Announcement Announcement Module
No announcement yet.
RunAs Authentication Replacement for ACL? Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • RunAs Authentication Replacement for ACL?

    I have been trying to determine how to grant object access to users via an invitation but Spring Security doesn't appear to have any sort of capability to handle this design.

    What I want to do is to have one user issue an invitation to a second user. A second user may or may not be in the service at the time the invitation is created. In both cases (when a user already exists and when a user does not yet exist), an invitation object is created with the privileges selected by the inviter, the object the invitee has been invited to have access, the inviter SecUser id, and the invitee email address.

    At this point no access privileges have been granted.

    When an invitee logs into the service, the invitation is detected and the user is prompted to accept or reject the invitation. If the user chooses to accept the invitation and gain access to the object then the object ACL's should be extended to add ACE entries for the new user.

    Now, here is the issue. I do not seem to be able to force Spring Security to allow a user to set ACL privileges for an object that the user has no admin privileges for regardless of any SpEL annotation I try on the service or controller (Grails environment). I have tried using @PreAuthorize("permitAll") and @PreAuthorize("#missionInvite.emailAddress==princi") to see if the annotation could force the ACL subsystem to stop checking for permission but I still get a "No such property: accessDenied for class:" error when my implementation of AclUtilService tries to call acl.insertAce().

    I am thinking that I could use RunAs Authentication but I cannot find any examples implementing this temporary switch without resorting to annotations. The documentation seems to indicate that the RunAsUserTokens are statically created and not dynamic. Can someone point me to example code where RunAsTokens are created on the fly so that the service can change the current authentication object so that ACE's can be created for a user without the user have the needed privileges?

  • #2
    I was able to get a user with the ROLE_ADMIN to change the privileges in an object owned by another user, so I guess ROLE_ADMIN can override ACL privileges. So I thought to try to do this for users who aren't admins by using RunAs.

    1. Create a Role with an authority 'ROL_RUN_AS_INVITED_USER'
    2. enable RunAs in config.groovy

    grails.plugins.springsecurity.useRunAs = true
    grails.plugins.springsecurity.runAs.key = '*****'
    3. give the generated role the authority to change Acl details

    grails.plugins.springsecurity.acl.authority.change AclDetails = 'ROLE_RUN_AS_INVITED_USER'
    4. Annotate the service method that accepts an invitation and sets the domain object privileges to allow access

    @PreAuthorize("#missionInvite.emailAddress==princi") //verify the invitation is to the current user

    but I still get an error when an access control entry is to be added to the domain object's acl:

    Unable to locate a matching ACE for passed permissions and SID
    I have been tearing what little hair I have left out for a few days over this problem and have gotten precisely nowhere.