  • Multiple Roles with OR (instead of AND) ?

    Hello,

    It seems that when I specify multiple roles:

    Code:
    /confirm.*=ROLE_ahewaUser,ROLE_eHawaiiSubscriber
    that both roles are required by the user for access. Is this true?

    And if so, how would I specify that either role is sufficient?

    Thanks very much!
    Seth

  • #2
    Quoting http://acegisecurity.sourceforge.net...ision-managers:

    There are three concrete AccessDecisionManagers provided with the Acegi Security System for Spring that tally the votes. The ConsensusBased implementation will grant or deny access based on the consensus of non-abstain votes. Properties are provided to control behavior in the event of an equality of votes or if all votes are abstain. The AffirmativeBased implementation will grant access if one or more ACCESS_GRANTED votes were received (ie a deny vote will be ignored, provided there was at least one grant vote). Like the ConsensusBased implementation, there is a parameter that controls the behavior if all voters abstain. The UnanimousBased provider expects unanimous ACCESS_GRANTED votes in order to grant access, ignoring abstains. It will deny access if there is any ACCESS_DENIED vote. Like the other implementations, there is a parameter that controls the behaviour if all voters abstain.



    • #3
      Ben,

      Thanks for the quote. I at first thought that was what I wanted. I then looked at the code for RoleVoter:

      Code:
                      // Attempt to find a matching granted authority
                      for (int i = 0; i < authentication.getAuthorities().length; i++) {
                          if (attribute.getAttribute().equals(authentication.getAuthorities()[i].getAuthority())) {
                              return ACCESS_GRANTED;
                          }
                      }
      I was interpreting that as "if I find at least one matching Role, return ACCESS_GRANTED".

      I only have one RoleVoter in the system. I will try changing the strategies as you have mentioned.

      Can you explain the relationship between the number of roles specified, the code above, and the strategies you quoted?

      Thanks very much,
      Seth



      • #4
        Watch out for method level permissions

        If things don't act as expected, you may need to look elsewhere. I once made the silly mistake of thinking I had my role voters screwed, when in fact I was just forgetting to fix my method level permissions.



        • #5
          Ben, all,

          I changed to using AffirmativeBased role voter. This did the trick where I wanted to have "At Least One Role Valid" scheme.

          Is it possible to specify the roles needed on a per resource basis? I think it would be nice to have this type of configuration:

          /some/uri.html=ROLE_foo||ROLE_bar
          /another.html=ROLE_foo&&ROLE_bar
          /or/even.html=(ROLE_foo||ROLE_bar)&&ROLE_manager

          What do you think? I know Spring has some nice Rules classes coming out of sandbox soon that might help here.

          If there is consensus this is A Good Thing, I will send in the patches.

          Thanks very much,
          Seth

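          A small model of how a single RoleVoter interacts with the AffirmativeBased and UnanimousBased managers from #2 and #3, and why switching to AffirmativeBased gives the "at least one role" result reported in #5. This is an added example, not Acegi's code; it assumes (as in later Spring Security, which the thread does not state) that UnanimousBased votes on each config attribute separately, and the rule and user roles are constructed from the thread's example.

```python
# Model of Acegi's RoleVoter and two AccessDecisionManagers (added example, not Acegi code).
ACCESS_GRANTED, ACCESS_ABSTAIN, ACCESS_DENIED = 1, 0, -1

def role_voter(granted, attributes, prefix="ROLE_"):
    """Vote as the quoted RoleVoter loop does: ACCESS_GRANTED on the first supported
    attribute the user holds, ACCESS_DENIED if supported attributes exist but none
    match, ACCESS_ABSTAIN if no attribute carries the prefix."""
    result = ACCESS_ABSTAIN
    for attr in attributes:
        if attr.startswith(prefix):
            result = ACCESS_DENIED
            if attr in granted:
                return ACCESS_GRANTED
    return result

def affirmative_based(voters, granted, attributes, allow_if_all_abstain=False):
    """Grant if any voter grants on the whole attribute list; deny votes are ignored."""
    votes = [v(granted, attributes) for v in voters]
    if ACCESS_GRANTED in votes:
        return True
    if ACCESS_DENIED in votes:
        return False
    return allow_if_all_abstain

def unanimous_based(voters, granted, attributes, allow_if_all_abstain=False):
    """Deny on any ACCESS_DENIED. Assumption (per-attribute voting, as in later
    Spring Security): each attribute is voted on alone, so every ROLE_ must match."""
    grants = 0
    for attr in attributes:
        for v in voters:
            vote = v(granted, [attr])
            if vote == ACCESS_DENIED:
                return False
            if vote == ACCESS_GRANTED:
                grants += 1
    return grants > 0 or allow_if_all_abstain

def parse_rule(line):
    """'/confirm.*=ROLE_a,ROLE_b' -> ('/confirm.*', ['ROLE_a', 'ROLE_b'])."""
    pattern, _, attrs = line.partition("=")
    return pattern.strip(), [a.strip() for a in attrs.split(",") if a.strip()]

# Constructed sample: the thread's rule, and users holding one or both of its roles.
RULE = "/confirm.*=ROLE_ahewaUser,ROLE_eHawaiiSubscriber"
ONE_ROLE = {"ROLE_ahewaUser"}
BOTH_ROLES = {"ROLE_ahewaUser", "ROLE_eHawaiiSubscriber"}

def decide(manager, granted):
    """Run the rule's attributes through one RoleVoter under the given manager."""
    _, attrs = parse_rule(RULE)
    return manager([role_voter], granted, attrs)
```

With one RoleVoter, `decide(affirmative_based, ONE_ROLE)` grants while `decide(unanimous_based, ONE_ROLE)` denies, which is the AND-versus-OR difference the original question describes.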


          • #6
            I am pleased you used AffirmativeBased and it sorted out your main issue.

            Your proposed ConditionalRoleVoter (or whatever you would like to call it) would work fine. So long as the ConditionalRoleVoter can identify the config attributes it is responsible for servicing, there shouldn't be a problem. You'll probably need to prefix them to assist. eg:

            Code:
            /foo.html=CONDITIONAL_ROLES(FOO && BAR || MANAGER),SOME_OTHER_ATTRIBUTE
            A more sophisticated approach would be to somehow do it at the AccessDecisionManager level. The issue is you'd need to ensure ConfigAttributes remain independent, as each ConfigAttribute would potentially be serviced by its own AccessDecisionVoter (or RunAsManager or AfterInvocationManager for that matter). An example approach might be:

            Code:
            /foo.html=ROLE_FOO,CONDITION_AND,ROLE_BAR,CONDITION_OR,ROLE_MANAGER,SOME_OTHER_ATTRIBUTE
            /fo2.html=BRACE_LEFT,ROLE_FOO,CONDITION_AND,ROLE_BAR,BRACE_RIGHT,CONDITION_OR,ROLE_MANAGER,SOME_OTHER_ATTRIBUTE
