defining custom authorities...

**briankuhn** · Dec 20th, 2004, 03:32 PM

This is probably a newbie question, but I can't seem to figure out how to define my own names for granted authorities. In the following bean definition, where does the role name ROLE_USER come from? Is there a predefined list of possible roles somewhere? I tried replacing it with just 'user', but my webapp wouldn't even deploy.

Thanks,
Brian Kuhn

Code:

<bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager"><ref local="authenticationManager"/></property>
    <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
    <property name="objectDefinitionSource">
        <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            PATTERN_TYPE_APACHE_ANT
            /secure/**=ROLE_USER
        </value>
    </property>
</bean>

**Ben Alex** · Dec 20th, 2004, 05:11 PM

Your AuthenticationManager is responsible for defining the Authentication, which includes the GrantedAuthority[]s.

Most people use DaoAuthenticationProvider, which delegates to an AuthenticationDao. The latter populates a UserDetails object (typically User) which contains the granted authorities.

Alternatively, you can use the in-memory AuthenticationDao or the JdbcDaoImpl. The former obtains the granted authorities from the IoC container (as typically defined in the XML file), and the latter from a dedicated database table.

**briankuhn** · Dec 20th, 2004, 05:53 PM

Thanks Ben. I think you may have misunderstood my question though. I've implmented my AuthenticationDao, and it works fine. I'm trying to understand why my role names have to be converted to "ROLE_" + role.toUpperCase() as in the following example:

Code:

package com.briankuhn.webapp.web.acegisecurity;

import com.briankuhn.webapp.data.value.Account;
import com.briankuhn.webapp.data.access.AccountDAO;
import ...

public class AccountAuthenticationDAO implements AuthenticationDao &#123;
    
    private AccountDAO accountDAO = null;
    
    public void setAccountDAO&#40;AccountDAO accountDAO&#41; &#123;
        this.accountDAO = accountDAO;
    &#125;
    
    public UserDetails loadUserByUsername&#40;String username&#41; &#123;
        
        UserDetails userDetails = null;
        if &#40;this.accountDAO != null&#41; &#123;
            
            Account account = this.accountDAO.get&#40;username&#41;;
            if &#40;account != null&#41; &#123;
                
                String role = account.getRole&#40;&#41;;
                if &#40;role == null&#41; &#123;
                    role = "";
                &#125;
                else &#123;
                    role = "ROLE_" + role.toUpperCase&#40;&#41;;
                &#125;
                    
                GrantedAuthority&#91;&#93; authorities =        
                        new GrantedAuthority&#91;&#93; &#123;new GrantedAuthorityImpl&#40;role&#41;&#125;;    
                        
                userDetails = new User&#40;account.getEmailAddress&#40;&#41;,
                                       account.getPassword&#40;&#41;,
                                       true,
                                       authorities&#41;;
            &#125;
        &#125;
        
        return userDetails;
    &#125;
&#125;

I'd rather use the roles already defined in my db (admin/user) and have a filterInvocationInterceptor configuration like this:

Code:

<bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager"><ref local="authenticationManager"/></property>
    <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
    <property name="objectDefinitionSource">
        <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            PATTERN_TYPE_APACHE_ANT
            /secure/admin/**=admin
            /secure/**=user
        </value>
    </property>
</bean>

Am I missing the point?

**Ben Alex** · Dec 21st, 2004, 01:58 PM

Typically an AccessDecisionVoter will look for specific configuration attributes, so it knows when to fire. Thus if you've got a RoleVoter and say a BasicAclEntryVoter, both won't vote on exactly the same access decision.

By default RoleVoter only votes on configuration attributes starting with ROLE_ (case sensitive). You can call its setRolePrefix(String rolePrefix) method with an empty String to cause it to vote on every configuration attribute, thus matching your database. Although if it were me I'd probably change my AuthenticationDao to prepend ROLE_ to each GrantedAuthority, thus allowing different voters to distinguish and retaining the default behaviour and configuration of the security framework as much as possible.

Thread: defining custom authorities...

Thread Tools

Display

defining custom authorities...

Similar Threads

[solved] binding nested model of list containing custom obj

Using Custom Tags with Spring

Question on use of custom property editors - problem found?

registerCustomEditor to a collection of custom classes

authorities retrieval via remote service

Posting Permissions