Grails › Grails User (Old Archive)

How to model permissions related to a user Role using Spring Security?

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

10 messages Options

marcopas

How to model permissions related to a user Role using Spring Security?

Hi there,

in our current application the concept of a user Role is a bit to
limited. We need a more finer grained way of identifying permissions.

Example:

User has a Role 'OPERATOR' but we need different kind of 'OPERATORS'
with settings like:
isAllowedToCreateUsers
isAllowedToCreateA
isAllowedToCreateB
...

Any idea on how to tackle/model this?

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

http://xircles.codehaus.org/manage_email

felipecao

Re: How to model permissions related to a user Role using Spring Security?

Hi, Marco, as far as I could understand from spring security, it does not support the concept of permissions.

If its not mandatory for you to use spring security, you may want to try shiro plugin. Shiro is a security framework from Apache, I've been using it for 2 years now, works fine and fits your need.

On Feb 18, 2012 11:27 AM, "Marco Pas" <[hidden email]> wrote:

Hi there,

in our current application the concept of a user Role is a bit to
limited. We need a more finer grained way of identifying permissions.

Example:

User has a Role 'OPERATOR' but we need different kind of 'OPERATORS'
with settings like:
isAllowedToCreateUsers
isAllowedToCreateA
isAllowedToCreateB
...

Any idea on how to tackle/model this?

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

http://xircles.codehaus.org/manage_email

Lauro Becker

Re: How to model permissions related to a user Role using Spring Security?

In reply to this post by marcopas

Hi Marco,

I've never used this approach yet, but I'm considering for my next projects.

Maybe this blog post can be useful: http://springinpractice.com/2010/10/27/quick-tip-spring-security-role-based-authorization-and-permissions/

Cheers.

Lauro L. V. Becker
---------------------------
Blog: http://laurobecker.wordpress.com

2012/2/18 Marco Pas <[hidden email]>

Hi there,

in our current application the concept of a user Role is a bit to
limited. We need a more finer grained way of identifying permissions.

Example:

User has a Role 'OPERATOR' but we need different kind of 'OPERATORS'
with settings like:
isAllowedToCreateUsers
isAllowedToCreateA
isAllowedToCreateB
...

Any idea on how to tackle/model this?

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

http://xircles.codehaus.org/manage_email

marcopas

Re: How to model permissions related to a user Role using Spring Security?

In reply to this post by felipecao

I am not forced to use Spring Security. The only reason why we have
chosen it is based on previous projects that worked fine with Spring
Security. So moving to another framework is not a problem but we want
to reuse existing knowledge and code, as much as possible. Thanks for
the tip! Will look into Shiro.

2012/2/18 Felipe Carvalho <[hidden email]>:

> Hi, Marco, as far as I could understand from spring security, it does not
> support the concept of permissions.
>
> If its not mandatory for you to use spring security, you may want to try
> shiro plugin. Shiro is a security framework from Apache, I've been using it
> for 2 years now, works fine and fits your need.
>
> On Feb 18, 2012 11:27 AM, "Marco Pas" <[hidden email]> wrote:
>>
>> Hi there,
>>
>> in our current application the concept of a user Role is a bit to
>> limited. We need a more finer grained way of identifying permissions.
>>
>> Example:
>>
>> User has a Role 'OPERATOR' but we need different kind of 'OPERATORS'
>> with settings like:
>> isAllowedToCreateUsers
>> isAllowedToCreateA
>> isAllowedToCreateB
>> ...
>>
>>
>> Any idea on how to tackle/model this?
>>
>> ---------------------------------------------------------------------
>> To unsubscribe from this list, please visit:
>>
>> http://xircles.codehaus.org/manage_email
>>
>>
>

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

http://xircles.codehaus.org/manage_email

marcopas

Re: How to model permissions related to a user Role using Spring Security?

In reply to this post by Lauro Becker

Hi Lauro,

Thanks for the link! I read the article and i am a bit anxious to
implement this ourselves. It would be great if Spring Security would
have the option to use a permission based flow. Maybe we have to bite
the bullet and implement it accordingly to the blogpost.

2012/2/18 Lauro Becker <[hidden email]>:

> Hi Marco,
>
> I've never used this approach yet, but I'm considering for my next projects.
>
> Maybe this blog post can be useful:
> http://springinpractice.com/2010/10/27/quick-tip-spring-security-role-based-authorization-and-permissions/
>
> Cheers.
>
> Lauro L. V. Becker
> ---------------------------
> Blog: http://laurobecker.wordpress.com
>
>
> 2012/2/18 Marco Pas <[hidden email]>
>>
>> Hi there,
>>
>> in our current application the concept of a user Role is a bit to
>> limited. We need a more finer grained way of identifying permissions.
>>
>> Example:
>>
>> User has a Role 'OPERATOR' but we need different kind of 'OPERATORS'
>> with settings like:
>> isAllowedToCreateUsers
>> isAllowedToCreateA
>> isAllowedToCreateB
>> ...
>>
>>
>> Any idea on how to tackle/model this?
>>
>> ---------------------------------------------------------------------
>> To unsubscribe from this list, please visit:
>>
>> http://xircles.codehaus.org/manage_email
>>
>>
>

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

http://xircles.codehaus.org/manage_email

Lauro Becker

Re: How to model permissions related to a user Role using Spring Security?

Would be great having this!

Perhaps Burt could share his thoughts too.

Lauro L. V. Becker
---------------------------
Blog: http://laurobecker.wordpress.com

2012/2/18 Marco Pas <[hidden email]>

Hi Lauro,

Thanks for the link! I read the article and i am a bit anxious to
implement this ourselves. It would be great if Spring Security would
have the option to use a permission based flow. Maybe we have to bite
the bullet and implement it accordingly to the blogpost.

2012/2/18 Lauro Becker <[hidden email]>:

> Hi Marco,
>
> I've never used this approach yet, but I'm considering for my next projects.
>
> Maybe this blog post can be useful:
> http://springinpractice.com/2010/10/27/quick-tip-spring-security-role-based-authorization-and-permissions/
>
> Cheers.
>
> Lauro L. V. Becker
> ---------------------------
> Blog: http://laurobecker.wordpress.com
>
>
> 2012/2/18 Marco Pas <[hidden email]>
>>
>> Hi there,
>>
>> in our current application the concept of a user Role is a bit to
>> limited. We need a more finer grained way of identifying permissions.
>>
>> Example:
>>
>> User has a Role 'OPERATOR' but we need different kind of 'OPERATORS'
>> with settings like:
>> isAllowedToCreateUsers
>> isAllowedToCreateA
>> isAllowedToCreateB
>> ...
>>
>>
>> Any idea on how to tackle/model this?
>>
>> ---------------------------------------------------------------------
>> To unsubscribe from this list, please visit:
>>
>> http://xircles.codehaus.org/manage_email
>>
>>
>

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

http://xircles.codehaus.org/manage_email

Mengu

Re: How to model permissions related to a user Role using Spring Security?

spring security plugin also has an acl plugin that can be found at http://grails.org/plugin/spring-security-acl. it has its docs at http://burtbeckwith.github.com/grails-spring-security-acl/docs/manual/index.html

2012/2/18 Lauro Becker <[hidden email]>

Would be great having this!

Perhaps Burt could share his thoughts too.

Lauro L. V. Becker
---------------------------
Blog: http://laurobecker.wordpress.com

2012/2/18 Marco Pas <[hidden email]>
Hi Lauro,

Thanks for the link! I read the article and i am a bit anxious to
implement this ourselves. It would be great if Spring Security would
have the option to use a permission based flow. Maybe we have to bite
the bullet and implement it accordingly to the blogpost.

2012/2/18 Lauro Becker <[hidden email]>:

> Hi Marco,
>
> I've never used this approach yet, but I'm considering for my next projects.
>
> Maybe this blog post can be useful:
> http://springinpractice.com/2010/10/27/quick-tip-spring-security-role-based-authorization-and-permissions/
>
> Cheers.
>
> Lauro L. V. Becker
> ---------------------------
> Blog: http://laurobecker.wordpress.com
>
>
> 2012/2/18 Marco Pas <[hidden email]>
>>
>> Hi there,
>>
>> in our current application the concept of a user Role is a bit to
>> limited. We need a more finer grained way of identifying permissions.
>>
>> Example:
>>
>> User has a Role 'OPERATOR' but we need different kind of 'OPERATORS'
>> with settings like:
>> isAllowedToCreateUsers
>> isAllowedToCreateA
>> isAllowedToCreateB
>> ...
>>
>>
>> Any idea on how to tackle/model this?
>>
>> ---------------------------------------------------------------------
>> To unsubscribe from this list, please visit:
>>
>> http://xircles.codehaus.org/manage_email
>>
>>
>

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

http://xircles.codehaus.org/manage_email

--
Muhammet S. AYDIN

http://mengu.net

http://compector.com

wilsonaikeda@gmail.com

Re: How to model permissions related to a user Role using Spring Security?

In reply to this post by Lauro Becker

You can use Spring Security ACL's

http://static.springsource.org/spring-security/site/docs/3.0.x/reference/domain-acls.html

http://grzegorzborkowski.blogspot.com/2008/10/spring-security-acl-very-basic-tutorial.html

On Feb 18, 2012, at 10:35 PM, Lauro Becker wrote:

Hi Marco,

I've never used this approach yet, but I'm considering for my next projects.

Maybe this blog post can be useful: http://springinpractice.com/2010/10/27/quick-tip-spring-security-role-based-authorization-and-permissions/

Cheers.

Lauro L. V. Becker
---------------------------
Blog: http://laurobecker.wordpress.com

2012/2/18 Marco Pas <[hidden email]>
Hi there,

in our current application the concept of a user Role is a bit to
limited. We need a more finer grained way of identifying permissions.

Example:

User has a Role 'OPERATOR' but we need different kind of 'OPERATORS'
with settings like:
isAllowedToCreateUsers
isAllowedToCreateA
isAllowedToCreateB
...

Any idea on how to tackle/model this?

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

http://xircles.codehaus.org/manage_email

dmurat

Re: How to model permissions related to a user Role using Spring Security?

In reply to this post by marcopas

If you don't want or need full-blown acls, maybe you can implement custom org.springframework.security.access.PermissionEvaluator.
I didn't try it with grails' spring security plugin yet, but it seems that it should not be a problem.

http://krams915.blogspot.com/2011/01/spring-security-simple-acl-using.html
http://krams915.blogspot.com/2011/01/spring-security-simple-acl-using_19.html

smakela

Re: How to model permissions related to a user Role using Spring Security?

In reply to this post by marcopas

There is also possibility to make role hierarchies in Spring Security Core.

So you could have:

ROLE_OPERATOR_A
ROLE_OPERATOR_B

ROLE_USER_CREATOR
ROLE_A_CREATOR
ROLE_B_CRATOR

So you could have in your config

grails.plugins.springsecurity.roleHierarchy = '''
ROLE_OPERATOR_A > ROLE_USER_CREATOR
ROLE_OPERATOR_A > ROLE_A_CREATOR
ROLE_OPERATOR_B > ROLE_USER_CREATOR
ROLE_OPERATOR_B > ROLE_B_CREATOR
'''

You could have this kind of controller:

import grails.plugins.springsecurity.Secured

class SomeController {

@Secured(['ROLE_B_CREATOR'])
def createB = {
…
}
}

At this time there is no possibility to define the hierarchy in the database, but I have opened JIRA case for that:
http://jira.grails.org/browse/GPSPRINGSECURITYCORE-163