Stephane Bailliez wrote:
> Hi all,
>
> I'm trying to see whether there is an easy way to implement roles
> (authorities) for several applications. Each application having its own
> set of authorities (i.e. john being registered as ROLE_SUPERVISOR only
> for application A, does not apply to application B and C for example).
>
> Seems there is no support for this out of the box and the model is
> rather flat.
>
> A potential workaround I was thinking to avoid too much initial code
> would be to have a convention such as: ROLE_A_SUPERVISOR,
> ROLE_B_SUPERVISOR respectively for application A and B which will be an
> acceptable workaround for half a dozen applications in the short term
> even though not extremely elegant.
>
> Has anyone solved this type of issue differently or have any opinion on
> the above?

Another option is to modify your UserDetailsService to return a custom GrantedAuthority that reflects the assigned role in one property and the application in another. Then provide a custom AccessDecisionVoter that works with your custom GrantedAuthority and is aware of which application the present operation applies to (perhaps derived from a configuration property or a ThreadLocal or even contextual metadata like a method argument).

Cheers
Ben

_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
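
A sketch of the approach described in the reply above, as an added example that is not part of the original thread and not Acegi's own code. It assumes the Acegi Security 1.0.x API under `org.acegisecurity`; `ApplicationRoleVoter`, `ApplicationGrantedAuthority`, the ThreadLocal holder and the `application:role` string format are hypothetical names chosen for illustration.

```java
import java.util.Iterator;
import org.acegisecurity.Authentication;
import org.acegisecurity.ConfigAttribute;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.vote.AccessDecisionVoter;

// Hypothetical voter: a ROLE_* attribute is satisfied only by an authority
// that was granted for the application the current operation belongs to.
public class ApplicationRoleVoter implements AccessDecisionVoter {
    // Hypothetical authority: role in one property, application in another.
    public static class ApplicationGrantedAuthority implements GrantedAuthority {
        private final String application;
        private final String role;
        public ApplicationGrantedAuthority(String application, String role) {
            if (application == null || role == null) throw new IllegalArgumentException("application and role required");
            this.application = application;
            this.role = role;
        }
        public String getApplication() { return application; }
        public String getRole() { return role; }
        // Composite string: a voter comparing against plain "ROLE_SUPERVISOR"
        // cannot match an authority that was granted for another application.
        public String getAuthority() { return application + ":" + role; }
    }

    // Assumption: a filter or per-deployment setup sets this for each request.
    // When unset, nothing matches, so the vote fails closed.
    private static final ThreadLocal CURRENT_APPLICATION = new ThreadLocal();
    public static void setCurrentApplication(String app) { CURRENT_APPLICATION.set(app); }
    public static void clearCurrentApplication() { CURRENT_APPLICATION.set(null); }

    public boolean supports(ConfigAttribute attribute) {
        String value = attribute.getAttribute();
        return value != null && value.startsWith("ROLE_");
    }
    public boolean supports(Class clazz) { return true; }

    public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
        String app = (String) CURRENT_APPLICATION.get();
        GrantedAuthority[] granted = authentication.getAuthorities();
        int result = ACCESS_ABSTAIN;
        for (Iterator it = config.getConfigAttributes(); it.hasNext();) {
            ConfigAttribute attribute = (ConfigAttribute) it.next();
            if (!supports(attribute)) continue;
            result = ACCESS_DENIED; // a role is required: deny unless matched below
            for (int i = 0; granted != null && i < granted.length; i++) {
                if (!(granted[i] instanceof ApplicationGrantedAuthority)) continue;
                ApplicationGrantedAuthority a = (ApplicationGrantedAuthority) granted[i];
                if (a.getApplication().equals(app) && a.getRole().equals(attribute.getAttribute())) return ACCESS_GRANTED;
            }
        }
        return result;
    }
}
```

The UserDetailsService would return `ApplicationGrantedAuthority` instances, and this voter would be registered with the AccessDecisionManager in place of the stock role voter. Clear the ThreadLocal at the end of each request so a pooled thread does not carry one application's context into another's.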