This is something I've been pondering as well.

Stefan: I don't think that's what Andy means. I believe that the security would be based on some property of the instance, rather than of the user.

I came from the Notes/Domino world, where a similar concept was applied with Readers and Authors properties of a document. There, a document might have a property called "AllowedReaders" which might be a list of something like (turning into the Acegi type terminology):

ROLE_Admin
ROLE_Approver
Steve Storey/SomeCompany

In this case, ideally, I'd like the security manager to decide whether to allow the action based on who I am as well as the roles I have. In this case, the action would be allowed if one of my principals was "Steve Storey/SomeCompany" or I have the ROLE_ADMIN role, or ROLE_Approver role.

I haven't properly thought it all through yet, but I think this can be done with a custom Voter implementation (rather than having to do a complete AccessDecisionManager, which might be more appropriate for some circumstances). It should be fairly easy if the Object implements a specific interface (e.g. InstanceSecured) which might have the facility to return a list of principals (including names, roles, groups etc.) authorised to read the object and modify it.

There's no reason why this couldn't be extended further to specific applications, so an object might return specific lists of principals authorised to read, modify content, approve, delete, etc. just by implementing different interfaces.

As I'm learning a fair amount at the moment with Acegi, Spring and Hibernate, I haven't got down to actually trying to implement such a scheme yet, and I think there can be ways to make it more generic.

Steve.

Steve Storey
Cygnite Ltd.
4th Floor, Counting House,
53 Tooley Street
London SE1 2QN.

T : (+44) 020 7645 3833
F : (+44) 020 7645 3834
E : [EMAIL PROTECTED]
W : http://www.cygnite.com/
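
The decision described in the message above, as an added example that is not part of the original post and is not Acegi code: it models the grant/abstain/deny outcome of a voter in plain Java. The InstanceSecured interface is the hypothetical one the post names; getAllowedReaders, the Document class and the sample values are assumptions made here.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class InstanceVoterExample {
    // Outcome values modelled on a voter's grant / abstain / deny result.
    static final int GRANTED = 1, ABSTAIN = 0, DENIED = -1;

    /** Hypothetical interface named in the post: the instance lists who may read it. */
    interface InstanceSecured {
        List<String> getAllowedReaders();
    }

    /** Constructed sample document carrying its own reader list. */
    static class Document implements InstanceSecured {
        private final List<String> allowedReaders;
        Document(String... readers) { this.allowedReaders = Arrays.asList(readers); }
        public List<String> getAllowedReaders() { return allowedReaders; }
    }

    /**
     * Grants if the caller's name or any held role appears in the instance's list.
     * Abstains for objects that are not InstanceSecured; denies otherwise,
     * including when the list is null or empty (fail closed).
     */
    static int vote(String principalName, Set<String> roles, Object target) {
        if (!(target instanceof InstanceSecured)) return ABSTAIN;
        List<String> allowed = ((InstanceSecured) target).getAllowedReaders();
        if (allowed == null) return DENIED;
        for (String entry : allowed) {
            if (entry == null) continue; // ignore malformed entries
            // Exact, case-sensitive match: "ROLE_ADMIN" does not match "ROLE_Admin".
            if (entry.equals(principalName) || roles.contains(entry)) return GRANTED;
        }
        return DENIED;
    }

    public static void main(String[] args) {
        Document doc = new Document("ROLE_Admin", "ROLE_Approver", "Steve Storey/SomeCompany");
        Set<String> none = new HashSet<>();
        Set<String> approver = new HashSet<>(Arrays.asList("ROLE_Approver"));
        System.out.println(vote("Steve Storey/SomeCompany", none, doc));     // named principal
        System.out.println(vote("Someone Else/SomeCompany", approver, doc)); // role match
        System.out.println(vote("Someone Else/SomeCompany", none, doc));     // no match
        System.out.println(vote("Someone Else/SomeCompany", none, "text"));  // not instance-secured
    }
}
```

Because names and roles share one list here, a user whose principal name equals a role string would match that entry; keeping the two in separate lists or reserving the ROLE_ prefix for roles avoids that.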
