Nov 16th, 2010, 04:13 AM
Security based on logical operations
I need to configure Spring Security to allow the caller to do some logical operations over my classes. For example, I need to allow a user to LIST, VIEW and WRITE the PRODUCTS entity (the whole entity) and LIST the ORDERS entity, and allow another user to LIST and READ the PRODUCTS entity but LIST, READ and WRITE the ORDERS entity, and so on (yeah, I distinguish between LIST and READ).
Moreover, I have another type of permission for the menu. My menu is a tree structure in which each item links to the related form or grid. I need to link the authority for a menu item to another table to instantiate the corresponding form or grid on the client side.
I'm not interested right now in implementing ACL; it is not a requirement, but maybe it could be interesting to be able to implement it for some other entities.
The question is: how can I implement this security with Spring?
My current bet is an authority-based implementation with groups, making an authority for each operation and entity (LIST_PRODUCTS, READ_PRODUCTS, WRITE_PRODUCTS, MENU_PRODUCTS, LIST_ORDERS, READ_ORDERS, WRITE_ORDERS, MENU_ORDERS, and so on) and annotating each secure method with @Secured.
If you need more info, just ask. Thank you.
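One way to express the per-operation, per-entity authorities described in the post with Spring Security method security, as an added example that is not code from the original post or from Spring itself. It assumes a current Spring Security release (5.x or 6.x) where `@EnableMethodSecurity` and the `hasAuthority()` SpEL function are available; the operation and entity names are the poster's, while the package, class and method names (`Authorities`, `ProductService`, `MenuService`, `formFor`) and the two sample users are illustrative.

```java
// Added example (not from the original post): OP_ENTITY authorities such as
// LIST_PRODUCTS enforced with @PreAuthorize. Assumes Spring Security 5.x/6.x;
// class, method and package names are illustrative.
package example.security;

import java.util.Collection;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.parameters.P;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Service;

/** Turns on @PreAuthorize evaluation for every Spring bean. */
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

/** Operations and entities from the post; an authority is OP_ENTITY. */
enum Op { LIST, READ, WRITE, MENU }
enum Entity { PRODUCTS, ORDERS }

final class Authorities {
    private Authorities() {
    }

    static GrantedAuthority of(Op op, Entity entity) {
        return new SimpleGrantedAuthority(op.name() + "_" + entity.name());
    }

    /** All authorities for one entity, e.g. of(PRODUCTS, LIST, READ, WRITE). */
    static Set<GrantedAuthority> of(Entity entity, Op first, Op... rest) {
        return EnumSet.of(first, rest).stream()
                .map(op -> of(op, entity))
                .collect(Collectors.toSet());
    }

    /** First user in the post: full PRODUCTS access, LIST on ORDERS (constructed sample). */
    static UserDetails productEditor(String encodedPassword) {
        Collection<GrantedAuthority> granted = new HashSet<>();
        granted.addAll(of(Entity.PRODUCTS, Op.LIST, Op.READ, Op.WRITE, Op.MENU));
        granted.addAll(of(Entity.ORDERS, Op.LIST, Op.MENU));
        return User.withUsername("product-editor").password(encodedPassword)
                .authorities(granted).build();
    }

    /** Second user in the post: read-only PRODUCTS, full ORDERS access (constructed sample). */
    static UserDetails orderClerk(String encodedPassword) {
        Collection<GrantedAuthority> granted = new HashSet<>();
        granted.addAll(of(Entity.PRODUCTS, Op.LIST, Op.READ, Op.MENU));
        granted.addAll(of(Entity.ORDERS, Op.LIST, Op.READ, Op.WRITE, Op.MENU));
        return User.withUsername("order-clerk").password(encodedPassword)
                .authorities(granted).build();
    }
}

/** Each operation is a separate method, so each gets its own authority check. */
@Service
class ProductService {
    private final Map<Long, String> products = new ConcurrentHashMap<>();

    @PreAuthorize("hasAuthority('LIST_PRODUCTS')")
    public List<Long> list() {
        return List.copyOf(products.keySet());
    }

    @PreAuthorize("hasAuthority('READ_PRODUCTS')")
    public String read(long id) {
        return products.get(id);
    }

    @PreAuthorize("hasAuthority('WRITE_PRODUCTS')")
    public void write(long id, String description) {
        products.put(id, description);
    }
}

@Service
class MenuService {
    /**
     * One method serves every menu item: the SpEL expression reads the
     * 'entity' parameter (named via @P) and requires MENU_<ENTITY>. A caller
     * lacking that authority gets an AccessDeniedException instead of the
     * form/grid name, so the server, not the client, decides what is visible.
     */
    @PreAuthorize("hasAuthority('MENU_' + #entity.name())")
    public String formFor(@P("entity") Entity entity) {
        return entity.name().toLowerCase() + "-grid";
    }
}
```

The example uses `@PreAuthorize` rather than the `@Secured` the post proposes for one reason worth checking in your own setup: in the voter-based configuration of Spring Security 3.x, `@Secured` attributes are evaluated by `RoleVoter`, which only considers attributes that start with `ROLE_`, so an attribute like `LIST_PRODUCTS` is abstained on and the call is denied by default; `hasAuthority()` matches the authority string exactly and needs Spring Security 3.1 or later. The `Authorities` helper also keeps the authority strings in one place, so a typo in an annotation fails closed (the authority is simply never granted) rather than silently widening access.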