Spring Security for compartmentalized, multi-org web application

Skip Cole
Ranch Hand

Joined: Jan 05, 2001
Posts: 175

I have a web application to create online roleplays that I'm re-writing in Spring.

Currently it allows a user to log in and then see a list of all organizations that they are members of on the platform. They can then pick one section (Admin, Author, Facilitator or Player) and then enter into it. Picking the section they go into is important, because it requires a mental shift to go from thinking like an author or facilitator, etc. We want that mental shift made explicit by forcing the user to select what area they want to enter into.

Additionally, a user's permissions may be different for different organizations. So someone may be an author in Org 1, but only a player in Org 2. If they have no permissions in Org 3, then they would not even see it listed. Below is an example of what they may see after logging in:

Org 1
Author, Facilitator, Player

Org 2
Player

I am trying to implement this in Spring Security, but find it difficult. In the current application, the permissions were set after the user logged in and chose an organization and section to go into. Spring Security seems to highly lean toward loading all user permissions (authorities) at the moment of login. So now I'm considering what to do. I could chop the application into 4 different pieces and then just allow someone to only enter into one of those for one organization. But I'd rather keep it one platform, and have the user select the section they are entering after logging in at the one (and only one) login page.

Any thoughts?

Thanks,
Skip



If you love me, you will visit docs.opensimplatform.org
(FYI, Getting it tattooed on is a bit much.)
Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17257

Spring Security is customizable and also allows authorization in a very fine-grained way, and also in a dynamic way.

Look at the documentation under things like ACL and Voters. You could implement your own Voter that looks up the data and returns a boolean at runtime indicating whether they should be allowed through.

Another approach is using Spring Expression Language and Spring Security annotations like @PreAuthorize and @PostAuthorize.

Good Luck

Mark


Perfect World Programming, LLC - Two Laptop Bag - Tube Organizer
How to Ask Questions the Smart Way FAQ
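One way to carry out Mark's @PreAuthorize suggestion for the per-organization sections Skip describes, as an added example that is not code from this thread or from Skip's project: a custom PermissionEvaluator that checks an assumed authority naming convention ORG_<orgId>_<SECTION>, granted once at login by the UserDetailsService, so the "Author in Org 1, Player in Org 2" case needs no change of authorities after login. The class names, the authority format and the Spring Security 3.2/4.x method-security configuration API are assumptions.

```java
import java.io.Serializable;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/* Assumed convention: the UserDetailsService grants one authority per
 * (organization, section) pair, named "ORG_<orgId>_<SECTION>". A user who is
 * Author and Player in Org 1 and Player in Org 2 holds ORG_1_AUTHOR,
 * ORG_1_PLAYER and ORG_2_PLAYER; an org with no authority is simply absent. */
public class OrgSectionPermissionEvaluator implements PermissionEvaluator {

    // Called for SpEL hasPermission(#orgId, 'Org', 'AUTHOR'): the user may act in
    // that section of that organization only if the matching authority was loaded.
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (auth == null || targetId == null || !"Org".equals(targetType)) return false;
        String required = "ORG_" + targetId + "_" + String.valueOf(permission).toUpperCase();
        return auth.getAuthorities().stream()
                   .map(GrantedAuthority::getAuthority)
                   .anyMatch(required::equals);
    }

    // Object-based form is not used by this application; deny by default.
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        return false;
    }
}

// Registers the evaluator so hasPermission(...) in @PreAuthorize resolves to it.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler h = new DefaultMethodSecurityExpressionHandler();
        h.setPermissionEvaluator(new OrgSectionPermissionEvaluator());
        return h;
    }
}

class ScenarioService {
    // Only an Author of the selected organization may create a scenario in it;
    // the same user calling with another orgId where they are only a Player is denied.
    @PreAuthorize("hasPermission(#orgId, 'Org', 'AUTHOR')")
    public void createScenario(long orgId, String title) { /* persist the scenario */ }
}
```

The post-login selection page can list, for each org, the sections whose ORG_<orgId>_ authority the Authentication carries, so the user's explicit choice of section and the server-side check rest on the same data.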
Skip Cole
Ranch Hand

Joined: Jan 05, 2001
Posts: 175
Thanks Mark.

I'm starting to think now that for now I may just move to having one organization and database per application installation. That would simplify this a lot, and simple is good.
This is going to be a cloud based application this time, and so having a new URL and database to shoot to on demand may not be that hard to pull off. (Skip says naively.)

I have to admit, I keep reading about how flexible Spring Security is, but then when I try to do anything with it (like change the authorities on a user after they have logged in) I run up against problems. It probably is time to simplify.

Thanks again for the leads you gave me. Someday they may come in very handy.

Best,
Skip
Bill Gorder
Bartender

Joined: Mar 07, 2010
Posts: 1666

You need to introduce groups.

Groups are basically a layer of indirection between users and GrantedAuthority declarations by grouping the GrantedAuthority into logical sets. In this way users can be assigned to one or more groups; these groups allow you to deal with the scenario where there are overlapping roles between groups.


[How To Ask Questions][Read before you PM me]
Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17257

Bill Gorder wrote:
You need to introduce groups.

Groups are basically a layer of indirection between users and GrantedAuthority declarations by grouping the GrantedAuthority into logical sets. In this way users can be assigned to one or more groups; these groups allow you to deal with the scenario where there are overlapping roles between groups.


Yes, I think groups can help with Org 1, 2, 3. But when you get to data-driven security you have to go deeper.

Here is an article I wrote a while ago at The Server Side about customizing your user and UserDetailsService:

http://www.theserverside.com/tip/-Spring-Security-Customizing-Your-User-and-Authorization-in

Mark