Let's say I want to build a blog (Newbie question on roles?)

[andrew_null]

Hello everyone, I'm just starting to experiment with Acegi, guided by the "Spring in Action" book.

A quick question:

Let's say I want to build a site like Blogger.com, where people can create their own blogs. For any given blog out of 1000s, we have simple 2 roles: ADMIN and MEMBER.

MEMBER can add/edit/delete blogs
ADMIN can add new MEMBERs, and also have all the MEMBER powers

So here's my question:

Does this mean that there are two roles that you can use? Or does it mean we need 1000s of different roles, like ROLE_ADMIN_1 (where 1 is the id of the blog?).

For example, you wouldn't want someone who is an ADMIN of one blog to simply be able to edit another blog. So we need to differentiate ADMIN of blog id = 1 and ADMIN of blog id = 2. So that says, to me, that we have ADMIN and MEMBER roles for every blog (so potentially 1000s).

From the examples in the book, it was clear how to set up roles for specific website sections (students can go here, alumni can go here), but not for roles that cut across different objects.

Is there a way to set this up dynamically, as if there were two roles, or do I have to set up 1000s of roles? What do I change to do this?

Andrew

[andrew_null]

I could be totally, totally wrong, but here's my first guess:

- Write AuthoritiesByUsernameMapping.java that does a custom query, and returns GrantedAuthority[] that look like: ROLE_ADMIN_1 (where 1 is the blog id)

- Create a new class called BlogRoleVoter that takes the ROLE_ADMIN_1 string, and separates it into ROLE_ADMIN and 1. Then it checks to make sure that the user has ROLE_ADMIN for club id=1.

Do I have to do anything else? Is this in the right direction?

It seems a bit hack-ish, but those are just my initial thoughts for now...

[Ben Alex]

Yes, it's a bit hack-ish, which is why we have a whole domain object instance security system included in Acegi Security, built upon access control list security. Check out the ACL security information in the reference guide and Contacts Sample - it more than addresses requirements such as the Blogger.com example.

[andrew_null]

Yes, it's a bit hack-ish, which is why we have a whole domain object instance security system included in Acegi Security, built upon access control list security. Check out the ACL security information in the reference guide and Contacts Sample - it more than addresses requirements such as the Blogger.com example.

Thanks for the tip.

I was looking at my copy of Spring In Action, and unfortunately, it covers an old version of Acegi without the ACL... makes for a great paperweight.

I'll take a look at that! Thanks again.