  • defining custom authorities...

    This is probably a newbie question, but I can't seem to figure out how to define my own names for granted authorities. In the following bean definition, where does the role name ROLE_USER come from? Is there a predefined list of possible roles somewhere? I tried replacing it with just 'user', but my webapp wouldn't even deploy.

    Thanks,
    Brian Kuhn


    Code:
    <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager"><ref local="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
        <property name="objectDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /secure/**=ROLE_USER
            </value>
        </property>
    </bean>

  • #2
    Your AuthenticationManager is responsible for defining the Authentication, which includes the GrantedAuthority[]s.

    Most people use DaoAuthenticationProvider, which delegates to an AuthenticationDao. The latter populates a UserDetails object (typically User) which contains the granted authorities.

    Alternatively, you can use the in-memory AuthenticationDao or the JdbcDaoImpl. The former obtains the granted authorities from the IoC container (as typically defined in the XML file), and the latter from a dedicated database table.



    • #3
      Thanks Ben. I think you may have misunderstood my question though. I've implemented my AuthenticationDao, and it works fine. I'm trying to understand why my role names have to be converted to "ROLE_" + role.toUpperCase() as in the following example:

      Code:
      package com.briankuhn.webapp.web.acegisecurity;
      
      import com.briankuhn.webapp.data.value.Account;
      import com.briankuhn.webapp.data.access.AccountDAO;
      import ...
      // Acegi classes referenced below (the remaining imports were elided in the post)
      import net.sf.acegisecurity.GrantedAuthority;
      import net.sf.acegisecurity.GrantedAuthorityImpl;
      import net.sf.acegisecurity.UserDetails;
      import net.sf.acegisecurity.providers.dao.AuthenticationDao;
      import net.sf.acegisecurity.providers.dao.User;
      
      public class AccountAuthenticationDAO implements AuthenticationDao {
          
          private AccountDAO accountDAO = null;
          
          public void setAccountDAO(AccountDAO accountDAO) {
              this.accountDAO = accountDAO;
          }
          
          public UserDetails loadUserByUsername(String username) {
              
              UserDetails userDetails = null;
              if (this.accountDAO != null) {
                  
                  Account account = this.accountDAO.get(username);
                  if (account != null) {
                      
                      // Map the database role name (e.g. "user") onto the
                      // "ROLE_" naming that RoleVoter looks for by default.
                      String role = account.getRole();
                      if (role == null) {
                          role = "";
                      }
                      else {
                          role = "ROLE_" + role.toUpperCase();
                      }
                      
                      // A single granted authority per account
                      GrantedAuthority[] authorities =
                              new GrantedAuthority[] {new GrantedAuthorityImpl(role)};
                      
                      // Arguments: username, password, enabled flag, authorities
                      userDetails = new User(account.getEmailAddress(),
                                             account.getPassword(),
                                             true,
                                             authorities);
                  }
              }
              
              return userDetails;
          }
      }
      I'd rather use the roles already defined in my db (admin/user) and have a filterInvocationInterceptor configuration like this:

      Code:
      <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
          <property name="authenticationManager"><ref local="authenticationManager"/></property>
          <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
          <property name="objectDefinitionSource">
              <value>
                  CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                  PATTERN_TYPE_APACHE_ANT
                  /secure/admin/**=admin
                  /secure/**=user
              </value>
          </property>
      </bean>
      Am I missing the point?



      • #4
        Typically an AccessDecisionVoter will look for specific configuration attributes, so it knows when to fire. Thus if you've got a RoleVoter and say a BasicAclEntryVoter, both won't vote on exactly the same access decision.

        By default RoleVoter only votes on configuration attributes starting with ROLE_ (case sensitive). You can call its setRolePrefix(String rolePrefix) method with an empty String to cause it to vote on every configuration attribute, thus matching your database. Although if it were me I'd probably change my AuthenticationDao to prepend ROLE_ to each GrantedAuthority, thus allowing different voters to distinguish and retaining the default behaviour and configuration of the security framework as much as possible.

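To make the abstain-versus-grant behaviour concrete, here is an added example (not code from this thread or from Acegi's own sources) that drives a real Acegi RoleVoter with the two naming schemes discussed above; it assumes the net.sf.acegisecurity 0.x API used in the thread and a constructed user "brian".

```java
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.ConfigAttributeDefinition;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.GrantedAuthorityImpl;
import net.sf.acegisecurity.SecurityConfig;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import net.sf.acegisecurity.vote.AccessDecisionVoter;
import net.sf.acegisecurity.vote.RoleVoter;

// Added demonstration (not from the thread): how RoleVoter's rolePrefix decides
// whether a configuration attribute such as "user" is voted on at all.
public class RolePrefixDemo {
    // Build an Authentication holding exactly the given authority names
    // (the strings an AuthenticationDao would put into its UserDetails).
    static Authentication authenticatedWith(String[] roles) {
        GrantedAuthority[] authorities = new GrantedAuthority[roles.length];
        for (int i = 0; i < roles.length; i++) {
            authorities[i] = new GrantedAuthorityImpl(roles[i]);
        }
        return new UsernamePasswordAuthenticationToken("brian", "secret", authorities);
    }

    // One configuration attribute, as parsed from a line like "/secure/**=user".
    static ConfigAttributeDefinition attribute(String name) {
        ConfigAttributeDefinition def = new ConfigAttributeDefinition();
        def.addConfigAttribute(new SecurityConfig(name));
        return def;
    }

    static String describe(int vote) {
        if (vote == AccessDecisionVoter.ACCESS_GRANTED) return "GRANTED";
        if (vote == AccessDecisionVoter.ACCESS_DENIED) return "DENIED";
        return "ABSTAIN";
    }

    public static void main(String[] args) {
        RoleVoter defaultVoter = new RoleVoter();      // rolePrefix is "ROLE_"
        RoleVoter noPrefixVoter = new RoleVoter();
        noPrefixVoter.setRolePrefix("");               // votes on every attribute
        Authentication dbNames = authenticatedWith(new String[] {"user"});
        Authentication prefixed = authenticatedWith(new String[] {"ROLE_USER"});

        // RoleVoter ignores the secured object, so null is passed for it.
        // Default prefix with attribute "user": the voter abstains, and an
        // AffirmativeBased manager with no other voter then denies access.
        System.out.println(describe(defaultVoter.vote(dbNames, null, attribute("user"))));
        // Default prefix with "ROLE_USER" on both sides: granted.
        System.out.println(describe(defaultVoter.vote(prefixed, null, attribute("ROLE_USER"))));
        // Empty prefix: the raw database name "user" is now voted on and granted.
        System.out.println(describe(noPrefixVoter.vote(dbNames, null, attribute("user"))));
    }
}
```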
