Actually, that is exactly what I was stating. He needs to know whether an
employee is a CEO or a regular employee since both use the same Employee object.
What I was alluding to is that currently, even if you added a property in the
Employee object to determine if it is a CEO or not, I was not sure if the Method
security would be able to decide upon that attribute. But I think your
suggestions regarding using a voter or other way may just work. I am also now
starting to integrate Acegi with my application so I am no expert and have not
looked into writing a custom voter. I have written a custom provider, custom
processing filter and custom filter entry point. I will need to give this some
more thought since I have come across this scenario many times and sure will in
this current application. Thank you.
This is something I've been pondering as well.
Stefan: I don't think that's what Andy means. I believe that the security would be based on some property of the instance, rather than of the user.
I came from the Notes/Domino world, where a similar concept was applied with Readers and Authors properties of a document. There, a document might have a property called "AllowedReaders" which might be a list of something like (turning into the Acegi type terminology):
ROLE_Admin
ROLE_Approver
Steve Storey/SomeCompany
In this case, ideally, I'd like the security manager to decide whether to allow the action based on who I am as well as the roles I have. In this case, the action would be allowed if one of my principals was "Steve Storey/SomeCompany" or I have the ROLE_ADMIN role, or ROLE_Approver role.
I haven't properly thought it all through yet, but I think this can be done with a custom Voter implementation (rather than having to do a complete AccessDecisionManager, which might be more appropriate for some circumstances). It should be fairly easy if the Object implements a specific interface (e.g. InstanceSecured) which might have the facility to return a list of principals (including names, roles, groups etc.) authorised to read the object and modify it.
There's no reason why this couldn't be extended further to specific applications, so an object might return specific lists of principals authorised to read, modify content, approve, delete, etc. just by implementing different interfaces.
As I'm learning a fair amount at the moment with Acegi, Spring and Hibernate, I haven't got down to actually trying to implement such a scheme yet, and I think there can be ways to make it more generic.
Steve.
Steve Storey
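A sketch of the custom voter Steve describes, added here as an example; it is not code from the thread or from Acegi itself. It assumes Acegi's org.acegisecurity package names, a hypothetical InstanceSecured interface on the domain object, and a hypothetical INSTANCE_READ config attribute on the secured method; the voter abstains whenever the attribute or a secured argument is absent, so the ordinary RoleVoter still decides those calls.

```java
import java.util.Iterator;
import java.util.List;
import org.aopalliance.intercept.MethodInvocation;
import org.acegisecurity.Authentication;
import org.acegisecurity.ConfigAttribute;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.vote.AccessDecisionVoter;

/** Hypothetical interface: the object publishes who may read it. */
interface InstanceSecured {
    /** Principal names ("Steve Storey/SomeCompany") and role names ("ROLE_Approver"). */
    List getAllowedReaders();
}

/** Grants when the caller's name or one of its roles is on the instance's reader list. */
public class InstanceSecuredVoter implements AccessDecisionVoter {
    private static final String ATTRIBUTE = "INSTANCE_READ"; // assumed attribute name

    public boolean supports(ConfigAttribute attribute) {
        return ATTRIBUTE.equals(attribute.getAttribute());
    }

    public boolean supports(Class clazz) {
        return MethodInvocation.class.isAssignableFrom(clazz);
    }

    public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
        boolean tagged = false; // only vote on methods tagged with our attribute
        for (Iterator it = config.getConfigAttributes(); it.hasNext();) {
            if (supports((ConfigAttribute) it.next())) tagged = true;
        }
        InstanceSecured target = tagged ? findSecuredArgument((MethodInvocation) object) : null;
        if (target == null) return ACCESS_ABSTAIN; // nothing to decide on; leave it to other voters

        List allowed = target.getAllowedReaders();
        if (allowed.contains(authentication.getName())) return ACCESS_GRANTED; // matched by principal
        GrantedAuthority[] authorities = authentication.getAuthorities();
        for (int i = 0; i < authorities.length; i++) {
            if (allowed.contains(authorities[i].getAuthority())) return ACCESS_GRANTED; // matched by role
        }
        return ACCESS_DENIED; // an explicit list exists and the caller is not on it
    }

    private InstanceSecured findSecuredArgument(MethodInvocation mi) {
        Object[] args = mi.getArguments();
        for (int i = 0; i < args.length; i++) {
            if (args[i] instanceof InstanceSecured) return (InstanceSecured) args[i];
        }
        return null;
    }
}
```

Because this voter inspects method arguments, it fits calls where the secured object is passed in (modify, approve, delete); for reads that return the object, the same list check belongs in an after-invocation provider instead.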