Thread: How to protect several groups with different login pages

  1. #1
    Join Date
    Jan 2005
    Posts
    16

    How to protect several groups with different login pages

    My web application has several groups of pages. One group is unlimited, the second group is for junior users, and the third is for senior users. Each user type has different login information. How can I use Acegi to configure these settings? Thanks.

  2. #2
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Acegi Security doesn't understand the notion of groups. It only understands "principals have GrantedAuthority[]s".

    You can write your own Authentication object which holds Group[]s if you like, and write AccessDecisionVoter[]s that can iterate them.

    Alternatively, what most people do is write their AuthenticationDao (assuming they're using DaoAuthenticationProvider) to iterate group memberships and add the associated GrantedAuthority[]s to a "global GrantedAuthority[]" returned by the AuthenticationDao. Thus the mapping happens as close to the custom (ie your) application as possible, avoiding modifying the Acegi Security framework or deviating from its typical implementation and patterns. AuthenticationDao is also an interface most reasonably sized applications go and implement anyway, so it's little effort adding an iterator to the implementation.

    The only time I'd recommend the additional effort of a Group[]s property inside Authentication is if your AccessDecisionVoters really needed to understand the "source" of the GrantedAuthority[]s (ie via a certain Role or directly against the principal). Then again, you could easily stick to the recommended AuthenticationDao approach and simply extend SecurityConfig to have a "group" property. Thus interested AccessDecisionVoters could obtain the information, whilst those that don't care could just use the SecurityConfig superclass as per normal.

    As with Spring, in Acegi Security there are typically many different ways to approach a problem due to the interface-based design.
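
The group-to-authority flattening that post #2 recommends doing inside an AuthenticationDao, as an added example that is not code from the thread or from Acegi Security. It uses plain Java collections in place of Acegi's types; the class name, users, groups and role names are assumptions constructed for illustration.

```java
import java.util.*;

// Added example: stand-in for the lookup an AuthenticationDao implementation
// would perform. All users, groups and role names are constructed sample data.
public class GroupAuthorityMapper {
    private final Map<String, List<String>> groupsByUser = new HashMap<>();
    private final Map<String, List<String>> rolesByGroup = new HashMap<>();

    public GroupAuthorityMapper() {
        rolesByGroup.put("junior", Arrays.asList("ROLE_JUNIOR"));
        rolesByGroup.put("senior", Arrays.asList("ROLE_JUNIOR", "ROLE_SENIOR"));
        groupsByUser.put("alice", Arrays.asList("senior"));
        groupsByUser.put("bob", Arrays.asList("junior"));
        // "retired" has no role mapping, so it must contribute nothing.
        groupsByUser.put("carol", Arrays.asList("junior", "senior", "retired"));
    }

    /** Flattens a user's group memberships into one de-duplicated authority list. */
    public List<String> authoritiesFor(String username) {
        List<String> groups = groupsByUser.get(username);
        if (groups == null) {
            // An AuthenticationDao would report the unknown user to the provider here.
            throw new NoSuchElementException("unknown user: " + username);
        }
        // LinkedHashSet keeps a stable order and drops roles granted by two groups.
        Set<String> flat = new LinkedHashSet<>();
        for (String group : groups) {
            // A group without a mapping grants nothing (fail closed).
            flat.addAll(rolesByGroup.getOrDefault(group, Collections.emptyList()));
        }
        // In a real AuthenticationDao each entry would become a GrantedAuthority.
        return new ArrayList<>(flat);
    }

    public static void main(String[] args) {
        GroupAuthorityMapper mapper = new GroupAuthorityMapper();
        for (String user : Arrays.asList("alice", "bob", "carol")) {
            System.out.println(user + " -> " + mapper.authoritiesFor(user));
        }
    }
}
```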

  3. #3
    Join Date
    Jan 2005
    Posts
    16

    Thanks, Ben, I got it. What I will do is to customize my own DaoAuthentication.
