[newbie] single user authorities?

[lime]

Hello
I'm a newbie of Acegi for Spring and a I've got a little experience with Spring.
Until now I've used the schema of JpetStore example (SimpleUrlHandlerMapping with signonInterceptor) to secure my apps but now I need more flexibility and features so I wanna try Acegi

This is the scenario:
- I've to protect various area of my application from different user type
- I have Admin users, group users and single users with specific authorities
- I must have the possibility to decide what group and single user can see in every JSP page (form field/table report column/link) and can do
- all this authorities must be dynamic: administrators can create/modify/delete and assign/revoke them to users at runtime through web interface (so everything goes in DB)

well, I've read reference and forum and I think I've got an idea on how to set up area protection and group roles but: how can I define authorities for single user and decide what he can see/do in every JSP page

maybe it's a stupid question but, remember, I'm a newbie ;-)

[Ben Alex]

Your AuthenticationDao is responsible for returning a UserDetails object, which contains the list of GrantedAuthority[]s applicable for a given principal (user). As such it's your choice how to model this in terms of groups and users and the implementations of GrantedAuthority to use. Generally people just use a USER table, a ROLE table, with a many:many relationship between them. They then use GrantedAuthorityImpl for the concrete implementation they return in UserDetails. This is demonstrated in the Hypersonic directory included in the release ZIPs along with JdbcDaoImpl.

Once you've setup the Acegi Security filters correctly, it will ensure the user is authenticated whenever requesting secure URLs. You can then, from your JSP, access the currently logged on user via ((SecureContext)ContextHolder.getContext()).getAut hentication(). Alternatively, you can use the authz taglib which is discussed in the reference guide if you just want to check a principal has a given GrantedAuthority.

[lime]

Thank you for the answer Ben but I've got some doubts

- you say to use User table and Role table but which is the correct way to map specific pages against user?
As I've said: how can I tell that a User can see a field XXX in page YYY? Using Role_pageYYY_fieldXXX_can_view make sense?

- I haven't understood the use of RoleVoter... what does it mean? how can I use it? Is it necessary or an optional? How does it influence the authz taglib response?

[Ben Alex]

- you say to use User table and Role table but which is the correct way to map specific pages against user?
As I've said: how can I tell that a User can see a field XXX in page YYY? Using Role_pageYYY_fieldXXX_can_view make sense?

If you need such granular security, yes, you could use something like this. So ROLE_OWNERPAGE_TELEPHONENUMBER would be acceptable. Still, it would be unusual to be operating at this level of granularity. Roles typically reflect application or organizational functions. Such as ROLE_MANAGER or ROLE_TELLER or ROLE_PET_ADMINISTRATOR. Such roles typically indicate the pages and properties and methods the principal can invoke.

- I haven't understood the use of RoleVoter... what does it mean? how can I use it? Is it necessary or an optional? How does it influence the authz taglib response?

RoleVoter is a concrete AccessDecisionVoter. An AccessDecisionVoter can vote to grant, deny or abstain. The tallying of these votes if performed by an AccessDecisionManager. Several implementations are provided which deliver slightly different approaches to how votes are tallied. See their JavaDocs (net.sf.acegisecurity.vote package) for details. The authz taglib does not use the AccessDecisionVoter. It just looks at what is in the Authentication object, obtained from the ContextHolder.