security:authorize tag and decision voters
This topic is closed

  • security:authorize tag and decision voters

    I would like to use some Spring Security tags in my JSPs to conditionally present a user with links to various actions on an object. I don't like the ACL idea just yet, and was hoping to solve it with a custom decision voter. From looking at the overhead of making JDBC calls for every object I want to display, I think it's overkill.

    My users will have general roles: ROLE_AUTH, ROLE_ADMIN. But they will also be part of a group (business unit). The objects these users will be accessing belong to some business unit. So users belonging to a particular group will have read/write access to the object.

    Example: user_1 has UserDetails, containing information about which groups he belongs to and all the roles he can perform on behalf of those groups:
    groupId 2 - ROLE_MANAGER.
    groupId 7 - ROLE_FACILITATOR,ROLE_ADMIN
    groupId 11 - ROLE_CUTOM_ROLE1

    The business object they are trying to access has a simple groupId field. So it's a matter of comparing businessObject.getGroupId() to the list of groups this user belongs to.

    I know that if I put in a simple URL intercept I can get my custom decision voter to look at the Authentication object, URL, and configs.

    But how do I call a custom voter with the <security:authorize/> tag? I would basically want to pass the Authentication, the object, and a role list.

  • #2
    Looks like I have to create my own tag; model it after:
    Code:
    org.springframework.security.taglibs.authz.AuthorizeTag
    Code:
    public int doStartTag() throws JspException {
        // Skip the tag body when the current user is not authorized for obj
        if (youHaveNoAuthToThis(obj)) {
            return Tag.SKIP_BODY;
        }
        // Otherwise render the tag body
        return Tag.EVAL_BODY_INCLUDE;
    }

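One way to write the tag described in #2, added here as an example (not code from the thread or from Spring Security). `GroupAuthorizeTag`, `GroupOwned`, `GroupRoleHolder` and the `domainObject`/`roles` attributes are hypothetical names; the imports assume Spring Security 3.x or later package names and the `javax.servlet.jsp` API.

```java
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.jsp.tagext.Tag;
import javax.servlet.jsp.tagext.TagSupport;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical tag: renders its body only if the user holds one of the
 *  listed roles in the group that owns the domain object. */
public class GroupAuthorizeTag extends TagSupport {

    /** Assumed shape of the business object (the thread only says it has a groupId). */
    public interface GroupOwned { Integer getGroupId(); }

    /** Assumed view of the custom UserDetails: groupId -> roles held for that group. */
    public interface GroupRoleHolder { Map<Integer, Set<String>> getGroupRoles(); }

    private Object domainObject;   // JSP attribute "domainObject"
    private String roles;          // JSP attribute "roles", comma-separated

    public void setDomainObject(Object o) { this.domainObject = o; }
    public void setRoles(String roles) { this.roles = roles; }

    @Override
    public int doStartTag() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return isAllowed(auth, domainObject, roles) ? Tag.EVAL_BODY_INCLUDE : Tag.SKIP_BODY;
    }

    /** Fails closed: any missing or unexpected input means "not allowed". */
    static boolean isAllowed(Authentication auth, Object obj, String roleList) {
        if (auth == null || !auth.isAuthenticated() || roleList == null) return false;
        if (!(obj instanceof GroupOwned) || !(auth.getPrincipal() instanceof GroupRoleHolder)) return false;
        Integer groupId = ((GroupOwned) obj).getGroupId();
        Map<Integer, Set<String>> byGroup = ((GroupRoleHolder) auth.getPrincipal()).getGroupRoles();
        Set<String> held = (groupId == null || byGroup == null) ? null : byGroup.get(groupId);
        if (held == null) return false;            // user is not in the object's group
        Set<String> wanted = new HashSet<String>();
        for (String r : roleList.split(",")) wanted.add(r.trim());
        wanted.retainAll(held);                    // roles both requested and held
        return !wanted.isEmpty();
    }

    @Override                                      // tag handlers are pooled: clear state
    public void release() { domainObject = null; roles = null; super.release(); }
}
```

The group lookup reads only the already-loaded principal, so no JDBC call is made per rendered object. Hiding a link in the JSP affects presentation only; the controller or service that handles the action needs the same group check.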