Spring Security - How to change user roles dynamically?

 
Ranch Hand
Posts: 96
Hi all,

I have a question about changing role dynamically in runtime. Suppose that we have a social network application (like Facebook) and we are using Spring security for authentication/authorization purpose.
When a person opens his Homepage, this person has the ADMIN role and can do everything with his Homepage. However, when he is visiting another friend's Homepage he should only have the role USER, which can only do some restricted actions (he cannot delete posts in the Homepage of his friend, for example).
If we use AuthenticationManagerBuilder then we can only set one fixed role for each user.

Can anyone help me with this question?

Thank you.
 
Bartender
Posts: 21000
Swerrgy Smith wrote:
If we use AuthenticationManagerBuilder then we can only set one fixed role for each user.

I never got into the details of Spring Security, but one of the things Spring security can do is leverage off of other security systems. In particular, it can work in conjunction with role-based access control in J2EE, and J2EE RBAC most definitely allows a user to have more than one role defined for a user.

However, I'm not sure that you really want to change security dynamically anyway. As a matter of fact, in J2EE, changes to a user's role set can only take effect by logging the user out and back in again. That's to prevent possible security issues that could be exploited while a user is transitioning roles. There is, after all, no role-modification API for J2EE security.

For something like whether or not you can edit a FaceBook page, you'd usually simply test to see if the page belonged to the user or to someone else and display the appropriate buttons. To further enhance security, you'd check again on any update requests, just to make sure no one had built a false change request.

In the case of a community system, where some assets belonged to more than one user, you could check for not only ownership (presumably the community administrator(s)), but also for community (group) membership.
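An added example (not code from either poster) of the two-step ownership check the reply describes, in Spring Security: the view shows the delete button only when the logged-in user owns the homepage, and the server re-checks ownership on the delete request itself. Class and field names (HomepagePost, homepageOwner, HomepageService) are made up for the example, and it assumes method security is enabled via @EnableGlobalMethodSecurity(prePostEnabled = true).

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.parameters.P;
import org.springframework.stereotype.Service;

// Assumed setup: turns on @PreAuthorize evaluation for Spring-managed beans.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {
}

// Constructed domain object: a post that lives on some user's homepage.
class HomepagePost {
    private final long id;
    private final String homepageOwner; // username of the homepage's owner

    HomepagePost(long id, String homepageOwner) {
        this.id = id;
        this.homepageOwner = homepageOwner;
    }

    public long getId() { return id; }
    public String getHomepageOwner() { return homepageOwner; }
}

@Service
class HomepageService {

    // First check, used by the view: render the delete button only when the
    // logged-in user owns the homepage the post sits on. Every user keeps the
    // single role USER; "admin of my own page" is ownership, not a role.
    public boolean canDelete(HomepagePost post, Authentication auth) {
        return auth != null && auth.isAuthenticated()
                && post.getHomepageOwner().equals(auth.getName());
    }

    // Second check, on the update request itself: Spring re-evaluates the
    // ownership rule from the method argument and the current Authentication,
    // so a hand-built delete request for a friend's post fails with
    // AccessDeniedException even though the caller is a valid USER.
    @PreAuthorize("hasRole('USER') and #post.homepageOwner == authentication.name")
    public void deletePost(@P("post") HomepagePost post) {
        // repository.delete(post) would go here; persistence is outside this example
    }
}
```

The @PreAuthorize rule is what actually protects the data; canDelete only decides what the page shows, so never rely on it alone.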