I want to use Spring Security to manage user, group and permissions.
I want to use ACL to secure my domain objects but I can't find a way to assign a group to an acl.
For example:
I've got users and groups. Each group can have the following securities:
- manage forums (can be a role like ROLE_FORUM_MANAGER
)
- edit a specific forum (acl on the specific forum).
Moreover, Groups are defined by users which have role ROLE_PERMISSION_MANAGER
. BUT all groups defined by this user can only be edited and managed by this user. So group are attached to a user. Exactly, imagine that user creates a google group: this user can manage right permission groups only for the group he has created. And so he can create group to manage specific forum of its own google group.
How can I do it?
I read the spring security docs and the following tutorials (so please don't send me to these links): http://grzegorzborkowski.blogspot.com/2008/10/spring-security-acl-very-basic-tutorial.html http://blog.denksoft.com/?page_id=20
Check Spring Security 3.0, you might be able to avoid using ACL at all by using the Spring Expression Language.
For instance, for editing a forum, you would have a method secured like this:
@PreAuthorize("hasRole('ROLE_FORUM_MANAGER') and hasPermission(#forum,'update'))
public void updateForum(Forum forum) {
//some implementation
}
You would then implement the hasPermission method in a custom permission evaluator, like:
public class ForumPermissionEvaluator implements PermissionEvaluator {
public boolean hasPermission(Authentication authentication,
Object domainObject, Object permission) {
//implement
}
public boolean hasPermission(Authentication authentication,
Serializable targetId, String targetType, Object permission) {
//implement
}
}
Finally, wire it up together in the application config:
<beans:bean id="expressionHandler"
class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<beans:property name="permissionEvaluator" ref="permissionEvaluator"/>
</beans:bean>
<beans:bean id="permissionEvaluator"
class="x.y.z.ForumPermissionEvaluator" />