Thread: Multiple Roles with OR (instead of AND) ?

  1. #1
    Join Date
    Aug 2004
    Location
    Hawaii, US
    Posts
    225

    Multiple Roles with OR (instead of AND) ?

    Hello,

    It seems that when I specify multiple roles:

    Code:
    /confirm.*=ROLE_ahewaUser,ROLE_eHawaiiSubscriber
    that both roles are required by the user for access. Is this true?

    And if so, how would I specify that either role is sufficient?

    Thanks very much!
    Seth

  2. #2
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Quoting http://acegisecurity.sourceforge.net...ision-managers:

    There are three concrete AccessDecisionManagers provided with the Acegi Security System for Spring that tally the votes. The ConsensusBased implementation will grant or deny access based on the consensus of non-abstain votes. Properties are provided to control behavior in the event of an equality of votes or if all votes are abstain. The AffirmativeBased implementation will grant access if one or more ACCESS_GRANTED votes were received (ie a deny vote will be ignored, provided there was at least one grant vote). Like the ConsensusBased implementation, there is a parameter that controls the behavior if all voters abstain. The UnanimousBased provider expects unanimous ACCESS_GRANTED votes in order to grant access, ignoring abstains. It will deny access if there is any ACCESS_DENIED vote. Like the other implementations, there is a parameter that controls the behaviour if all voters abstain.

  3. #3
    Join Date
    Aug 2004
    Location
    Hawaii, US
    Posts
    225

    Ben,

    Thanks for the quote. I at first thought that was what I wanted. I then looked at the code for RoleVoter:

    Code:
    // Attempt to find a matching granted authority
    for (int i = 0; i < authentication.getAuthorities().length; i++) {
        if (attribute.getAttribute().equals(authentication.getAuthorities()[i].getAuthority())) {
            return ACCESS_GRANTED;
        }
    }
    I was interpreting that as "if I find at least one matching Role, return ACCESS_GRANTED".

    I only have one RoleVoter in the system. I will try changing the strategies as you have mentioned.

    Can you explain the relationship between the number of roles specified, the code above, and the strategies you quoted?

    Thanks very much,
    Seth
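
Added example, not part of the original posts and not Acegi source code: a simplified model of how the RoleVoter loop quoted in #3 combines with two of the strategies quoted in #2 when only one voter is configured. It assumes every attribute is a role, that no match is a deny vote, and that UnanimousBased polls the voter once per attribute, which is consistent with the AND behaviour reported in #1; the class and method names are illustrative.

```java
import java.util.*;

// Added illustration: a simplified model, not Acegi source code.
public class RoleTallyDemo {
    static final int ACCESS_GRANTED = 1, ACCESS_DENIED = -1;

    // Same rule as the RoleVoter loop quoted in the thread: grant on the first match.
    // Assumption: every attribute is a role, and no match at all is a deny vote.
    static int roleVoterVote(Set<String> held, List<String> attributes) {
        for (String attribute : attributes) {
            if (held.contains(attribute)) return ACCESS_GRANTED;
        }
        return ACCESS_DENIED;
    }

    // AffirmativeBased: one grant vote is enough. The single voter sees the
    // whole attribute list, so the listed roles behave as OR.
    static boolean affirmative(Set<String> held, List<String> attributes) {
        return roleVoterVote(held, attributes) == ACCESS_GRANTED;
    }

    // UnanimousBased: any deny vote refuses access.
    // Assumption: the voter is polled once per attribute, so the roles behave as AND.
    static boolean unanimous(Set<String> held, List<String> attributes) {
        for (String attribute : attributes) {
            if (roleVoterVote(held, Collections.singletonList(attribute)) == ACCESS_DENIED) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        List<String> confirm = Arrays.asList("ROLE_ahewaUser", "ROLE_eHawaiiSubscriber");
        Set<String> oneRole = new HashSet<>(Collections.singletonList("ROLE_ahewaUser")); // constructed user
        Set<String> bothRoles = new HashSet<>(confirm);                                    // constructed user
        System.out.println("one role, affirmative:  " + affirmative(oneRole, confirm));
        System.out.println("one role, unanimous:    " + unanimous(oneRole, confirm));
        System.out.println("both roles, unanimous:  " + unanimous(bothRoles, confirm));
    }
}
```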

  4. #4
    Join Date
    Feb 2005
    Location
    Lahaina, HI
    Posts
    8

    Watch out for method level permissions

    If things don't act as expected, you may need to look elsewhere. I once made the silly mistake of thinking I had my role voters screwed, when in fact I was just forgetting to fix my method level permissions.
    "In the past, I was the future."
    - Tes

  5. #5
    Join Date
    Aug 2004
    Location
    Hawaii, US
    Posts
    225

    Ben, all,

    I changed to using AffirmativeBased role voter. This did the trick where I wanted to have "At Least One Role Valid" scheme.

    Is it possible to specify the roles needed on a per resource basis? I think it would be nice to have this type of configuration:

    /some/uri.html=ROLE_foo||ROLE_bar
    /another.html=ROLE_foo&&ROLE_bar
    /or/even.html=(ROLE_foo||ROLE_bar)&&ROLE_manager

    What do you think? I know Spring has some nice Rules classes coming out of sandbox soon that might help here.

    If there is consensus this is A Good Thing, I will send in the patches.

    Thanks very much,
    Seth

  6. #6
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    I am pleased you used AffirmativeBased and it sorted out your main issue.

    Your proposed ConditionalRoleVoter (or whatever you would like to call it) would work fine. So long as the ConditionalRoleVoter can identify the config attributes it is responsible for servicing, there shouldn't be a problem. You'll probably need to prefix them to assist. eg:

    Code:
    /foo.html=CONDITIONAL_ROLES(FOO && BAR || MANAGER),SOME_OTHER_ATTRIBUTE
    A more sophisticated approach would be to somehow do it at the AccessDecisionManager level. The issue is you'd need to ensure ConfigAttributes remain independent, as each ConfigAttribute would potentially be serviced by its own AccessDecisionVoter (or RunAsManager or AfterInvocationManager for that matter). An example approach might be:

    Code:
    /foo.html=ROLE_FOO,CONDITION_AND,ROLE_BAR,CONDITION_OR,ROLE_MANAGER,SOME_OTHER_ATTRIBUTE
    /fo2.html=BRACE_LEFT,ROLE_FOO,CONDITION_AND,ROLE_BAR,BRACE_RIGHT,CONDITION_OR,ROLE_MANAGER,SOME_OTHER_ATTRIBUTE
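
Added example, not from the thread and not part of Acegi: a hypothetical evaluator for the per-resource syntax proposed in #5, of the kind a ConditionalRoleVoter would need. It assumes `&&` binds tighter than `||` and that role names consist of letters, digits and underscores; the names `RoleExpression` and `permits` are illustrative. A malformed expression denies access rather than granting it.

```java
import java.util.*;

// Added illustration: a hypothetical evaluator for the proposed syntax, not Acegi code.
public class RoleExpression {
    private final String src;        // expression with whitespace removed
    private final Set<String> held;  // authorities the user holds
    private int pos = 0;
    private RoleExpression(String expr, Set<String> held) { this.src = expr.replaceAll("\\s+", ""); this.held = held; }

    // Fails closed: a malformed expression or trailing input denies access.
    static boolean permits(String expr, Set<String> held) {
        try {
            RoleExpression p = new RoleExpression(expr, held);
            return p.or() && p.pos == p.src.length();
        } catch (IllegalArgumentException malformed) {
            return false;
        }
    }

    private boolean or() {    // or := and ("||" and)*
        boolean v = and();
        while (src.startsWith("||", pos)) { pos += 2; v = and() || v; }
        return v;
    }

    private boolean and() {   // and := atom ("&&" atom)*
        boolean v = atom();
        while (src.startsWith("&&", pos)) { pos += 2; v = atom() && v; }
        return v;
    }

    private boolean atom() {  // atom := "(" or ")" | role name
        if (src.startsWith("(", pos)) {
            pos++;
            boolean v = or();
            if (!src.startsWith(")", pos++)) throw new IllegalArgumentException("missing )");
            return v;
        }
        int start = pos;
        while (pos < src.length() && src.substring(pos, pos + 1).matches("\\w")) pos++;
        if (pos == start) throw new IllegalArgumentException("role expected");
        return held.contains(src.substring(start, pos));
    }

    public static void main(String[] args) {
        Set<String> user = new HashSet<>(Arrays.asList("ROLE_foo", "ROLE_manager")); // constructed user
        System.out.println(permits("(ROLE_foo||ROLE_bar)&&ROLE_manager", user));
        System.out.println(permits("ROLE_foo&&ROLE_bar", user));
        System.out.println(permits("ROLE_foo||", user)); // malformed expression
    }
}
```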
