  • Dynamic role names and dynamic URLs

    Hello,

    I would like to ask what would be the best way to secure an application:

    There can be many customers who get a URL,

    for example:
    /app/{customer_alias}/invoices
    /app/{customer_alias}/tickets
    /app/{customer_alias}/users

    Each customer can have multiple users with one of two authorities:
    ROLE_{customer_alias}_ADMIN
    ROLE_{customer_alias}_USER

    It is possible that one user has access to more than one customer.
    For example, user1ass has the authorities:
    ROLE_CUST_AAA_ADMIN
    ROLE_CUST_BBB_USER
    ROLE_CUST_CCC_ADMIN

    What would be the easiest way to achieve something like this in Spring Security 3.03?

    Thanks
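
The scheme described in the post above, as an added example that is not part of the original thread: a deny-by-default check that derives the required authority from the `/app/{customer_alias}/...` path and compares it with the authorities the caller holds. The class and method names are hypothetical, the alias character set and the rule that only a customer's admins may reach `/users` are assumptions, and it is plain Java, so wiring it into Spring Security is left to the application.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper: maps /app/{customer_alias}/... to ROLE_{customer_alias}_* checks. */
public class CustomerAccessCheck {

    // Assumption: aliases are upper-case letters, digits and underscores, as in CUST_AAA.
    // The strict pattern rejects "..", encoded characters and empty segments outright.
    private static final Pattern APP_PATH = Pattern.compile(
            "^/app/([A-Z0-9_]{1,32})/([a-z]+)(/[A-Za-z0-9_-]+)*$");

    /** Returns true only if the caller holds a role for the customer named in the path. */
    public static boolean isAllowed(String path, Collection<String> authorities) {
        Matcher m = APP_PATH.matcher(path);
        if (!m.matches()) {
            return false; // deny by default: unknown layout or malformed alias
        }
        String alias = m.group(1);
        String resource = m.group(2);
        String admin = "ROLE_" + alias + "_ADMIN";
        String user = "ROLE_" + alias + "_USER";
        // Assumption: only the customer's admins may manage its users.
        if ("users".equals(resource)) {
            return authorities.contains(admin);
        }
        return authorities.contains(admin) || authorities.contains(user);
    }

    public static void main(String[] args) {
        // Constructed sample: the authorities listed for user1ass in the post.
        Collection<String> held = Arrays.asList(
                "ROLE_CUST_AAA_ADMIN", "ROLE_CUST_BBB_USER", "ROLE_CUST_CCC_ADMIN");
        String[] paths = {
            "/app/CUST_AAA/users",               // admin of AAA
            "/app/CUST_BBB/invoices",            // plain user of BBB
            "/app/CUST_BBB/users",               // not an admin of BBB
            "/app/CUST_DDD/tickets",             // no role for DDD
            "/app/CUST_AAA/../CUST_DDD/tickets"  // ".." segment fails the pattern
        };
        for (String p : paths) {
            System.out.println(p + " -> " + (isAllowed(p, held) ? "allow" : "deny"));
        }
    }
}
```

Because the required role is computed per request from the path, new customers need no new URL rules, and a user holding roles for several customers is handled by the same lookup.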

  • #2
    I have a similar question. The app I'm working on is required to load the user roles from a database table. Unfortunately, this table is not named "Authorities", nor does it have a column named "authority". Also, there are 4 user roles, while Spring Security seems to "expect" 3 roles (aka "authorities").

    The solution I'm leaning towards is assigning Spring Security ROLE_ADMIN to all users who have successfully logged on, querying the database on the username for the "real" roles, and using the real roles to determine what to display and not to display.
    Last edited by PaoloValladolid; Sep 23rd, 2010, 03:18 PM.


    • #3
      Originally posted by PaoloValladolid
      I have a similar question. The app I'm working on is required to load the user roles from a database table. Unfortunately, this table is not named "Authorities", nor does it have a column named "authority". Also, there are 4 user roles, while Spring Security seems to "expect" 3 roles (aka "authorities").

      The solution I'm leaning towards is assigning Spring Security ROLE_ADMIN to all users who have successfully logged on, querying the database on the username for the "real" roles, and using the real roles to determine what to display and not to display.
      I met my needs more easily than anticipated. All I had to do was this:

      Excerpt of custom UserDetailsServiceImpl class (class AppUser is an @Entity with a @OneToMany relationship to UserRole, which is also an @Entity mapped to the USER_ROLE table):
      Code:
      Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
      for (UserRole role : myAppUser.getRoles()) {
          // Roles include Administrator, Senior Read-Write, etc.
          authorities.add(new GrantedAuthorityImpl(role.getRole().getDescription()));
      }
      In the jspx:
      Code:
      <security:authorize ifAnyGranted="Senior Read-Write,Read-Write,Administrator">
          <li><a href="${home_url}">Home</a></li>
          <li><a href="${item1_url}">Item 1</a></li>
          <li><a href="${item2_url}">Item 2</a></li>
          <security:authorize ifAllGranted="Administrator">
              <li><font color="white"><b>Administration</b></font>
                  <ul>
                      <li><a href="${query_users_url}">User Maintenance</a></li>
                      <li><a href="${vocab_Maint_url}">Vocabulary Maintenance</a></li>
                  </ul>
              </li>
          </security:authorize>
          <li><a href="${change_password_url}">Change My Password</a></li>
          <li><a href="${help_url}" target="help">Help</a></li>
          <li><a href="${logout_url}">Logout</a></li>
      </security:authorize>
