  • Authorisation using runtime data.

    I have just been introduced to Acegi and find it a wonderful extension to the Spring framework. Well done.

    I would like to know if Acegi can be used to authorise a particular business method not only by the authenticated roles the logged in user has but also by other application defined runtime data?

    For example.

    Suppose we have a Business Object called Order which includes an association to one or more Party objects which represent the Parties that have had something to do with the Order, i.e. CreatedBY, LastModifiedBy, Supplier Contact etc. We want the method DeleteOrder to only allow the order to be deleted if the logged in user has ROLE_BUYER and is the same as the CreatedBYUser Party for the order or has ROLE_BUYER_ADMIN.

    I would also like to know if this type of business rule could be easily and efficiently made dynamic i.e. Read in at runtime from a database or external file.

    Kind Regards
    Tony De Keizer

  • #2
    You could use a custom AccessDecisionVoter to query the domain object being passed to your services layer deleteOrder(Order) method. Alternatively and preferably, you would use the ACL capabilities to manage the authorization - it was especially designed for this sort of use case.


    • #3
      This almost sounds like the same thing I'm attempting to do.

      I'm new to Acegi Security and I'm evaluating how it works and at the moment I'm not finding a way to declare method-level security with differing parameters. Is this possible with Acegi Security? To attempt to make my question clearer, here is an XML snippet of what I'm attempting:

      <property name="objectDefinitionSource">
        <value>
          com.example.Service.createAccount(AccountType.BUSINESS)=ROLE_SUPER_USER
          com.example.Service.createAccount(AccountType.CONSUMER)=ROLE_USER
        </value>
      </property>

      I've got the same method which allows for different parameters. I don't want a principal with a ROLE_USER authority to access the method if they attempt to create a business account with the following method call:

      com.example.Service.createAccount(AccountType.BUSINESS)

      From responses on the acegisecurity-developer mailing list it is beginning to look like I should implement my own AccessDecisionVoter or are you really talking about using BasicAclEntryVoter to perform this type of work?



      • #4
        Already discussed in dev list (to benefit archives):


        • #5
          Thanks, that corroborates the direction is the recommended approach. I'm working on such a "Voter" class and I think it will work.
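
The custom AccessDecisionVoter suggested in reply #2, applied to the deleteOrder rule from the first post, as an added example that is not code from the thread or from the Acegi project. It assumes the Acegi 1.0.x package name `org.acegisecurity` (earlier releases used `net.sf.acegisecurity`); the `Order` interface, its `getCreatedByUsername()` accessor and the `ORDER_DELETE` config attribute are hypothetical names.

```java
import java.util.Iterator;
import org.acegisecurity.Authentication;
import org.acegisecurity.ConfigAttribute;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.vote.AccessDecisionVoter;
import org.aopalliance.intercept.MethodInvocation;

/** Added example: votes on deleteOrder(Order) using the Order argument itself. */
public class OrderDeleteVoter implements AccessDecisionVoter {

    /** Hypothetical stand-in for the thread's Order business object. */
    public interface Order { String getCreatedByUsername(); }

    // Hypothetical attribute configured on deleteOrder in objectDefinitionSource.
    private static final String ATTRIBUTE = "ORDER_DELETE";

    public boolean supports(ConfigAttribute a) { return ATTRIBUTE.equals(a.getAttribute()); }

    public boolean supports(Class c) { return MethodInvocation.class.isAssignableFrom(c); }

    public int vote(Authentication auth, Object object, ConfigAttributeDefinition config) {
        boolean applies = false;
        for (Iterator it = config.getConfigAttributes(); it.hasNext();) {
            if (supports((ConfigAttribute) it.next())) { applies = true; }
        }
        if (!applies) { return ACCESS_ABSTAIN; }   // not our method: leave it to other voters
        if (hasRole(auth, "ROLE_BUYER_ADMIN")) { return ACCESS_GRANTED; }
        Object[] args = ((MethodInvocation) object).getArguments();
        for (int i = 0; i < args.length; i++) {
            if (args[i] instanceof Order) {
                // Runtime data: compare the order's creator with the logged in user.
                String creator = ((Order) args[i]).getCreatedByUsername();
                boolean owner = creator != null && creator.equals(auth.getName());
                return (owner && hasRole(auth, "ROLE_BUYER")) ? ACCESS_GRANTED : ACCESS_DENIED;
            }
        }
        return ACCESS_DENIED;   // fail closed: no Order argument to check
    }

    private static boolean hasRole(Authentication auth, String role) {
        GrantedAuthority[] held = auth.getAuthorities();
        for (int i = 0; held != null && i < held.length; i++) {
            if (role.equals(held[i].getAuthority())) { return true; }
        }
        return false;
    }
}
```

The voter trusts the creator recorded on the Order instance it is handed, so the services layer should pass an Order loaded from the persistent store rather than one populated from request data.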