views:

128

answers:

1

With spring security, could you add permissions for a user like:

canEditPage canViewPage canLogin

etc?

if yes, Are these stored at a byte array interally?

+1  A: 

Spring Security supports having 1 or more custom roles assigned to each user. On my site, I use a custom table to save these roles, and set up the authentication provider bean to select them from this table. The parameter in the query is their username (which is an email address on my site). I only have it set up to support 1 role per user, but it could easily but broken out into a separate table.

<authentication-provider>
    <password-encoder hash="md5"/>
    <jdbc-user-service data-source-ref="dataSource" 
        users-by-username-query="select email, password, '1' from user where email=?"
        authorities-by-username-query="select email, role, '1' from user where email=?" />
</authentication-provider>

Once you have the roles set up, you can check for the role in your controller, or in the JSP files (using the http://www.springframework.org/security/tags taglib). Here's an example of one such JSP:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%&gt;
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>

<h2>Edit Comment</h2>
<br/>

<security:authorize ifNotGranted="ROLE_ADMIN">
You are not authorized to edit comments.
</security:authorize>
<security:authorize ifAnyGranted="ROLE_ADMIN">
    <!-- Display the whole admin edit comment page -->
</security:authorize>
Kaleb Brasee