  • Complex ACL problem -- solution requested

    I think that I have an interesting problem compared to all other ACL solutions. I am hoping that someone can help me see the "light" without too much code modification.

    Description of problem:
    - I have a tree that shows a hierarchy of the domain objects in my system.
    Code:
     
    ROOT
      |----Customer A
              |----Directory B
                      |----Site C
                              |----Control System D
                              |----Control System D2
                      |----Site C2
    
      |----Customer B
              |----Directory E
                      |----Site F
                             |---etc.
    - This is an ASP application, so a customer won't be able to see other customers. However, internally, we should be able to see all customers and set up our own hierarchy of users, roles, permissions.

    - A typical customer user would be a user admin, corporate guy, contractor, technician. The admin and corporate guy are allowed to restrict access to certain sites or control systems within the customer's domain. A technician might be restricted to only one site.

    - There should be a user manager that allows the customer to set up groups and assign permissions (restrictions) to this group. He might say Contractor group A can only see Directory B, etc.

    I have been trying to figure out how to use the ACL to really configure this problem. However, every time I run into this issue that I have to literally copy my entire list of objects into the ACL database. This is a bear when trying to synchronize the actual tree database with the ACL one when the customer adds or deletes these nodes.

    - How can I easily with one entry in the ACL restrict a technician?
    - How can I declare a role to have read access to all but only restrict certain principals to certain directories?
    - How can I assign permissions to groups of users?

    I have an example of setup that I don't like at all (am I on the correct path?)

    Code:
    <value>INSERT INTO acl_object_identity VALUES (1, 'com.ersus.serverside.apps.proview.model.Customer:ROOT', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry')</value>
    <value>INSERT INTO acl_object_identity VALUES (2, 'com.ersus.serverside.apps.proview.model.Customer:3', 1, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry')</value>
    <value>INSERT INTO acl_object_identity VALUES (3, 'com.ersus.serverside.apps.proview.model.Customer:6', 1, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry')</value>
    <value>INSERT INTO acl_object_identity VALUES (4, 'com.ersus.serverside.apps.proview.model.Customer:14', 1, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry')</value>
    <value>INSERT INTO acl_object_identity VALUES (5, 'com.ersus.serverside.apps.proview.model.Customer:60', 1, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry')</value>
    <value>INSERT INTO acl_object_identity VALUES (6, 'com.ersus.serverside.apps.proview.model.Site:12873', 2, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry')</value>
    <value>INSERT INTO acl_object_identity VALUES (7, 'com.ersus.serverside.apps.proview.model.Site:2556', 3, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry')</value>
    <value>INSERT INTO acl_object_identity VALUES (8, 'com.ersus.serverside.apps.proview.model.Site:12871', 3, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry')</value>
    <value>INSERT INTO acl_object_identity VALUES (9, 'com.ersus.serverside.apps.proview.model.Site:12870', 5, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry')</value>
    <value>INSERT INTO acl_object_identity VALUES (10, 'com.ersus.serverside.apps.proview.model.Site:12872', 4, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry')</value>
    <value>INSERT INTO acl_object_identity VALUES (11, 'com.ersus.serverside.apps.proview.model.Controller:127', 6, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry')</value>
    <value>INSERT INTO acl_permission VALUES (null, 1, 'ROLE_USER', 2)</value>
    <value>INSERT INTO acl_permission VALUES (null, 1, 'ROLE_ADMIN', 1)</value>
    <value>INSERT INTO acl_permission VALUES (null, 2, 'technician', 2)</value>
    <value>INSERT INTO acl_permission VALUES (null, 6, 'technician', 2)</value>
    <value>INSERT INTO acl_permission VALUES (null, 11, 'technician', 2)</value>
    Notice that I am having to declare the path of the technician all the way up the tree. Why can't I just declare his permission at 11? The child-parent hierarchy is already declared in the object identity db.

    Also, I would like to be able to say that ROLE_USER has access to Site:* so that I don't have to create an entry for each site in the system. There will eventually be in excess of 20,000 sites in this system.

    I am restricting access to the collections returned by the tree manager:
    Code:
    <bean id="componentInstanceSecurity" class="net.sf.acegisecurity.intercept.method.aspectj.AspectJSecurityInterceptor">
        <property name="validateConfigAttributes"><value>true</value></property>
        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref local="businessAccessDecisionManager"/></property>
        <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
        <property name="objectDefinitionSource">
            <value>
                com.ersus.serverside.apps.proview.model.Customer.get*=ROLE_USER,AFTER_ACL_COLLECTION_READ
                com.ersus.serverside.apps.proview.model.Site.get*=ROLE_USER,AFTER_ACL_COLLECTION_READ
                com.ersus.serverside.apps.proview.model.Controller.get*=ROLE_USER,AFTER_ACL_COLLECTION_READ
            </value>
        </property>
    </bean>

  • #2
    Re: Complex ACL problem -- solution requested

    Originally posted by ozzieg
    - How can I easily with one entry in the ACL restrict a technician?
    You need to find a common parent in the acl_object_identity, and assign permissions to that common parent. Without reading your sample data too closely, it would seem you might be able to use the "Directory" entity, as it would cover all "Sites".
    Originally posted by ozzieg
    - How can I declare a role to have read access to all but only restrict certain principals to certain directories?
    Each Customer presumably has a customer-specific GrantedAuthority. You'd assign that customer-specific GrantedAuthority to the "Customer" level of your hierarchy.
    Originally posted by ozzieg
    - How can I assign permissions to groups of users?
    Mostly groups are handled at the AuthenticationDao layer by populating the UserDetails with the GrantedAuthority[]s assigned to individual groups. Thus groups are a database concept, hidden away from Acegi Security. I would suggest a 1:1 mapping between group names and role names that represent the group, and assign the latter permissions at the appropriate level of your ACL hierarchy.

    Good luck.
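    The parent-chain resolution Ben describes, as an added illustration that is not code from this thread or from Acegi Security: it models the acl_object_identity / acl_permission rows from the first post (same ids, parent links and SimpleAclEntry mask values), grants "technician" once at the Customer level instead of at objects 2, 6 and 11, and adds a constructed customer-defined group ("contractor_group_a") whose explicit entry on one Site overrides the grant it inherits from its Customer. The rule assumed here is the nearest entry up the chain wins and an object with no entry anywhere in its chain is not granted.

```python
"""Walk acl_object_identity parents to resolve a recipient's effective mask."""
from typing import Optional

# SimpleAclEntry mask bits as used in the post (READ = 2, ADMINISTRATION = 1).
NOTHING, ADMINISTRATION, READ, WRITE, CREATE, DELETE = 0, 1, 2, 4, 8, 16

# acl_object_identity rows from the post: id -> (identity, parent id).
OBJECT_IDENTITY = {
    1: ("Customer:ROOT", None),
    2: ("Customer:3", 1),
    3: ("Customer:6", 1),
    6: ("Site:12873", 2),
    7: ("Site:2556", 3),
    11: ("Controller:127", 6),
}

# acl_permission rows: (object id, recipient, mask). "technician" is granted
# once at Customer:3; the contractor rows are constructed for this example.
PERMISSIONS = [
    (1, "ROLE_USER", READ),             # covers every Site/Controller via ROOT
    (1, "ROLE_ADMIN", ADMINISTRATION),
    (2, "technician", READ),            # inherited by Site:12873 and Controller:127
    (3, "contractor_group_a", READ),    # customer-created group, granted at Customer:6
    (7, "contractor_group_a", NOTHING), # explicit override: hide Site:2556 from the group
]


def effective_mask(object_id: int, recipient: str) -> Optional[int]:
    """Nearest entry for recipient on the path object_id -> ROOT wins."""
    current: Optional[int] = object_id
    while current is not None:
        for oid, who, mask in PERMISSIONS:
            if oid == current and who == recipient:
                return mask
        current = OBJECT_IDENTITY[current][1]   # climb to the parent
    return None  # no entry anywhere in the chain: nothing granted


def can_read(object_id: int, authorities: list) -> bool:
    """True if any GrantedAuthority held by the principal resolves to READ."""
    return any((effective_mask(object_id, a) or 0) & READ for a in authorities)
```

    With the technician entry at object 2 only, the rows at 6 and 11 from the post become redundant, and a technician for Customer:3 still resolves to nothing on Customer:6's sites because the chains never meet below ROOT.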



    • #3
      Re: Complex ACL problem -- solution requested

      Originally posted by Ben Alex
      Originally posted by ozzieg
      - How can I easily with one entry in the ACL restrict a technician?
      You need to find a common parent in the acl_object_identity, and assign permissions to that common parent. Without reading your sample data too closely, it would seem you might be able to use the "Directory" entity, as it would cover all "Sites".
      There will be dozens of directories created by the customer which might contain the same sites. So, what is the common parent, then? Customer? How does this really solve my problem if I don't have the entire tree in the ACL list?
      Originally posted by Ben Alex
      Originally posted by ozzieg
      - How can I declare a role to have read access to all but only restrict certain principals to certain directories?
      Each Customer presumably has a customer-specific GrantedAuthority. You'd assign that customer-specific GrantedAuthority to the "Customer" level of your hierarchy.
      Yea, but the customer will be the one to create it. The application needs to allow customers to create groups (or roles) and assign different permissions to them. The application will have the base roles, but the customer needs to be able to customize these permissions via the ACL somehow. How is that accomplished?
      Originally posted by Ben Alex
      Originally posted by ozzieg
      - How can I assign permissions to groups of users?
      Mostly groups are handled at the AuthenticationDao layer by populating the UserDetails with the GrantedAuthority[]s assigned to individual groups. Thus groups are a database concept, hidden away from Acegi Security. I would suggest a 1:1 mapping between group names and role names that represent the group, and assign the latter permissions at the appropriate level of your ACL hierarchy.
      What do you mean by 1:1 mapping? The customer is the one controlling the creation of groups.



      • #4
        resolution?

        Hey, I don't know if anyone's still paying attention to this thread, but I'd love to hear a bit about how this was resolved or any further ideas. Facing a similar situation on a project I'm on.
