Dynamic Spring 3 Security?

William Stephens
Greenhorn

Joined: Dec 13, 2007
Posts: 16
Can Spring 3 Security be configured to handle the following use case of dynamically created authorization?

We have static Groups and Roles to which individual users are mapped. These are created at application install.
Super Admin
Site Admin
Site Principal Investigator
Site Clinician

We have Sites that indicate the locations of work groups.
Site 1
Site 2...

As new users are added they are associated with a site and role. Our current system dynamically creates "protection elements" that will allow the user to access their site information, but not other sites. When a user attempts to perform an operation we invoke a Web Service to verify permissions first.

So, can I dynamically update the security configuration to allow protection of the data elements as they are added?

Thanks,
Bill S.

Peter Mularien
Author
Ranch Hand

Joined: Sep 06, 2007
Posts: 84
Hello Bill,

Thanks for the excellent question. While the book doesn't cover a scenario that has quite this much detail, we do cover a lot of the building blocks that you'd probably need to put together to customize this type of solution.

I can try to give a more specific suggestion if you can clarify some aspects of your problem - do you access a web service every time a user attempts an action? Is "an action" mapped by URL, by business/domain object, by business method?

The general answer is, yes, you could most likely extend Spring Security to do what you're describing, but before you start, it's important to clearly understand what you are trying to accomplish, how you will verify that you've modeled the security domain correctly, and that you understand the underpinnings of Spring Security well enough to see where and how it should be extended.

Hope that answers your question and look forward to providing a more precise answer!

Peter


Author, Spring Security 3 (the Book), Packt Publishing, 2010
SCJP, OCP
William Stephens
Greenhorn

Joined: Dec 13, 2007
Posts: 16
Peter,

Thanks for your reply.

Peter Mularien wrote:
I can try to give a more specific suggestion if you can clarify some aspects of your problem - do you access a web service every time a user attempts an action? Is "an action" mapped by URL, by business/domain object, by business method?


Our UI maintains a user's Group and Role information to prevent expensive web service invocations. In the case where the user is in the correct Group or Role we invoke the service to determine if the user has appropriate permissions to access a specific instance of a business/domain object (really a record in a DB).

Thanks,
Bill S.
Peter Mularien
Author
Ranch Hand

Joined: Sep 06, 2007
Posts: 84
Hello Bill,

It sounds like this is similar to Spring Security's ACL model, which is used to secure access to domain objects using the combination of user, membership, action, and object to make an authorization judgment. It's possible you could either adapt / extend the Spring Sec ACL model to do what you need, or see how it works behind the scenes, and build something similar using your web service-based authentication mechanism - without getting really into the weeds, it's difficult to make a recommendation, but I think one of these approaches would work.

Best,
Peter
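
The two-stage check described in this thread (cached Group/Role first, then a web service call for the specific record), sketched as a Spring Security `PermissionEvaluator`. This is an added example, not code from either poster or from the book; `SitePermissionClient`, the class name and the `ROLE_*` authority names are assumptions standing in for the existing web service and role mapping.

```java
import java.io.Serializable;
import java.util.Arrays;
import java.util.List;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/** Hypothetical client for the existing permission web service (assumed, not a Spring type). */
interface SitePermissionClient {
    boolean isAllowed(String username, String targetType, Serializable targetId, String action);
}

/** Role check from the cached authorities first, then the per-record remote check. Denies by default. */
public class WebServicePermissionEvaluator implements PermissionEvaluator {
    // Assumed authority names for the static roles listed in the question.
    private static final List<String> SITE_ROLES = Arrays.asList(
            "ROLE_SUPER_ADMIN", "ROLE_SITE_ADMIN",
            "ROLE_SITE_PRINCIPAL_INVESTIGATOR", "ROLE_SITE_CLINICIAN");
    private final SitePermissionClient client;

    public WebServicePermissionEvaluator(SitePermissionClient client) {
        this.client = client;
    }

    // Object form is not supported in this sketch, so it denies rather than guessing an id.
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        return false;
    }

    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (auth == null || !auth.isAuthenticated() || targetId == null || permission == null) {
            return false;
        }
        if (!hasAnySiteRole(auth)) {
            return false; // cheap local check, no remote call for users without a site role
        }
        try {
            return client.isAllowed(auth.getName(), targetType, targetId, permission.toString());
        } catch (RuntimeException e) {
            return false; // fail closed when the service errors or is unreachable
        }
    }

    private boolean hasAnySiteRole(Authentication auth) {
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (SITE_ROLES.contains(ga.getAuthority())) return true;
        }
        return false;
    }
}
```

Registered on a `DefaultMethodSecurityExpressionHandler` via `setPermissionEvaluator`, it backs expressions such as `@PreAuthorize("hasPermission(#siteId, 'Site', 'read')")`, so records added at runtime are covered without changing the security configuration.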
 