Dynamic Authorization

[xbit]

@litterat: I'm not sure who your reply was directed at but creating one role for each method would be pretty meaningless as one quickly would end up with hundreds of roles and a completely unmaintanable application...

Anyway, I solved my stack overflow problem by using a Hibernate interceptor instead of event listeners. The interceptor checks the domain object type on save/delete/insert and adds it to a set. If the Set is non-empty on flush the method definition map is reloaded from the database. See the Java Persistence with Hibernate book for a full example of extending EmptyInterceptor.

[berserkpi]

When I started to think on implementing a DB based ObjectDefinitionSource... I just was looking for an extension point for achieve this...

I mean, you did a great work but the match-method-logic isn't easy. I wonder if acegi must achieve this logic for us...

Why did you implement your own matching-logic?

[Cvele]

Hi,
Is it possible to make ROLE-METHOD mapping in a database table... For example:
<bean id="bankManagerSecurity" class="net.sf.acegisecurity.intercept.method.Metho dSecurityInterceptor">
...
<property name="objectDefinitionSource">
<value> net.sf.acegisecurity.context.BankManager.delete*=R OLE_SUPERVISOR,RUN_AS_SERVER
net.sf.acegisecurity.context.BankManager.getBalanc e=ROLE_TELLER,ROLE_SUPERVISOR,BANKSECURITY_CUSTOME R,RUN_AS_SERVER
</value>
</property>
</bean>
Can't we hold net.sf.acegisecurity.context.BankManager.delete* and roles that which were permitted to invoke it, in a database table...

We want to make such a thing because in our application 'Administrator' can create new roles at runtime and can map these roles to the methods...

[/b]

- nice thread.
just two question:
1. any idea how to implement automatic population of database (for example, in ServletContext listener) with those protected method ? So I want for my application to be able to somehow detect all of protected method and populate database table with them. I suppose there is need some kind of annotations, in order to parse all protected methods...

2. how to give some "symbolic" names for that methods, in order for admin to know what method does ? For example, for a method

net.sf.acegisecurity.context.BankManager.getBalanc e

I would to have the following symbolic name :
"Getting Balance for the.... Something"
Plus, imagine that I want to have those symbolic names in different languages...

[whyBish]

- nice thread.
2. how to give some "symbolic" names for that methods, in order for admin to know what method does ? For example, for a method

net.sf.acegisecurity.context.BankManager.getBalanc e

I would to have the following symbolic name :
"Getting Balance for the.... Something"
Plus, imagine that I want to have those symbolic names in different languages...

Assuming that you have javadoc'ed the methods I'd put urls to the javadoc in the database, but this would only solve the problem for the one language (the one the javadoc was done in). Maybe call an autotranslation service on that javadoc for other languages (e.g. babelfish?). But none of that really relates to Swing Security.