Spring Security - How to change user roles dynamically?

Ranch Hand
Posts: 96
Hi all,

I have a question about changing roles dynamically at runtime. Suppose that we have a social network application (like Facebook) and we are using Spring Security for authentication/authorization purposes.
When a person opens his Homepage, this person has the ADMIN role and can do everything with his Homepage. However, when he is visiting another friend's Homepage he should only have the role USER, which can only do some restricted actions (he cannot delete posts on the Homepage of his friend, for example).
If we use AuthenticationManagerBuilder then we can only set one fixed role for each user.

Can anyone help me with this question?

Thank you.
Saloon Keeper
Posts: 22122
Swerrgy Smith wrote:
If we use AuthenticationManagerBuilder then we can only set one fixed role for each user.

I never got into the details of Spring Security, but one of the things Spring security can do is leverage off of other security systems. In particular, it can work in conjunction with role-based access control in J2EE, and J2EE RBAC most definitely allows a user to have more than one role defined for a user.

However, I'm not sure that you really want to change security dynamically anyway. As a matter of fact, in J2EE, changes to a user's role set can only take effect by logging the user out and back in again. That's to prevent possible security issues that could be exploited while a user is transitioning roles. There is, after all, no role-modification API for J2EE security.

For something like whether or not you can edit a Facebook page, you'd usually simply test to see if the page belonged to the user or to someone else and display the appropriate buttons. To further enhance security, you'd check again on any update requests, just to make sure no one had built a false change request.

In the case of a community system, where some assets belonged to more than one user, you could check for not only ownership (presumably the community administrator(s)), but also for community (group) membership.
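One way to implement the ownership and membership checks described above in Spring Security, as an added example that is not code from either poster: rather than switching the user's role per page, each update method is guarded by a per-page check against the authenticated identity (HomePage, PageAccess and PostService are hypothetical names).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;

// Hypothetical domain object: a home page with one owner, the members of its
// community, and the posts shown on it.
class HomePage {
    final String ownerId;
    final Set<String> communityMembers;
    final List<String> posts = new ArrayList<>();

    HomePage(String ownerId, Set<String> communityMembers) {
        this.ownerId = ownerId;
        this.communityMembers = communityMembers;
    }
}

// Ownership and membership checks, referenced from SpEL as @pageAccess. The caller's
// identity comes from the Authentication in the SecurityContext, not from the request,
// so a forged "I own this page" parameter cannot grant access.
@Service("pageAccess")
class PageAccess {
    public boolean isOwner(Authentication auth, HomePage page) {
        return auth != null && auth.isAuthenticated() && page.ownerId.equals(auth.getName());
    }

    public boolean isMember(Authentication auth, HomePage page) {
        return auth != null && auth.isAuthenticated() && page.communityMembers.contains(auth.getName());
    }
}

// Needs method security enabled (e.g. @EnableGlobalMethodSecurity(prePostEnabled = true))
// and the #page parameter name available at runtime (e.g. compile with -parameters).
@Service
class PostService {
    // Deleting a post: only the page's owner, the "ADMIN of his own page" from the question.
    @PreAuthorize("@pageAccess.isOwner(authentication, #page)")
    public void deletePost(HomePage page, int index) {
        page.posts.remove(index);
    }

    // Writing on the page: the restricted "USER" action, allowed to owner and members.
    @PreAuthorize("@pageAccess.isOwner(authentication, #page) or @pageAccess.isMember(authentication, #page)")
    public void addPost(HomePage page, String text) {
        page.posts.add(text);
    }
}
```

Because the check runs on the service method itself, it is enforced again on every update request regardless of which buttons the page displayed.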