Apr 7th, 2005, 04:20 AM
Authorities and ACL
In my application I believe I need ACLs, as it requires instance-based security. But if I don't set up authorities for users, authentication doesn't work. My question/confusion is: do we need both of them? For example, say I have an authority ROLE_MANAGER assigned to a user scott. In this ACL solution, what does it really mean to have the authority ROLE_MANAGER? But I need it in order to get authentication to work. I am using Acegi with a rich client in a client-server setting.
Apr 7th, 2005, 04:56 PM
What it means...
Here's my take on your question in the form of what I am doing for my project.
I do actually mix granted authorities (roles, as we are calling them here) and ACLs. In my case, I want to be able to provide access to instances based upon granted authority and based upon principal. So here's one scenario: users who have the authority ROLE_MEMBER are known to the system, but have no permissions; an ACL with no permissions is assigned to ROLE_MEMBER on a top-level instance. For ROLE_SUBSCRIBER, I grant read permissions, again with a top-level ACL with read permissions. I can augment these default role-based privileges with an ACL granted to the principal. So if I have a user 'BILL' with granted authority ROLE_MEMBER, I can have a situation where they get no permissions from the role ACL, but then get specific permissions from an ACL farther down the hierarchy, attached to the exact instance in question.
I could probably explain that better, given that I used the term 'hierarchy', which you may not connect with. Picture a catalog (top level) with categories (middle level) with items (leaf level). An ACL attached to the catalog trickles down to the leaves. However, if you grant an ACL at the leaf level, it overrides the parent.
So the answer to your question is that you can make it work with both. You definitely need to authenticate in order to authorize, but I think you are asking whether the granted authorities can be used within the ACLs. The answer is definitely YES, and I think if you check out the sample and the out-of-the-box code, you'll find that the pieces are all there.
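To make the catalog / category / item picture above concrete, here is a stand-alone model of the two ideas in that answer: ACL entries whose recipient is either a granted authority (role) or a principal, and a walk up the object hierarchy in which the first level that mentions any of the caller's sids decides, so a leaf-level entry replaces what the parent would have granted. This is an added example, not code from either poster and not Acegi's own ACL classes or API; the class names (Sid, Authentication, Node), the three-value Permission enum and the catalog/books/item42 data are all assumptions made for illustration.

```java
import java.util.*;

// Stand-alone model of role-plus-principal ACL inheritance (not Acegi's API).
public class AclHierarchyDemo {

    enum Permission { READ, WRITE, ADMINISTER }

    /** The recipient of an ACL entry: a granted authority (role) or a named principal. */
    static final class Sid {
        final boolean role;
        final String name;
        private Sid(boolean role, String name) { this.role = role; this.name = name; }
        static Sid role(String name) { return new Sid(true, name); }
        static Sid principal(String name) { return new Sid(false, name); }
        @Override public boolean equals(Object o) {
            return o instanceof Sid && ((Sid) o).role == role && ((Sid) o).name.equals(name);
        }
        @Override public int hashCode() { return Objects.hash(role, name); }
    }

    /** The authenticated caller: a principal plus the authorities granted at login. */
    static final class Authentication {
        final String principal;
        final Set<String> authorities;
        Authentication(String principal, String... authorities) {
            this.principal = principal;
            this.authorities = new HashSet<>(Arrays.asList(authorities));
        }
        /** Every sid this caller can match an ACL entry through. */
        Set<Sid> sids() {
            Set<Sid> s = new HashSet<>();
            s.add(Sid.principal(principal));
            for (String a : authorities) s.add(Sid.role(a));
            return s;
        }
    }

    /** A secured domain object (catalog, category or item) carrying its own ACL entries. */
    static final class Node {
        final String id;
        final Node parent;
        final Map<Sid, EnumSet<Permission>> acl = new LinkedHashMap<>();
        Node(String id, Node parent) { this.id = id; this.parent = parent; }
        /** Attach an entry; an empty permission list records "known, but allowed nothing". */
        Node grant(Sid sid, Permission... perms) {
            EnumSet<Permission> set = EnumSet.noneOf(Permission.class);
            set.addAll(Arrays.asList(perms));
            acl.put(sid, set);
            return this;
        }
    }

    /**
     * Effective permissions for auth on node: walk from the node toward the root and
     * stop at the first node whose ACL mentions any of the caller's sids. Matching
     * entries at that level are unioned; nothing further up is consulted, so a leaf
     * entry replaces rather than adds to what the parent would have granted.
     * No matching entry at any level means no permissions at all.
     */
    static EnumSet<Permission> effective(Authentication auth, Node node) {
        Set<Sid> sids = auth.sids();
        for (Node n = node; n != null; n = n.parent) {
            EnumSet<Permission> result = EnumSet.noneOf(Permission.class);
            boolean matched = false;
            for (Map.Entry<Sid, EnumSet<Permission>> e : n.acl.entrySet()) {
                if (sids.contains(e.getKey())) {
                    matched = true;
                    result.addAll(e.getValue());
                }
            }
            if (matched) return result;
        }
        return EnumSet.noneOf(Permission.class);
    }

    static boolean has(Authentication auth, Node node, Permission p) {
        return effective(auth, node).contains(p);
    }

    public static void main(String[] args) {
        // Constructed sample hierarchy: catalog -> books -> item42 / item43.
        Node catalog = new Node("catalog", null)
            .grant(Sid.role("ROLE_MEMBER"))                         // known to the system, nothing granted
            .grant(Sid.role("ROLE_SUBSCRIBER"), Permission.READ);   // read, inherited by every child
        Node books = new Node("books", catalog);
        Node item42 = new Node("item42", books)
            .grant(Sid.principal("bill"), Permission.READ, Permission.WRITE); // principal entry at the leaf
        Node item43 = new Node("item43", books);

        Authentication bill = new Authentication("bill", "ROLE_MEMBER");
        Authentication sue = new Authentication("sue", "ROLE_SUBSCRIBER");
        Authentication guest = new Authentication("guest", "ROLE_ANONYMOUS");

        System.out.println("bill on item42: " + effective(bill, item42));   // leaf entry for the principal decides
        System.out.println("bill on item43: " + effective(bill, item43));   // falls back to ROLE_MEMBER at the catalog
        System.out.println("sue on item42:  " + effective(sue, item42));    // ROLE_SUBSCRIBER entry trickles down
        System.out.println("guest on item42: " + has(guest, item42, Permission.READ)); // no entry anywhere
    }
}
```

The point to take from the walk in effective() is the one Bill makes about override: because the search stops at the first level that names one of the caller's sids, the principal entry on item42 is what bill gets there, while on item43 the empty ROLE_MEMBER entry at the catalog still applies. The check for a caller with no matching role or principal entry at any level returns an empty set, so absence of an ACL never accidentally turns into access.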
Apr 8th, 2005, 06:50 PM
Thanks for the example, Bill. Using roles/GrantedAuthority objects is best practice with ACLs. Assigning ACLs against individual users is generally only a small proportion of your ACLs; the rest are against roles.