Hao Chen wrote:
I have a use case that requires role-based
authorization, but the user's role
is based on the access context. Roles are assigned to
a user based on the "workspace" the user is accessing.
For example, a user may have role X in
workspace A, but may have role Y in "workspace" B. I
think many systems may have similar concepts. I know
ACL would work for this, but I just wonder whether
Acegi has any built-in tools for handling such
scoped-roles easily. Or is there any suggested
approach for this use case?
If you search for my posts on the forums, I have discussed subscriber-specific GrantedAuthority[]s. In an ASP deployment, you may have a SubscriberThreadLocal, which has a subscriber number. Then your UserDetailsService looks at the active SubscriberId, and only adds roles which the principal has for that SubscriberId. Your workspace notion may, however, be more related to an argument passed to a services layer method. In that situation you're better off having a custom GrantedAuthority returned by your UserDetailsService, and a custom AccessDecisionVoter that knows how to process that custom GrantedAuthority. The exact approach depends on what you're trying to achieve.

Cheers
Ben
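
An added illustration of the second approach in the reply above (not code from the post or from Acegi): an authority that carries its workspace, and the decision a custom voter would make when the workspace arrives as a service-method argument. The `WorkspaceAuthority` type, the `WS_` attribute prefix and the `vote` signature are assumptions made for this example; they are plain-Java stand-ins, not Acegi's `GrantedAuthority` and `AccessDecisionVoter` interfaces, and only the three result constants mirror the voter's grant/abstain/deny convention.

```java
import java.util.Arrays;
import java.util.List;

public class WorkspaceRoleDemo {
    // Same three outcomes an access-decision voter can return.
    static final int ACCESS_GRANTED = 1, ACCESS_ABSTAIN = 0, ACCESS_DENIED = -1;

    /** Hypothetical custom authority: a role that is valid only inside one workspace. */
    static final class WorkspaceAuthority {
        final String workspace, role;
        WorkspaceAuthority(String workspace, String role) {
            this.workspace = workspace;
            this.role = role;
        }
    }

    /**
     * Hypothetical voter logic. The secured method is configured with an attribute
     * "WS_<role>" (assumed naming); targetWorkspace is taken from the method argument.
     */
    static int vote(List<WorkspaceAuthority> granted, String targetWorkspace, String attribute) {
        // Attributes without our prefix belong to other voters: do not decide.
        if (attribute == null || !attribute.startsWith("WS_")) return ACCESS_ABSTAIN;
        // Fail closed: a workspace-scoped check with no workspace is a denial.
        if (targetWorkspace == null) return ACCESS_DENIED;
        String requiredRole = attribute.substring("WS_".length());
        for (WorkspaceAuthority a : granted) {
            // Both parts must match; holding the role elsewhere grants nothing here.
            if (a.workspace.equals(targetWorkspace) && a.role.equals(requiredRole)) {
                return ACCESS_GRANTED;
            }
        }
        return ACCESS_DENIED;
    }

    public static void main(String[] args) {
        // Constructed sample: role X in workspace A, role Y in workspace B.
        List<WorkspaceAuthority> user = Arrays.asList(
                new WorkspaceAuthority("A", "X"),
                new WorkspaceAuthority("B", "Y"));
        System.out.println("X in A:       " + vote(user, "A", "WS_X"));
        System.out.println("X in B:       " + vote(user, "B", "WS_X"));
        System.out.println("Y in B:       " + vote(user, "B", "WS_Y"));
        System.out.println("Y, no scope:  " + vote(user, null, "WS_Y"));
        System.out.println("other attr:   " + vote(user, "A", "ROLE_ADMIN"));
    }
}
```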


_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
