"namespace" based authorization
  • "namespace" based authorization

    This is a topic we talked about during Ben Alex's "Beyond Low Hanging Fruit" session at the Spring Experience 2006 conference, an impressive session on Acegi ACL-based domain object instance security.

    My application uses role-based authorization, and I will add an additional mechanism to authorize a particular role only if the client is allowed access to a particular slice of customer information in the database. ACLs might be used in some way if I can design this in a way that only requires a few ACLs (connect domain object instance ACLs into a parent table that defines namespacing types of stuff..), but I don't think I need ACLs for this one..
    For example, a particular customer service representative working for company Acme is only allowed to modify customer account records if they have role "ROLE_ACCOUNT_MODIFY" and if the customer was originally created by an Acme customer service rep. Authorization based on some filtering of the customer details.

    So, is the best solution to use a UnanimousBased AbstractAccessDecisionManager that contains multiple entries like this?
    <bean id="accessDecisionManager"
          class="org.acegisecurity.vote.UnanimousBased">
        <property name="decisionVoters">
            <list>
                <bean class="org.acegisecurity.vote.RoleVoter"/>
                <bean class="my.custom.Voter"/>
            </list>
        </property>
    </bean>

    Assuming I'm using MethodSecurityInterceptor, the my.custom.Voter.decide() method receives the current MethodInvocation object as the "object". The my.custom.Voter needs to interrogate the MethodInvocation parameters directly and perform custom handling based on whatever "namespace" rules I need to enforce against the current authenticated user.

    So I need the user to have access to a general role + access to a slice of data based on some customer attributes. What if I decide to add several of these special voters? I basically ALWAYS want the ROLE auth.. plus just one of the others? What AbstractAccessDecisionManager should be set up for that? Write my own?

    fyi- this is cool!
    --Michael Moores

  • #2
    I also wanted to add:
    My problem does not require any after-invocation processing.. it's all pre-invocation, which I'm assuming always happens in a voter as opposed to an AfterInvocationProvider.

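Added example, not from this thread and not part of the Acegi distribution: one way to build the combination asked about above, a custom pre-invocation voter plus a decision manager that always requires the RoleVoter to grant and additionally requires at least one of the non-role voters to grant. It is written against the Acegi 1.0 API (`AccessDecisionVoter`, whose callback the interface names `vote()`, and `AbstractAccessDecisionManager`). The `NS_` attribute prefix, the `CompanyUser` principal type with its `getCompany()` accessor, and the `CustomerAccount` domain class with `getCreatedByCompany()` are assumptions made for the illustration. The two classes go in separate files; they are shown together here.

```java
package my.custom;

import java.util.Iterator;
import org.aopalliance.intercept.MethodInvocation;
import org.acegisecurity.AccessDeniedException;
import org.acegisecurity.Authentication;
import org.acegisecurity.ConfigAttribute;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.vote.AbstractAccessDecisionManager;
import org.acegisecurity.vote.AccessDecisionVoter;
import org.acegisecurity.vote.RoleVoter;

// --- NamespaceVoter.java ---
// Pre-invocation voter: grants only when the CustomerAccount argument of the
// secured method was created by the caller's own company. It is triggered by
// config attributes starting with "NS_" (an assumed convention, mirroring
// RoleVoter's "ROLE_" prefix) and abstains on methods without such an attribute.
public class NamespaceVoter implements AccessDecisionVoter {
    private static final String PREFIX = "NS_";

    public boolean supports(ConfigAttribute attribute) {
        return attribute.getAttribute() != null
            && attribute.getAttribute().startsWith(PREFIX);
    }

    public boolean supports(Class clazz) {
        // MethodSecurityInterceptor hands voters the MethodInvocation as "object"
        return MethodInvocation.class.isAssignableFrom(clazz);
    }

    public int vote(Authentication authentication, Object object,
                    ConfigAttributeDefinition config) {
        boolean applies = false;
        for (Iterator it = config.getConfigAttributes(); it.hasNext();) {
            if (supports((ConfigAttribute) it.next())) {
                applies = true;
            }
        }
        if (!applies) {
            return ACCESS_ABSTAIN; // no NS_ attribute on this method
        }
        // Hypothetical principal type that carries the rep's company
        if (!(authentication.getPrincipal() instanceof CompanyUser)) {
            return ACCESS_DENIED;
        }
        String callerCompany = ((CompanyUser) authentication.getPrincipal()).getCompany();

        Object[] args = ((MethodInvocation) object).getArguments();
        for (int i = 0; i < args.length; i++) {
            if (args[i] instanceof CustomerAccount) { // hypothetical domain object
                CustomerAccount account = (CustomerAccount) args[i];
                return callerCompany.equals(account.getCreatedByCompany())
                    ? ACCESS_GRANTED : ACCESS_DENIED;
            }
        }
        // An NS_ rule is configured but nothing in the call can be checked: fail closed
        return ACCESS_DENIED;
    }
}

// --- RoleAndNamespaceDecisionManager.java ---
// Combining rule: every RoleVoter that does not abstain must grant (a role denial
// is always fatal), and at least one RoleVoter must actually have granted, so a
// method that lacks a ROLE_ attribute is denied. Among the remaining voters at
// least one grant is required; their explicit denials are not vetoes, which is
// the "just one of the others" behaviour asked for.
public class RoleAndNamespaceDecisionManager extends AbstractAccessDecisionManager {
    public void decide(Authentication authentication, Object object,
                       ConfigAttributeDefinition config) throws AccessDeniedException {
        int roleGrants = 0;
        int namespaceGrants = 0;
        int nonAbstaining = 0;
        for (Iterator it = getDecisionVoters().iterator(); it.hasNext();) {
            AccessDecisionVoter voter = (AccessDecisionVoter) it.next();
            int result = voter.vote(authentication, object, config);
            if (result == AccessDecisionVoter.ACCESS_ABSTAIN) {
                continue;
            }
            nonAbstaining++;
            if (voter instanceof RoleVoter) {
                if (result == AccessDecisionVoter.ACCESS_DENIED) {
                    throw new AccessDeniedException("Access is denied: required role missing");
                }
                roleGrants++;
            } else if (result == AccessDecisionVoter.ACCESS_GRANTED) {
                namespaceGrants++;
            }
        }
        if (nonAbstaining == 0) {
            // Everyone abstained: honour the allowIfAllAbstainDecisions setting
            checkAllowIfAllAbstainDecisions();
            return;
        }
        if (roleGrants == 0 || namespaceGrants == 0) {
            throw new AccessDeniedException("Access is denied: role and data-slice checks must both pass");
        }
    }
}
```

To wire this in, replace `org.acegisecurity.vote.UnanimousBased` in the `accessDecisionManager` bean with `my.custom.RoleAndNamespaceDecisionManager` and list the `RoleVoter` and one or more `NamespaceVoter` beans under `decisionVoters`; a secured method then carries both kinds of attribute, for example `ROLE_ACCOUNT_MODIFY,NS_CUSTOMER`. If a denial from any namespace voter should veto the call instead of merely not counting as a grant, treat `ACCESS_DENIED` from a non-role voter the same way the role branch does.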


    • #3
      2 years later, find anything useful?
