
Thread: best way to implement community-like authorization with acegi

  1. #1

    best way to implement community-like authorization with acegi

    I am trying to implement an authorization mechanism like a typical community, where we have many communities and a user can be part of more than one community and play a different role in each of them.
    Can someone tell me a scalable way of implementing such an authorization scheme with acegi?

    thanks

  2. #2
    Join Date: Sep 2006, Location: UK, Posts: 8,424

    You might want to have a look at ACL.

  3. #3


    thanks for the help,

    I have (in a custom database) the users, groups and the actions these groups are allowed to take in different parts of the application. All parts of this auth system can grow at runtime, so I don't really have fixed roles (like USER, ADMIN etc.). Now I want to implement the authorization on my service layer methods using AOP.
    I am not able to figure out from the docs which interfaces I should implement and tie in to my own database to get ACL working in acegi. Looking for some pointers.

  4. #4
    Join Date: Sep 2006, Location: UK, Posts: 8,424

    I guess it would be useful if you could spell out exactly how your system works and what the security requirements are.

  5. #5


    Actually this is a common requirement in typical internet community-like applications (yahoo groups/orkut etc.).

    There are multiple communities in this system, where each community has admins and members. In addition to that, each community can contain some applications (like calendar or discussion group). Users can have different access rights on applications in different communities.

    So, precisely speaking, the entities concerned relate like this:

    User - userGroup (defines which users are part of which group).

    userGroup - Application - Action (would define which group of users can take a certain action on an application in the system).

    Does that make sense?

  6. #6
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team
    Join Date: Aug 2004, Location: Glasgow, Scotland, Posts: 3,449

    I think you need to clarify a lot more what you are doing and how it fits together technically. You are using words like "group", "community", "application", "userGroup" in a potentially interchangeable way. For example, is an "application" a separate webapp, a different url within a single webapp or what?

  7. #7


    Apologies again for the confusing details, I will try to explain better.

    A community in this system can contain multiple applications and multiple user groups. As a community owner, one should be able to create groups of users and assign them permissions on applications in the community.

    For example (something similar to yahoo groups):

    Assuming I create a yahoo group (which is called a community in my system), I can add a few applications (like "discussion board" or "calendar") to my yahoo group. In the yahoo groups > "discussion board" application I can give some users the right to 'moderate' the group, while other member users can only 'post'. Someone who is not a member can only 'view'.

    In the above example, "discussion board" is an application, whereas 'moderate', 'post' and 'view' are actions exposed by this application.

    I am trying to make it a bit generic, where as a community owner I can group members of my community in different groups and allow these groups to take certain actions on the applications in my community. For example, I can create a group like 'forum.moderators' and add some users to that group; similarly I could create a group 'calendar.publishers' and add some other users to that group.

    Does this clarify the problem statement better?

  8. #8
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team
    Join Date: Aug 2004, Location: Glasgow, Scotland, Posts: 3,449

    Well, if they really are separate applications, then "calendar.publishers" is just a logical role "publishers" within the calendar application. When a user logs in to an application, you can build a list of "roles" for that user/application combination (you could also use CAS or something similar for SSO authentication). You also seem to be saying that you want to be able to define the authorization constraints that apply to a particular action (e.g. a url) dynamically, so you'd have to implement your own ObjectDefinitionSource. There are previous threads on this if you feel that it's essential, but you'd have to include some kind of caching if you wanted to change them while the app was running.

  9. #9


    I agree that "calendar.publishers" is a logical role, but in this case there are multiple calendars within the same application and each calendar needs to have its own auth system, so the same user can have different roles in different calendars.
    So in effect the role would be like calendar.<calendarid>.publishers.
    I am still not too clear on how to implement it in terms of extension points in acegi. Is there some documentation I am missing?
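    The model the last two posts converge on (a list of roles built per user, role names scoped to one instance such as calendar.<calendarid>.publishers, and an action-to-role table that a community owner edits at runtime, with a cache so membership changes take effect without a restart) can be shown framework-neutrally. The following is an added example, not code from the thread, from Acegi, or from the poster's system; it stands in for the custom ObjectDefinitionSource and the per-user role list Luke describes, and every user, group and instance name in it is constructed for the example.

```python
from collections import defaultdict
from typing import Dict, Set, Tuple

# A resource is (application, instance id), e.g. ("calendar", "42"); an action
# is a plain string such as "publish". All names here are constructed for the
# example and are not part of Acegi or of the thread author's system.
Resource = Tuple[str, str]

# Pseudo-group every principal belongs to, used for rights such as public "view".
EVERYONE = "everyone"


def role_name(app: str, instance: str, logical_role: str) -> str:
    """Scope a logical role to one instance: calendar.<calendarid>.publishers."""
    return f"{app}.{instance}.{logical_role}"


class CommunityAuthz:
    """Stores group membership and the group -> (resource, action) grants that a
    community owner edits at runtime, and answers is_allowed() against them."""

    def __init__(self) -> None:
        self.group_members: Dict[str, Set[str]] = defaultdict(set)
        # Groups allowed to perform an action on a resource: the dynamic
        # "which roles does this action require" table from the thread.
        self.allowed_groups: Dict[Tuple[Resource, str], Set[str]] = defaultdict(set)
        # Per-user role cache, invalidated whenever that user's membership changes.
        self._role_cache: Dict[str, Set[str]] = {}

    def add_member(self, group: str, user: str) -> None:
        self.group_members[group].add(user)
        self._role_cache.pop(user, None)

    def remove_member(self, group: str, user: str) -> None:
        self.group_members[group].discard(user)
        self._role_cache.pop(user, None)

    def grant(self, app: str, instance: str, action: str, group: str) -> None:
        """Allow `group` to perform `action` on one instance of `app`."""
        self.allowed_groups[((app, instance), action)].add(group)

    def revoke(self, app: str, instance: str, action: str, group: str) -> None:
        self.allowed_groups[((app, instance), action)].discard(group)

    def roles_for(self, user: str) -> Set[str]:
        """The scoped roles a user holds across all communities, plus EVERYONE."""
        if user not in self._role_cache:
            self._role_cache[user] = {
                g for g, members in self.group_members.items() if user in members
            }
        return self._role_cache[user] | {EVERYONE}

    def is_allowed(self, user: str, app: str, instance: str, action: str) -> bool:
        """Deny by default: an action nobody has been granted stays closed."""
        groups = self.allowed_groups.get(((app, instance), action))
        if not groups:
            return False
        return not groups.isdisjoint(self.roles_for(user))


def build_sample() -> CommunityAuthz:
    """Constructed data: one community with two calendars and one discussion board."""
    az = CommunityAuthz()
    cal42_pub = role_name("calendar", "42", "publishers")
    cal42_mem = role_name("calendar", "42", "members")
    cal7_pub = role_name("calendar", "7", "publishers")
    forum_mod = role_name("forum", "1", "moderators")
    forum_mem = role_name("forum", "1", "members")

    # alice publishes calendar 42 and moderates the board; bob publishes only
    # calendar 7 and is an ordinary member elsewhere; carol is not a member.
    az.add_member(cal42_pub, "alice")
    az.add_member(cal42_mem, "bob")
    az.add_member(cal7_pub, "bob")
    az.add_member(forum_mod, "alice")
    az.add_member(forum_mem, "bob")

    az.grant("calendar", "42", "publish", cal42_pub)
    az.grant("calendar", "42", "view", EVERYONE)
    az.grant("calendar", "7", "publish", cal7_pub)
    az.grant("forum", "1", "moderate", forum_mod)
    az.grant("forum", "1", "post", forum_mem)
    az.grant("forum", "1", "post", forum_mod)
    az.grant("forum", "1", "view", EVERYONE)
    return az


if __name__ == "__main__":
    az = build_sample()
    for user in ("alice", "bob", "carol"):
        print(user, "publish calendar 42:", az.is_allowed(user, "calendar", "42", "publish"))
```

    In an AOP interceptor on the service layer, the advice would read the caller's identity, the application and the instance id from the method arguments and call `is_allowed()`; the point of the instance-scoped role name is that one user's roles in calendar 42 say nothing about calendar 7, and the point of the deny-by-default branch is that a newly added action is closed until the owner grants it.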
