File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Spring and the fly likes Security RBAC Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Frameworks » Spring
Bookmark "Security RBAC" Watch "Security RBAC" New topic

Security RBAC

Stephane Clinckart
Ranch Hand

Joined: Oct 21, 2003
Posts: 89

I would like to know if Spring security provide an esay way to integrate security based on a RBAC model.

- Where are stored the groups?
- Is it possible to add groups dynamicly?
- Is it possible to have "system" users?
- Where are the users stored?
- Is it possible to add users dynamicly?

If I want to secure my "datas"... with a RBAC model... what is provided by Spring Security?

How easy is it to have security based on a calendar?
--> Permission X is provided to user Y from 10 till 20 of june by exemple?

How easy is it to implement permission delegation?
--> User X has permission a, b, c and what to delegate permission c to user Y during his hollidays (from 10 to 20 of july by exemple).

Is Spring Security the right framework to achieve this kind of problems?

If yes... could you spot some samples on the net?
--> Are that kind of problems explained in your book?

Thanks a lot.

Stephane Clinckart
Peter Mularien
Ranch Hand

Joined: Sep 06, 2007
Posts: 84
Hello Stephane,

Lots of questions - I'm not sure I can answer them all directly, since a lot depends on the particular implementation constraints that you have.

In general, the part of Spring Security that you'd look to in order to implement this type of functionality is the ACL module. This module is covered in Chapter 7 of the book, although really it's complex enough (and real-world examples are typically even more so) that you could probably write hundreds of pages on ACL implementations and extensions alone. For example, much of what you describe comes out of the box, but things like the calendar-based permissions do not, and to implement this, you'd need to be comfortable enough with the Spring Sec ACL implementation to extend it to provide this functionality.

I hope that answers your question!


Author, Spring Security 3 (the Book), Packt Publishing, 2010
Pradeep bhatt
Ranch Hand

Joined: Feb 27, 2002
Posts: 8927

Can you please tell me what is RBAC model ?

Stephane Clinckart
Ranch Hand

Joined: Oct 21, 2003
Posts: 89
Pradeep bhatt wrote:Can you please tell me what is RBAC model ?

Have a look to this definition:

It will be more comprehensible than my explainations ;-)
I agree. Here's the link:
subject: Security RBAC
It's not a secret anymore!