Dec 13th, 2006, 05:52 PM
"namespace" based authorization
This is a topic we talked about during Ben Alex's "Beyond Low Hanging Fruit" session at the Spring Experience 2006 conference, an impressive session on Acegi ACL based domain object instance security.
My application uses role based authorization, and I will add an additional mechanism to authorize a particular role only if the client is allowed access to a particular slice of customer information in the database. ACLs might be used in some way if I can design this in a way that only requires a few ACLs (connect domain object instance ACLs into a parent table that defines namespacing types of stuff..), but I don't think I need ACLs for this one..
For example, a particular customer service representative working for company Acme is only allowed to modify customer account records if they have role "ROLE_ACCOUNT_MODIFY" and if the customer was originally created by an Acme customer service rep. Authorization based on some filtering of the customer details.
So- is the best solution to use a UnanimousBased AbstractAccessDecisionManager that contains multiple entries like this?:
Assuming I'm using MethodSecurityInterceptor, the my.custom.Voter.decide() method receives the current MethodInvocation object as the "object".
The my.custom.Voter needs to interrogate the MethodInvocation parameters directly and perform custom handling based on whatever "namespace" rules I need to enforce against the current authenticated user.
So I need the user to have access to a general role + access to a slice of data based on some customer attributes. What if I decide to add several of these special voters?
I basically ALWAYS want the ROLE auth.. plus just one of the others? What AbstractAccessDecisionManager should be set up for that? Write my own?
fyi- this is cool!
Dec 13th, 2006, 06:15 PM
I also wanted to add:
my problem does not require any after invocation processing.. it's all pre invocation, which I'm assuming always happens in a voter as opposed to an AfterInvocationProvider
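An added example, not code from this thread, of the kind of pre-invocation voter the first post describes: it abstains unless the secured method carries a namespace attribute, otherwise it inspects the MethodInvocation arguments and compares the customer record's originating company with the caller's. The attribute name, the bean names and the CompanyUser/Customer types are assumptions; the Acegi 1.0 interfaces are real.

```java
import java.util.Iterator;
import org.acegisecurity.Authentication;
import org.acegisecurity.ConfigAttribute;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.vote.AccessDecisionVoter;
import org.aopalliance.intercept.MethodInvocation;
// Assumed domain types: the principal knows its company, the customer
// record knows which company's rep created it.
interface CompanyUser { String getCompany(); }
interface Customer { String getCreatedByCompany(); }
/**
 * Pre-invocation voter for the "namespace" rule. It only votes when the
 * secured method carries the NAMESPACE_CUSTOMER attribute; otherwise it
 * abstains, so RoleVoter alone decides plain role-protected methods.
 * Wiring (assumed bean names), so a method tagged
 * "ROLE_ACCOUNT_MODIFY,NAMESPACE_CUSTOMER" needs both voters to grant:
 *   <bean id="accessDecisionManager" class="org.acegisecurity.vote.UnanimousBased">
 *     <property name="decisionVoters">
 *       <list><ref bean="roleVoter"/><ref bean="customerNamespaceVoter"/></list>
 *     </property>
 *   </bean>
 */
public class CustomerNamespaceVoter implements AccessDecisionVoter {
    public static final String ATTRIBUTE = "NAMESPACE_CUSTOMER"; // assumed attribute name
    public boolean supports(ConfigAttribute attribute) {
        return ATTRIBUTE.equals(attribute.getAttribute());
    }
    public boolean supports(Class clazz) {
        return MethodInvocation.class.isAssignableFrom(clazz);
    }
    public int vote(Authentication auth, Object object, ConfigAttributeDefinition config) {
        boolean applies = false;
        for (Iterator it = config.getConfigAttributes(); it.hasNext();) {
            if (supports((ConfigAttribute) it.next())) { applies = true; }
        }
        if (!applies) { return ACCESS_ABSTAIN; }
        if (!(auth.getPrincipal() instanceof CompanyUser)) { return ACCESS_DENIED; }
        String callerCompany = ((CompanyUser) auth.getPrincipal()).getCompany();
        Object[] args = ((MethodInvocation) object).getArguments();
        for (int i = 0; i < args.length; i++) {
            if (args[i] instanceof Customer
                    && !callerCompany.equals(((Customer) args[i]).getCreatedByCompany())) {
                return ACCESS_DENIED; // record belongs to another company's slice
            }
        }
        return ACCESS_GRANTED;
    }
}
```

Under UnanimousBased every voter that does not abstain must grant, so the role check from RoleVoter is always enforced and the namespace check is added only on methods that list the extra attribute.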
Aug 14th, 2008, 11:18 PM
2 years later, find anything useful?