  • Check role in database on every call

    I need to check what kind of role a user has depending on what page should be loaded.

    A user should be able to create a "site" and set different roles on different users. I use the same kind of code to load the page on the different pages but give different approval on what to show depending on what role they have. So my question is: what class should I extend with this code? I have already extended UserDetailsService to fit my database design. But I have a hard time finding where roles are checked at runtime.

    I have found something about Attributes but I can't see if that is run at runtime or only when you log in. I have seen something about RoleVoter but haven't seen if that is what I should go for either.

    I hope this makes sense and you can point me in some kind of direction.

  • #2
    A user should be able to create a "site" and set different roles on different users.
    This is definitely an ACL. Check the Spring Security Reference regarding this. It isn't an easy task.

    If you prefer a simpler way (relative to the standard ACL implementation), try the Expression-Based Access Control. See it at

    It uses annotation access. You might wanna see a sample application at


    • #3
      I was looking at ACL but as you say it looks a little more complicated, so if I can avoid it I will, at least for some more days.

      I couldn't see that Expression-Based Access Control can handle what I need; maybe it will if I take a deeper look at it.

      I have been looking at making my own AccessDecisionVoter. The problem is I can't get the current session from Spring and the data from it, so I can't decide what site the user is at. If this is possible that would be one way to do it, I guess.

      I use Spring, Spring Security 3.0 and Hibernate, if that is of any help.

      Thx for all the help you guys give.


      • #4
        A user should be able to create a "site" and set different roles on different users.
        I'm not sure that this is definitely an ACL. Could you be a bit more specific about what the requirements are? It's not really clear from your original description...


        • #5
          I should try to clear some things up so you can help me out here.
          My DB is connected like this:

          User -1..m- SiteUser -m..1- Site, and then I have a table from SiteUser -1..m- Roles. This is the DB setup. Not the best, but I think it should work.

          The problem I have is that a specific user can have different roles on different sites, and you get the different site roles from the role table. So to know what roles a user has on a site I need to send in the user ID and the site ID and it should respond with all the GrantedAuthority roles. I need to do this check every time a user changes from one site to another.

          Is this possible without doing it via ACL? Is one way to do it to extend AccessDecisionVoter? The problem I have there is how I should get the CurrentInstance variable to know what site and user is doing the request. Another one is whether I can dig out all this info from Expression-Based Access Control, or if this is too complex to do via those expressions? It feels like it's too complicated to do it like that.

          I hope this helps to clear things up; otherwise I'll try to be even more precise.

          Thanks for all the help you put in this.


          • #6
            Do you have a clear workflow for switching sites? If so then you can just reload the authorities for the current user when you switch sites and make a note in the new Authentication object of which site they are currently authorised for.

            It's not clear how you work out what the current "site" is, but it's a bit like a multitenancy setup where a discriminator value of some kind is used. Presumably you'd need some way of obtaining the current site ID and checking that the user has officially switched to this site. An additional SiteVoter could compare the site ID with the current one the user is authorised for. A combination of that with a normal RoleVoter would then allow role-based access checks for the current site.


            • #7
              I think I understand what your suggestion is and I agree with it. The problem is I don't fully understand how I can get hold of the site ID; that is my key problem. And if I get it and it has changed, how do I force a reload of privileges?

              As front end I use Icefaces, in the middle I use Spring and obviously Spring Security, and Hibernate in the back. At the moment I only have 2 pages (one front and one admin page); it is a webcomic, so I display a certain comic and you have two navigation buttons to go back and forward. I control all the navigation stuff in one bean that keeps track of everything, and I have another bean for the admin page. On my comic page I will have suggestions for other webcomic sites, and it is when I press those that I need to reload privileges; also if I go to the admin page I need to reload them.

              I hope I haven't confused things any more now.


              • #8
                I think you need to know the site ID - how else do the requirements make sense? How will you enforce the roles that apply for a particular site if you don't know what the site is?

                You can create a new Authentication object, load the relevant roles/authorities and use it to replace the contents of the SecurityContext at any time while the user is logged in. So changing the privileges isn't such a problem.

                The problem seems to be the vague definition of what constitutes a site... Is it anything under a particular URL, does the user explicitly select what site they want to view, or what is it?
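The site switch from #6 and the SecurityContext replacement from #8 put together as an added example (not code from the thread or from Spring Security itself), written against the Spring Security 3.0 API the poster is on; `SiteRoleRepository`, the `SITE_CURRENT` config attribute and the `site` request parameter are assumptions, and `GrantedAuthorityImpl` is the 3.0 class (3.1 renamed it SimpleGrantedAuthority).

```java
import java.util.*;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.FilterInvocation;
/** Authentication that also records which site its authorities were loaded for. */
class SiteAuthentication extends UsernamePasswordAuthenticationToken {
    final long siteId;
    SiteAuthentication(Object principal, long siteId, Collection<GrantedAuthority> auths) {
        super(principal, null, auths); // this constructor marks the token as authenticated
        this.siteId = siteId;
    }
}

/** Hypothetical lookup over the SiteUser/Roles tables: role names for (username, siteId). */
interface SiteRoleRepository { List<String> rolesFor(String username, long siteId); }

/** Site switch: reload authorities for the new site and replace the Authentication in the context. */
class SiteSwitcher {
    private final SiteRoleRepository repo;
    SiteSwitcher(SiteRoleRepository repo) { this.repo = repo; }
    void switchTo(long siteId) {
        Authentication cur = SecurityContextHolder.getContext().getAuthentication();
        List<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();
        for (String role : repo.rolesFor(cur.getName(), siteId)) auths.add(new GrantedAuthorityImpl(role));
        // No SiteUser row for this site: refuse the switch instead of silently keeping the old roles.
        if (auths.isEmpty()) throw new AccessDeniedException("no roles on site " + siteId);
        SecurityContextHolder.getContext().setAuthentication(new SiteAuthentication(cur.getPrincipal(), siteId, auths));
    }
}
/** Votes on the SITE_CURRENT attribute: the requested site must be the one the user switched to. */
class SiteVoter implements AccessDecisionVoter {
    public boolean supports(ConfigAttribute a) { return "SITE_CURRENT".equals(a.getAttribute()); }
    public boolean supports(Class<?> clazz) { return FilterInvocation.class.isAssignableFrom(clazz); }
    public int vote(Authentication auth, Object object, Collection<ConfigAttribute> attrs) {
        boolean asked = false;
        for (ConfigAttribute a : attrs) asked |= supports(a);
        if (!asked) return ACCESS_ABSTAIN;                               // attribute not on this URL: leave it to RoleVoter
        if (!(auth instanceof SiteAuthentication)) return ACCESS_DENIED; // user has not switched to any site yet
        String site = ((FilterInvocation) object).getHttpRequest().getParameter("site"); // assumption: site id as request parameter
        return String.valueOf(((SiteAuthentication) auth).siteId).equals(site) ? ACCESS_GRANTED : ACCESS_DENIED;
    }
}
```

Register `SiteVoter` next to the normal `RoleVoter` in the `AccessDecisionManager` and tag site-scoped URLs with both `SITE_CURRENT` and the role attribute, so a request is only granted when the site matches and the user holds the role on that site.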