
Thread: Fetch custom authorities from database by operation name

  1. #1

    Fetch custom authorities from database by operation name

    Originally posted here.

    I need to make a legacy application start using Spring Security 3.
    This app already has its security data model. The following diagram illustrates:


    Very simple by far. I can write my custom usersByUsernameQuery and authoritiesByUsernameQuery.

    The thing is that there is another table indicating the operation (i.e. @Service layer method) that a Role can execute:



    So the administrator can enable/disable a role from accessing an operation through a web interface, without redeploying the app.

    I don't want (for now) to end up creating my own annotation, unless it is not possible with what we have out of the box.

    I can still annotate the business methods with @Secured("ROLE_ADMIN"), for example, but my custom UserDetailsService must know at least the name of the method that is being secured, so I can perform the right query. Is there any way?

  2. #2

    I'm not sure I understand what you are trying to do, but it sounds a bit like ACLs. See the contacts sample application for an example of using permissions/acls.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  3. #3


    Originally posted by rwinch:
    I'm not sure I understand what you are trying to do, but it sounds a bit like ACLs. See the contacts sample application for an example of using permissions/acls.
    It sounds a bit like ACLs indeed. But I've already implemented some security backgrounds that use ACLs, and I can say that ACLs are really too fine-grained for this case.
    What I've ended up doing was treating the Operation table like it was a Roles table. Some tweaks in the default SQL queries and it works well. Soon I'll detail here what was done.
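
The approach described in the last post (operation names loaded as authorities through a tweaked authorities query), as an added example that is not the poster's code. The schema, the `enabled` flag, the `OP_` names and the sample rows are assumptions, since the thread's diagrams are missing, and SQLite driven from Python stands in for the application's database.

```python
import sqlite3

# Hypothetical schema: every table and column name here is an assumption.
SCHEMA = """
CREATE TABLE app_user (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, enabled INTEGER);
CREATE TABLE role (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE user_role (user_id INTEGER, role_id INTEGER);
CREATE TABLE operation (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE role_operation (role_id INTEGER, operation_id INTEGER, enabled INTEGER);
"""

# Shape an authoritiesByUsernameQuery must have: one username parameter,
# rows of (username, authority). The authority is an operation name, not a role.
AUTHORITIES_BY_USERNAME = """
SELECT DISTINCT u.username, o.name AS authority
FROM app_user u
JOIN user_role ur ON ur.user_id = u.id
JOIN role_operation ro ON ro.role_id = ur.role_id AND ro.enabled = 1
JOIN operation o ON o.id = ro.operation_id
WHERE u.username = ?
ORDER BY authority
"""

def build_db():
    """Constructed sample data: alice is ADMIN and CLERK, bob is CLERK only."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO app_user VALUES (?,?,?,?)", [(1, "alice", "x", 1), (2, "bob", "x", 1)])
    db.executemany("INSERT INTO role VALUES (?,?)", [(1, "ADMIN"), (2, "CLERK")])
    db.executemany("INSERT INTO user_role VALUES (?,?)", [(1, 1), (1, 2), (2, 2)])
    db.executemany("INSERT INTO operation VALUES (?,?)", [(1, "OP_DELETE_ORDER"), (2, "OP_VIEW_ORDER")])
    db.executemany("INSERT INTO role_operation VALUES (?,?,?)", [(1, 1, 1), (1, 2, 1), (2, 2, 1)])
    return db

def authorities(db, username):
    """Operation names granted to the user through any of their roles."""
    return [row[1] for row in db.execute(AUTHORITIES_BY_USERNAME, (username,))]

def set_role_operation(db, role, operation, enabled):
    """What the admin web interface would do: flip one role/operation mapping."""
    db.execute(
        "UPDATE role_operation SET enabled = ? "
        "WHERE role_id = (SELECT id FROM role WHERE name = ?) "
        "AND operation_id = (SELECT id FROM operation WHERE name = ?)",
        (int(enabled), role, operation))

if __name__ == "__main__":
    db = build_db()
    set_role_operation(db, "CLERK", "OP_VIEW_ORDER", False)
    print(authorities(db, "alice"), authorities(db, "bob"))
```

In Spring Security the SELECT would be configured as the authoritiesByUsernameQuery, with each service method guarded by its operation name. Authorities are read when the user is loaded, so a toggled mapping applies from that user's next authentication.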
