
Thread: ACL problems.

  1. #1
    Join Date
    Nov 2004
    Location
    Hilversum - The Netherlands
    Posts
    1,054

    ACL problems.

    I'm currently trying to use ACL security from Acegi in a web project, but after a few hours I still don't have a good understanding of how it works. Acegi is a powerful and very extensible framework, but without documentation it is useless. And the ACL part doesn't contain enough information to be very practical (a complete example would be better).

    Does anyone know a good example (that isn't complex and long) of how to use ACL security and how to wire it up? I miss the connection from AclProvider to AuthorizationManager (how does ACL fit into the authorization process?). Is there some kind of adapter that converts an AuthorizationProvider call to an AclProvider call? There are many more questions I would like to ask, but at the moment I need answers to the most important ones.
    Last edited by Alarmnummer; Jan 31st, 2006 at 01:49 AM.

  2. #2
    Join Date
    Nov 2004
    Location
    Hilversum - The Netherlands
    Posts
    1,054

    I have been playing with ACL this week and I find it quite complex to use. In most cases I don't need something this powerful and I have come up with an idea for a much simpler configuration.

    Example (check the ItemManager.delete line):
    Code:
    <bean id="itemManagerSecurityAdvice"
    	class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
    	<property name="validateConfigAttributes" value="true"/>
    	<property name="authenticationManager" ref="authenticationManager"/>
    	<property name="accessDecisionManager" ref="accessDecisionManager"/>
    	<property name="objectDefinitionSource">
    		<value>
    			ItemManager.delete=ROLE_USER:arg1.user.equals(securityContext.user)
    		</value>
    	</property>
    </bean>
    I think you will get the point. I have posted more information on my weblog.
    Last edited by Alarmnummer; Feb 3rd, 2006 at 08:22 AM.

  3. #3

    agreed - poor documentation

    I agree.... One simple working example would make all the difference. You have to jump through hoops just to get started. I'm sure acegi does everything I require, but I need something to start with - I have no desire to install maven or download the entire source code -- I have 500 other pieces of software to download and install for other parts of the application..... just a simple working example would be great.

  4. #4
    Join Date
    Nov 2004
    Location
    Hilversum - The Netherlands
    Posts
    1,054

    Quote Originally Posted by glenmartinthomas
    I agree.... One simple working example would make all the difference. You have to jump through hoops just to get started. I'm sure acegi does everything I require, but I need something to start with - I have no desire to install maven or download the entire source code -- I have 500 other pieces of software to download and install for other parts of the application..... just a simple working example would be great.
    I think in a lot of cases ACL won't be required. You just need to check some arguments and you are done. Check the example again and look for the ItemManager.delete line. You see an expression there.

  5. #5
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    An interesting approach. As noted in the documentation at http://acegisecurity.org/docbook/ace...#acls-overview there are different ways of achieving method invocation security and not all rely on ACLs.
    Ben Alex
    Project Founder, Spring UAA, Spring Roo and Spring Security

  6. #6
    Join Date
    Nov 2004
    Location
    Hilversum - The Netherlands
    Posts
    1,054

    I have been playing with it and made a prototype implementation and it works like a dream:

    //admins are allowed to disable other users from the same application
    foo.UserManager.disable=ROLE_ADMIN:arg0.application.equals(authentication.principal.user.application)
    foo.UserManager.createPasswordLogin=ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN
    foo.UserManager.createCookieLogin=ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN
    foo.UserManager.confirmPasswordLogin=ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN
    //an admin of the same application as the user is allowed to update another user
    //a user is able to update himself.
    foo.UserManager.update=ROLE_ADMIN:arg0.application.equals(authentication.principal.user.application),ROLE_USER:arg0.equals(authentication.principal.user)
    foo.UserManager.findById=ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN

    I have to do 2 things in the app context:
    1) replace the RoleVoter by a different version
    Code:
    public int vote(Authentication auth, Object object, ConfigAttributeDefinition config) {
        int result = ACCESS_ABSTAIN;
        Iterator iter = config.getConfigAttributes();

        while (iter.hasNext()) {
            ConfigAttribute requiredAttribute = (ConfigAttribute) iter.next();
            if (this.supports(requiredAttribute)) {
                // At least one attribute is ours, so the answer is deny unless a role matches below
                result = ACCESS_DENIED;

                // Attempt to find a matching granted authority
                for (int i = 0; i < auth.getAuthorities().length; i++) {
                    String requiredRole = requiredAttribute.getAttribute();
                    String grantedRole = auth.getAuthorities()[i].getAuthority();

                    if (requiredRole.equals(grantedRole)) {
                        // A ROLE:expression attribute carries an extra check that runs against the invocation arguments
                        if (requiredAttribute instanceof MyConfigAttribute) {
                            MethodInvocation mi = (MethodInvocation) object;
                            MyConfigAttribute myAttr = (MyConfigAttribute) requiredAttribute;
                            // the checker is assumed to throw when the expression does not hold (its code is not in the post)
                            myAttr.getInvocationChecker().check(mi);
                        }
                        return ACCESS_GRANTED;
                    }
                }
            }
        }

        return result;
    }
    2) Replace the ObjectDefinitionSource by one that also can handle OGNL expressions.
    Last edited by Alarmnummer; Feb 6th, 2006 at 08:57 AM.
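The argument-checking idea from posts #2 and #6, modelled as an added Python example outside Acegi (this is not the poster's code nor Acegi's): it parses the `Class.method=ROLE[:expression],...` lines, accepts only the `argN.path.equals(authentication.principal.path)` expression shape seen in the thread, and votes on a call. The user and Authentication objects are constructed stand-ins, and rejecting any other expression shape (fail closed) is my assumption.

```python
import re
from types import SimpleNamespace as NS
# Constructed sample in the thread's "Class.method=ROLE[:expr],ROLE[:expr]" line format.
CONFIG = """
foo.UserManager.disable=ROLE_ADMIN:arg0.application.equals(authentication.principal.user.application)
foo.UserManager.update=ROLE_ADMIN:arg0.application.equals(authentication.principal.user.application),ROLE_USER:arg0.equals(authentication.principal.user)
foo.UserManager.findById=ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN
"""
# Only the "argN.path.equals(authentication.principal.path)" shape from the thread is
# accepted; anything else raises, so an unexpected expression fails closed.
EXPR = re.compile(r"^(arg\d+(?:\.\w+)*)\.equals\((authentication\.principal(?:\.\w+)*)\)$")
def parse_config(text):
    """Map 'Class.method' -> list of (role, expression-or-None) alternatives."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        method, attrs = line.split("=", 1)
        table[method.strip()] = [(r.strip(), e.strip() or None)
                                 for r, _, e in (a.partition(":") for a in attrs.split(","))]
    return table

def _resolve(path, root):
    for part in path.split("."):
        root = getattr(root, part)  # AttributeError on an unknown path => fail closed
    return root

def expression_holds(expr, args, authentication):
    m = EXPR.match(expr)
    if not m:
        raise ValueError("unsupported expression: " + expr)
    ctx = NS(authentication=authentication, **{f"arg{i}": a for i, a in enumerate(args)})
    return _resolve(m.group(1), ctx) == _resolve(m.group(2), ctx)

def vote(authentication, method, args, table):
    """GRANTED if the caller holds a listed role whose expression (if any) holds, DENIED
    otherwise, ABSTAIN for an unsecured method. Unlike the posted voter, a failing
    expression moves on to the next role alternative instead of ending the vote."""
    if method not in table:
        return "ABSTAIN"
    for role, expr in table[method]:
        if role in authentication.authorities and (expr is None or expression_holds(expr, args, authentication)):
            return "GRANTED"
    return "DENIED"

def make_user(name, application):  # constructed stand-ins for the app's user and Authentication objects
    return NS(name=name, application=application)
def make_auth(user, *roles):
    return NS(principal=NS(user=user), authorities=frozenset(roles))
```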

  7. #7
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    I certainly like where this is heading. I am especially fond of the notation format for retrieving a particular argument from the method invocation, and referring to internals of the Authentication object. We probably should get something like this into core. Would you mind posting what you end up writing to JIRA so I can take a proper look at this with examples?
    Ben Alex
    Project Founder, Spring UAA, Spring Roo and Spring Security
