RE: [Acegisecurity-developer] Instance based security

[March, Andres]

This is exactly what I am implementing right now.  Funny, that this is the first post I see when I joined the list.  I am creating a series of custom voters: ·        SimpleRoleVoter – will grant access if the user has the role in question, deny otherwise ·        EntityRoleVoter – will grant access if any of the user’s roles matches any of the roles of the entity being accessed, deny otherwise. ·        OwnerRelationshipVoter – will grant access if the entity being accessed is owned by the user, deny otherwise ·        Maybe another type of relationship as well. I am not creating my own AccessDecisionManager.  In order to plug in to existing authentication, I am implementing a custom provider and token.   Anything about this seem not right?  We are going to use the method invocation interceptor but it might be useful to write a custom one in the future.   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stefan D Sookraj Sent: Thursday, July 22, 2004 9:51 AM To: [EMAIL PROTECTED] Subject: Re: [Acegisecurity-developer] Instance based security   Actually, that is exactly what I was stating. He needs to know whether an employee is a CEO or a regular employee since both use the same Employee object. What I was eluding to is that currently, even if you added a property in the Employee object to determine if it is a CEO or not, I was not sure if the Method security would be able to decide upon that attribute. But I think your suggestions regarding using a voter or other way may just work. I am also now starting to integrate Acegi with my application so I am no expert and have not looked into writing a custom voter. I have written a custom provider, custom processing filter and custom filter entry point. I will need to give this some more thought since I have came across this scenario many times and sure will in this current application. Thank uyou.     This is something I've been pondering as well. Stefan: I don't think that's what Andy means. I believe that the security would be based on some property of the instance, rather than of the user. I came from the Notes/Domino world, where a similar concept was applied with Readers and Authors properties of a document. There, a document might have a property called "AllowedReaders" which might be a list of something like (turning into the Acegi type terminology): ROLE_Admin ROLE_Approver Steve Storey/SomeCompany In this case, ideally, I'd like the security manager to decide whether to allow the action based on who I am as well as the roles I have. In this case, the action would be allowed if one of my principals was "Steve Storey/SomeCompany" or I have the ROLE_ADMIN role, or ROLE_Approver role. I haven't properly thought it all through yet, but I think this can be done with a custom Voter implementation (rather than having to do a complete AccessDecisionManager, which might be more appropriate for some circumstances). It should be fairly easy if the Object implements a specific interface (e.g. InstanceSecured) which might have the facility to return a list of principals (including names, roles, groups etc.) authorised to read the object and modify it. There's no reason why this couldn't be extended further to specific applications, so an object might return specific lists of principals authorised to read, modify content, approve, delete, etc. just by implementing different interfaces. As I'm learning a fair amount at the moment with Acegi, Spring and Hibernate, I haven't got down to actually trying to implement such a scheme yet, and I think there can be ways to make it more generic. Steve. Steve Storey Cygnite Ltd. 4th Floor, Counting House, 53 Tooley Street London SE1 2QN. T : (+44) 020 7645 3833 F : (+44) 020 7645 3834 E : [EMAIL PROTECTED] W : http://www.cygnite.com/