ansaurus

Question

Answer 1

+1 A:

I did something similar 'manually': i.e. I had my own code to determine which instances could be edited/deleted by a specific user and only relied on Spring security to ensure they had the right role to access the functionality and to provide role/authentication information for the current user.

So in my code I determined the current principal (our own User class) and based on that I decided what rights this user had on a specific instance.

public static User getCurrentUser() {
    User user = null;
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth != null) {
        Object principal = auth.getPrincipal();
        if (principal instanceof User) {
            user = (User)principal;
        }
    }
    return user;
}

Fried Hoeben 2009-12-18 10:28:44

But I don't understand how you apply an acl to a group in your case ?

Jerome C. 2009-12-18 11:06:35

I don't really use an acl, but group and user are both entities and have a (bi-directional) relation (managed by hibernate). To determine whether the user can perform special actions on a group I check whether the current principal is a moderator of that group (i.e. the group is contained in the 'moderates' collection of the user). So the list of moderators of each group is basically the 'ACL' for that group and that is managed in the database, not in the spring security config.

Fried Hoeben 2009-12-18 12:12:18

Answer 2

+1 A:

I would just use your Groups like Roles. I've found the Spring ACL implementation to be pretty unwieldy and for the most part unusable. Just assign users to "groups" (Roles in all actuality) and check them as you would normal role based authorization.

Gandalf 2009-12-18 16:10:49

So I can dynamically create an authority like "GROUP_15" and after it, add to the forum 75 the acl with GrantedAuthoritySid("GROUP_15").If I can do that, It's good for me. But I need to create all roles and permissions dynamically.

Jerome C. 2009-12-18 16:39:19

You could do that, but not with the Spring Annotations, at least out of the box. The "ROLE" you use in the annotation is hardcoded and not dynamic. I would suggest writing your own MethodInterceptor and going from their - it's a simple interface and doesn't take much code.

Gandalf 2010-10-27 13:23:43

Answer 3

+4 A:

Check Spring Security 3.0, you might be able to avoid using ACL at all by using the Spring Expression Language.

For instance, for editing a forum, you would have a method secured like this:


    @PreAuthorize("hasRole('ROLE_FORUM_MANAGER') and hasPermission(#forum,'update'))
    public void updateForum(Forum forum) {
        //some implementation
    }

You would then implement the hasPermission method in a custom permission evaluator, like:


public class ForumPermissionEvaluator implements PermissionEvaluator {

    public boolean hasPermission(Authentication authentication, Object domainObject, Object permission) {
        //implement
    }

    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
        //implement
    }
}

Finally, wire it up together in the application config:

 <beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <beans:property name="permissionEvaluator" ref="permissionEvaluator"/>
</beans:bean>
<beans:bean id="permissionEvaluator" class="com.centrix.core.security.GroupPermissionEvaluator" />

Michal Bachman 2009-12-20 12:06:58

yes I've seen it before, but as spring security 3 is not an official release, I would not use it, but I think I will wait a little to use it.

Jerome C. 2009-12-22 16:40:42

To do this using methods arguments such as "#forum" you have to have debug info left in your production JARs....probably not a good idea.

HDave 2010-06-01 01:54:41

ansaurus

tags:

views:

answers:

Group and acl on Spring Security

related questions