.