Mar 21st, 2011, 06:18 AM
Fetch custom authorities from database by operation name
Originally posted here.
I need to make a legacy application start using Spring Security 3.
This app already has its security data model. The following diagram illustrates:
Very simple by far. I can write my custom usersByUsernameQuery and authoritiesByUsernameQuery.
The thing is that there is another table indicating the operation (i.e. @Service layer method) that a Role can execute:
So the administrator can enable/disable a role from accessing an operation through a web interface, without redeploying the app.
I don't want (for now) to end up creating my own annotation, unless it is not possible with what we have out of the box.
I can still annotate the business methods with @Secured("ROLE_ADMIN") for example, but my custom UserDetailsService must know at least the method name that is being secured, so I can perform the right query. Is there any way?
Mar 22nd, 2011, 11:52 AM
I'm not sure I understand what you are trying to do, but it sounds a bit like ACLs. See the contacts sample application for an example of using permissions/acls.
Mar 22nd, 2011, 05:22 PM
It sounds a bit like ACLs indeed. But I've already implemented some security backgrounds that use ACLs, and I can say that ACLs are really too fine-grained for this case.
Originally Posted by rwinch
What I've ended up doing was treating the Operation table like it was a Roles table. Some tweaks in the default SQL queries and it works well. Soon I'll detail here what was done.