
Spring Security for compartmentalized, multi-org web application

 
Skip Cole
Ranch Hand
Posts: 177

I have a web application to create online roleplays that I'm re-writing in Spring.

Currently it allows a user to log in and then see a list of all organizations that they are members of on the platform. They can then pick one section (Admin, Author, Facilitator or Player) and then enter into it. Picking the section they go into is important, because it requires a mental shift to go from thinking like an author or facilitator, etc. We want that mental shift made explicit by forcing the user to select what area they want to enter into.

Additionally, a user's permissions may be different for different organizations. So someone may be an author in Org 1, but only a player in Org 2. If they have no permissions in Org 3, then they would not even see it listed. Below is an example of what they may see after logging in:

Org 1
Author, Facilitator, Player

Org 2
Player

I am trying to implement this in Spring Security, but find it difficult. In the current application, the permissions were set after the user logged in and chose an organization and section to go into. Spring Security seems to highly lean toward loading all user permissions (authorities) at the moment of login. So now I'm considering what to do. I could chop the application into 4 different pieces and then just allow someone to only enter into one of those for one organization. But I'd rather keep it one platform, and have the user select the section they are entering after logging in at the one (and only one) login page.

Any thoughts?

Thanks,
Skip


 
Mark Spritzler
ranger
Sheriff
Posts: 17278
Spring Security is customizable and also allows authorization in a very fine-grained way, and also in a dynamic way.

Look at the documentation under things like ACL and Voters. You could implement your own Voter that looks up the data and returns a boolean at runtime indicating whether they should be allowed through.

Another approach is using Spring Expression Language and Spring Security annotations like @PreAuthorize and @PostAuthorize.

Good Luck

Mark
 
Skip Cole
Ranch Hand
Posts: 177
Thanks Mark.

I'm starting to think now that for now I may just move to having one organization and database per application installation. That would simplify this a lot, and simple is good.
This is going to be a cloud based application this time, and so having a new URL and database to shoot to on demand may not be that hard to pull off. (Skip says naively.)

I have to admit, I keep reading about how flexible Spring Security is, but then when I try to do anything with it (like change the authorities on a user after they have logged in) I run up against problems. It probably is time to simplify.

Thanks again for the leads you gave me. Someday they may come in very handy.

Best,
Skip
 
Bill Gorder
Bartender
Posts: 1682
You need to introduce groups.

Groups are basically a layer of indirection between users and GrantedAuthority declarations by grouping the GrantedAuthority into logical sets. In this way users can be assigned to one or more groups; these groups allow you to deal with the scenario where there are overlapping roles between groups.
 
Mark Spritzler
ranger
Sheriff
Posts: 17278
Bill Gorder wrote: You need to introduce groups.

Groups are basically a layer of indirection between users and GrantedAuthority declarations by grouping the GrantedAuthority into logical sets. In this way users can be assigned to one or more groups; these groups allow you to deal with the scenario where there are overlapping roles between groups.


Yes I think Groups can help with Org1, 2, 3. But when you get to data driven security you have to go deeper.

Here is an article I wrote a while ago at The Server Side about customizing your user and userDetailsService

http://www.theserverside.com/tip/-Spring-Security-Customizing-Your-User-and-Authorization-in

Mark
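Combining the two leads Mark gives above (SpEL with @PreAuthorize, and a customised User/UserDetailsService), here is an added example that is not code from this thread or from Spring Security itself. It keeps Skip's single login page and still scopes permissions per organisation: every org/section membership is loaded once at login as an authority such as ORG_1_AUTHOR, and a PermissionEvaluator checks the organisation named by the method argument, so the section a user "enters" after login is only UI state and never what grants access. The Membership record, MembershipRepository, OrgAuthority, ScenarioService and the ORG_<orgId>_<SECTION> encoding are assumptions of this example; PermissionEvaluator, @PreAuthorize, UserDetailsService, User and SimpleGrantedAuthority are real Spring Security types.

```java
import java.io.Serializable;
import java.util.*;
import java.util.stream.Collectors;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.*;
// Hypothetical membership record and repository (not Spring types): user holds `section` in org `orgId`;
// findPasswordHash returns null for an unknown user.
record Membership(long orgId, String section) {}
interface MembershipRepository { String findPasswordHash(String user); List<Membership> findByUsername(String user); }

// Org-scoped authority encoded as ORG_<orgId>_<SECTION>, e.g. ORG_2_PLAYER (encoding is this example's choice).
final class OrgAuthority {
    static GrantedAuthority of(Object orgId, Object section) {
        return new SimpleGrantedAuthority("ORG_" + orgId + "_" + section.toString().toUpperCase(Locale.ROOT));
    }
}

// Customised UserDetailsService: loads every org/section pair the user holds, once, at login.
class OrgUserDetailsService implements UserDetailsService {
    private final MembershipRepository repo;
    OrgUserDetailsService(MembershipRepository repo) { this.repo = repo; }
    @Override public UserDetails loadUserByUsername(String username) {
        String hash = repo.findPasswordHash(username);
        if (hash == null) throw new UsernameNotFoundException(username);
        List<GrantedAuthority> auths = repo.findByUsername(username).stream()
            .map(m -> OrgAuthority.of(m.orgId(), m.section())).collect(Collectors.toList());
        return new User(username, hash, auths);    // no memberships: no orgs listed, nothing authorised
    }
}

// Backs hasPermission(#orgId, 'Author') in SpEL; register it on the method-security expression handler.
class OrgPermissionEvaluator implements PermissionEvaluator {
    @Override public boolean hasPermission(Authentication auth, Object orgId, Object section) {
        if (auth == null || orgId == null || section == null) return false;
        String wanted = OrgAuthority.of(orgId, section).getAuthority();
        return auth.getAuthorities().stream().anyMatch(a -> wanted.equals(a.getAuthority()));
    }
    @Override public boolean hasPermission(Authentication auth, Serializable id, String type, Object section) {
        return "Organization".equals(type) && hasPermission(auth, id, section);
    }
}

class ScenarioService {
    // The user who is an Author in Org 1 but only a Player in Org 2 is denied here when orgId == 2.
    @PreAuthorize("hasPermission(#orgId, 'Author')")
    public void createScenario(long orgId, String title) { /* persist the scenario */ }
}
```

Wire it by setting the evaluator on a DefaultMethodSecurityExpressionHandler bean and enabling method security (for example @EnableGlobalMethodSecurity(prePostEnabled = true)); the post-login menu Skip describes (Org 1: Author, Facilitator, Player) can be rendered from the same authorities, so the list and the enforcement never disagree.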
 