Feb 20th, 2006, 08:09 AM
Adding and removing GrantedAuthorities
I have a system where the user has to initiate his participation. So he generally has a ROLE_PARTICIPANT, but before he gets to use the system I would like to also set ROLE_NEWPARTICIPANT. This would allow me to enable only the "Initiate Participation" command. When the user initiates his participation I would remove the ROLE_NEWPARTICIPANT and all of the other commands will become available.
Now what would be the best way to address this dynamic adding/removing of a role? I was thinking that I could do something with an application event that gets published on authentication success. But the granted authorities, which can be retrieved from the Authentication object that gets passed with the event to the listener, are read-only value objects (since they are copies of the originals).
Is there a hook in Acegi for this kind of stuff that I overlooked?
Feb 20th, 2006, 08:42 AM
You can replace the entire Authentication object with a new one containing a different set of authorities, so it doesn't matter that the authorities are value objects. ROLE_NEWPARTICIPANT sounds like similar usage to the AnonymousProcessingFilter/Token. Presumably you have some sort of registration process which would then result in the equivalent of full authentication... once that was completed you would replace the authentication token with one containing the full set of user information and roles.
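The token replacement described in the reply above, as an added example that is not part of the original thread or of Acegi itself. It assumes the Acegi 1.0 `org.acegisecurity` package names and a username/password login; `ParticipationPromoter` and its methods are hypothetical names.

```java
import java.util.ArrayList;
import java.util.List;

import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;

/** Hypothetical helper, called once "Initiate Participation" has completed. */
public final class ParticipationPromoter {

    private static final String NEW_ROLE = "ROLE_NEWPARTICIPANT";

    private ParticipationPromoter() {}

    /** Returns a copy of the authorities without ROLE_NEWPARTICIPANT. */
    static GrantedAuthority[] withoutNewRole(GrantedAuthority[] current) {
        List<GrantedAuthority> kept = new ArrayList<GrantedAuthority>();
        if (current != null) {
            for (int i = 0; i < current.length; i++) {
                if (!NEW_ROLE.equals(current[i].getAuthority())) {
                    kept.add(current[i]);
                }
            }
        }
        return kept.toArray(new GrantedAuthority[kept.size()]);
    }

    /** Swaps the current Authentication for one that lacks the role. */
    public static void promoteCurrentUser() {
        Authentication old = SecurityContextHolder.getContext().getAuthentication();
        if (old == null) {
            throw new IllegalStateException("no Authentication in the security context");
        }
        // The old token is never mutated: build a new one with the same
        // principal and credentials and the reduced authority set.
        UsernamePasswordAuthenticationToken fresh =
            new UsernamePasswordAuthenticationToken(
                old.getPrincipal(), old.getCredentials(),
                withoutNewRole(old.getAuthorities()));
        fresh.setDetails(old.getDetails()); // keep remote address / session id
        SecurityContextHolder.getContext().setAuthentication(fresh);
    }
}
```

The swap only affects the current security context; whatever stored state decides the roles at login has to be updated in the same operation, otherwise ROLE_NEWPARTICIPANT is granted again at the next authentication.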
Mar 6th, 2006, 01:35 AM
In your UserDetailsService implementation you could detect some property on your database-derived object, and then return either ROLE_NEWUSER or the normal assigned roles accordingly.