  • Spring Security Plug-in: More flexibility


    I'm starting with the security plug-in but my requirements are a bit different from the out-of-the-box approach. I'd like to add another level of flexibility between users and authorities.

    Authorities are usually tied to fine-grained application functionality and hence are a bit low level. So, what I'd like to do is map the authorities to a more coarse-grained "Role" and then assign the roles to the users.

    So, basically, I'd like to end up with User, Role and Authority with each having a many-to-many association with the other.

    What is the best way to do this?

    I thought about the following, but not sure whether it would work:
    1- Leave the generated "Authority" class as is.
    2- Create a new domain class "Role".
    3- Create an intersection entity between User and Role similar to the one generated by the framework.
    4- Modify the intersection entity generated by the framework to make it an intersection between Role and Authority.
    5- Modify the User.getAuthorities() method to retrieve the unique authorities associated with the user through the roles.

    Will this work, or are there internal implementation details that I'm not aware of that might cause issues?
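
Step 5 of the plan above, sketched in plain Groovy as an added example (not code from the thread or from the plug-in). The class and field names are assumptions, and GORM persistence and the join entities of steps 3 and 4 are reduced to in-memory sets.

```groovy
import groovy.transform.EqualsAndHashCode

// Hypothetical stand-ins for the domain classes; names and fields are assumptions.
@EqualsAndHashCode(includes = 'name')
class Authority {
    String name                          // fine-grained permission
}

class Role {
    String name                          // coarse-grained grouping of authorities
    Set<Authority> authorities = [] as Set   // Role <-> Authority (step 4)
}

class User {
    String username
    Set<Role> roles = [] as Set          // User <-> Role (step 3)

    // Step 5: resolve the unique authorities reachable through the user's roles.
    Set<Authority> getAuthorities() {
        roles.collectMany { it.authorities } as Set
    }
}

// Constructed sample data.
def read    = new Authority(name: 'INVOICE_READ')
def approve = new Authority(name: 'INVOICE_APPROVE')
def clerk   = new Role(name: 'Clerk',   authorities: [read] as Set)
def manager = new Role(name: 'Manager', authorities: [read, approve] as Set)
def alice   = new User(username: 'alice', roles: [clerk, manager] as Set)

// INVOICE_READ is granted by both roles but is resolved only once.
assert alice.authorities*.name.sort() == ['INVOICE_APPROVE', 'INVOICE_READ']

// Revoking a role removes only the authorities no remaining role grants.
alice.roles.remove(manager)
assert alice.authorities*.name == ['INVOICE_READ']
```

When reviewing such a model, note that removing one role does not revoke an authority that another assigned role still grants, so access reviews need to look at the resolved set rather than at individual role assignments.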


  • #2
    And why wouldn't that be possible with out-of-the-box Spring Security?

    An Authority, although in general prefixed with ROLE_, can perfectly be a fine-grained mechanism. Spring Security also has groups which group together authorities. So basically all you need is already there.

    I actually implemented something like this with Acegi Security (which didn't have groups yet); now with Spring Security 2 (and 3) this would be a lot easier by simply using groups.


    • #3
      Thanks for pointing out this feature, I was not aware of it. IMO, this is a very poorly documented feature in Spring Security; only 3 lines in the whole 3.0.3 user guide and the only mention in the 2.0.5 user guide is in the DB schema scripts!

      Nevertheless, it still doesn't seem to be supported in the plug-in out of the box. For example, the s2-quickstart script does not have an option to create a Group domain class or modify the mapping.

      Also, the UserDetailsService implementation provided by Grails cannot be configured to account for it, as far as I can tell.

      So, would the steps I mentioned below still be valid?


      • #4
        I'm not skilled in Grails (did a little Groovy, but that is it), so I cannot help you there. Also, the Group is more or less a conceptual thing; there is no real object representing a group in Spring Security, although you could make one yourself.

        If you want more info, I suggest picking up a copy of Spring Security 3, which explains this feature (amongst others) in quite some detail.


        • #5
          Well, I just followed those steps I mentioned and guess what? It worked.

          I'm not skilled in Grails either, but I'm learning many things along the way. One thing I can tell you, though, is that the learning curve is, to some extent, steep; not that I wouldn't expect that of any new language/framework.