
How to implement it with Acegi?

Geek Smiles

Joined: Apr 19, 2008
Posts: 2
Our application has the following architecture:
We have a large number of users and services.
Each user may have the following authorities for each service:
view, edit, delete ... (custom).

The task is to do it with Acegi (Spring Security) and, with a large number of users, not to have an application failure - because if for each logged-in user the application stores all authorities for all services in memory, it is not a good idea.

I have read the Acegi Reference to understand how to implement it so that when a concrete user accesses a concrete service, the granted authorities (view, edit, delete ...) are checked in the database.

After investigating the Chapter 21 "Secure Object Implementations" approach, I understood that this approach is role-based, but in my case it is not possible to have roles.

Also I have looked at Chapter 22. Domain Object Security (ACL), but there we find the following:

"Instead, security decisions need to comprise both who (Authentication), where (MethodInvocation) and what (SomeDomainObject). In other words, authorization decisions also need to consider the actual domain object instance subject of a method invocation."

So as I understand it, the ACL approach is there to distinguish access to objects of the same class for different users - but I have different objects of different classes, i.e. services, so, as I understand, I cannot use this approach.

Also I have looked at an IBM article.

They write that I may hook an interceptor to my object.
As I understand it, I may hook an interceptor for each of my services and check permissions (view, edit, delete ...) in the database each time during invocation - would that be right, or what approach should I use?

Or maybe I should consider using another framework?
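The per-invocation check the post describes can be expressed in Acegi as a custom voter plugged into the MethodSecurityInterceptor, so that one (user, service, action) row is looked up at call time and nothing about the user's other services is held in memory. The code below is an added example, not from the original post and not Acegi's own code: the Acegi 1.0.x types (AccessDecisionVoter, ConfigAttributeDefinition, Authentication, aopalliance MethodInvocation) are real, while ServicePermissionDao, InMemoryPermissionDao, ServicePermissionVoter and the "PERM_" attribute prefix are hypothetical names chosen for the illustration.

```java
// Added example: a per-invocation permission voter for Acegi 1.0.x.
// Hypothetical names: ServicePermissionDao, InMemoryPermissionDao,
// ServicePermissionVoter, the "PERM_" prefix. Real Acegi/aopalliance
// interfaces: AccessDecisionVoter, ConfigAttribute(Definition),
// Authentication, MethodInvocation.
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;

import org.aopalliance.intercept.MethodInvocation;
import org.acegisecurity.Authentication;
import org.acegisecurity.ConfigAttribute;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.vote.AccessDecisionVoter;

/** Hypothetical DAO: one narrow lookup, backed by the permission table in a real deployment. */
interface ServicePermissionDao {
    boolean hasPermission(String username, String serviceName, String action);
}

/** Constructed in-memory stand-in for the database so the example runs offline. */
class InMemoryPermissionDao implements ServicePermissionDao {
    private final Set<String> granted = new HashSet<String>();

    void grant(String user, String service, String action) {
        granted.add(user + "|" + service + "|" + action);
    }

    public boolean hasPermission(String user, String service, String action) {
        return granted.contains(user + "|" + service + "|" + action);
    }
}

/** Votes on method calls whose config attributes look like PERM_view, PERM_edit, PERM_delete ... */
public class ServicePermissionVoter implements AccessDecisionVoter {
    static final String PREFIX = "PERM_";
    private final ServicePermissionDao dao;

    public ServicePermissionVoter(ServicePermissionDao dao) {
        this.dao = dao;
    }

    /** Only attributes with our prefix are ours; others are left to other voters. */
    public boolean supports(ConfigAttribute attribute) {
        return attribute.getAttribute() != null && attribute.getAttribute().startsWith(PREFIX);
    }

    /** This voter secures method invocations (MethodSecurityInterceptor), not URLs. */
    public boolean supports(Class clazz) {
        return MethodInvocation.class.isAssignableFrom(clazz);
    }

    public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
        MethodInvocation mi = (MethodInvocation) object;
        // The secured bean's declaring type is used as the "service" key in the permission table.
        String serviceName = mi.getMethod().getDeclaringClass().getName();
        int result = ACCESS_ABSTAIN;
        for (Iterator it = config.getConfigAttributes(); it.hasNext();) {
            ConfigAttribute attr = (ConfigAttribute) it.next();
            if (!supports(attr)) {
                continue;
            }
            String action = attr.getAttribute().substring(PREFIX.length());
            // Exactly one lookup per (user, service, action) at call time; nothing is cached per login.
            if (dao.hasPermission(authentication.getName(), serviceName, action)) {
                return ACCESS_GRANTED;
            }
            // An attribute applied to this voter but the user does not hold it: deny unless another matches.
            result = ACCESS_DENIED;
        }
        return result;
    }
}
```

Wiring (assumed, not shown): register the voter in an AffirmativeBased AccessDecisionManager with allowIfAllAbstainDecisions left at false, so a method that carries no PERM_ attribute and draws no other vote is denied rather than silently allowed, and list the service methods with their required action in the MethodSecurityInterceptor's objectDefinitionSource (for example a line of the form `com.example.OrderService.delete=PERM_delete`, where the class name is a placeholder). Because every decision is a single indexed lookup, memory use no longer grows with the number of authorities per user; the trade-off is one database round trip per secured call, which is where a small time-bounded cache would go if that ever becomes the bottleneck.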
