  • Instance-Based ACL Security

    I'm quite lost on how to do the instance-based ACL, even after reading the docs and API. Here is my scenario: I am creating a user admin module which allows managers from different companies to edit their own users. Ok, so I have the part which checks for the role of ROLE_MANAGER working and only allows that role into the module. Now, I need to check the manager's company and compare it to the company of the user they have selected to edit; if they are the same, then he can edit the user, otherwise I want to forward him back to the main screen with an error message. The reason I want to do this is to prevent someone who is a manager from simply typing in a different user id in the URL and editing a user who is not from their company. I'd like to use Acegi's instance-based ACL security, otherwise I'd just do it the simple way and do the check right in my controller, but I know that this will be reused in other places.

    Anyone know how to accomplish this?

    Thanks for any help!


  • #2
    My post at explains how we handle domain objects with ACL security.

    Basically you'd write an AclManagerVoter and select some configuration attribute that tells the AclManagerVoter to fire (e.g. ENSURE_ACL). You'd define the configuration attribute against the MethodSecurityInterceptor. When a user requests, say, the PersonManager.updatePerson(Person) method, MethodSecurityInterceptor will delegate to AclManagerVoter, which will look at the Person method and check it against the AclManager. From there it can vote to grant access or deny access (or abstain if the ENSURE_ACL configuration attribute did not apply to the AccessDecisionVoter invocation).

    Hope this clarifies it a little.
    Last edited by robyn; May 14th, 2006, 10:53 AM.
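An added example, not code from the thread or from Acegi itself: a voter of the kind described in the reply above, written against the Acegi 1.0 AccessDecisionVoter contract (org.acegisecurity packages assumed), that applies the company rule from the original question directly instead of consulting an AclManager. Manager (the custom principal type) and CompanyUser (the user being edited) are hypothetical domain types introduced here for illustration.

```java
import java.util.Iterator;
import org.aopalliance.intercept.MethodInvocation;
import org.acegisecurity.Authentication;
import org.acegisecurity.ConfigAttribute;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.vote.AccessDecisionVoter;

/** Hypothetical domain types assumed for this example. */
interface Manager { String getCompanyId(); }      // the authenticated principal
interface CompanyUser { String getCompanyId(); }  // the user being edited

public class CompanyScopeVoter implements AccessDecisionVoter {
    /** Configuration attribute that makes this voter fire (name taken from the thread). */
    private static final String ATTRIBUTE = "ENSURE_ACL";

    public boolean supports(ConfigAttribute attribute) {
        return ATTRIBUTE.equals(attribute.getAttribute());
    }
    /** MethodSecurityInterceptor hands the voter a MethodInvocation; nothing else is inspected. */
    public boolean supports(Class clazz) {
        return MethodInvocation.class.isAssignableFrom(clazz);
    }

    public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
        if (!hasAttribute(config)) {
            return ACCESS_ABSTAIN;              // ENSURE_ACL not set on this method: not our decision
        }
        Object principal = authentication.getPrincipal();
        CompanyUser target = findTarget(((MethodInvocation) object).getArguments());
        if (!(principal instanceof Manager) || target == null) {
            return ACCESS_DENIED;               // fail closed: nothing to compare
        }
        String managerCompany = ((Manager) principal).getCompanyId();
        boolean sameCompany = managerCompany != null && managerCompany.equals(target.getCompanyId());
        return sameCompany ? ACCESS_GRANTED : ACCESS_DENIED;
    }
    private boolean hasAttribute(ConfigAttributeDefinition config) {
        for (Iterator it = config.getConfigAttributes(); it.hasNext();) {
            if (supports((ConfigAttribute) it.next())) return true;
        }
        return false;
    }
    /** First CompanyUser argument of the secured method (e.g. updateUser(CompanyUser)), or null. */
    private CompanyUser findTarget(Object[] args) {
        for (int i = 0; i < args.length; i++) {
            if (args[i] instanceof CompanyUser) return (CompanyUser) args[i];
        }
        return null;
    }
}
```

Register the voter with the AccessDecisionManager used by MethodSecurityInterceptor and tag the update method with ENSURE_ACL; a deny vote surfaces as an AccessDeniedException, which is the point at which the redirect to the main screen with an error message belongs.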