How to model permissions related to a user Role using Spring Security?

How to model permissions related to a user Role using Spring Security?

marcopas
Hi there,

in our current application the concept of a user Role is a bit too
limited. We need a finer-grained way of identifying permissions.

Example:

User has a Role 'OPERATOR' but we need different kind of 'OPERATORS'
with settings like:
isAllowedToCreateUsers
isAllowedToCreateA
isAllowedToCreateB
...


Any idea on how to tackle/model this?

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email


Re: How to model permissions related to a user Role using Spring Security?

felipecao

Hi, Marco, as far as I could understand from spring security, it does not support the concept of permissions.

If it's not mandatory for you to use spring security, you may want to try shiro plugin. Shiro is a security framework from Apache, I've been using it for 2 years now, works fine and fits your need.

Re: How to model permissions related to a user Role using Spring Security?

Lauro Becker
In reply to this post by marcopas
Hi Marco,

I've never used this approach yet, but I'm considering it for my next projects.

Maybe this blog post can be useful: http://springinpractice.com/2010/10/27/quick-tip-spring-security-role-based-authorization-and-permissions/

Cheers.

Lauro L. V. Becker
---------------------------
Blog: http://laurobecker.wordpress.com


Re: How to model permissions related to a user Role using Spring Security?

marcopas
In reply to this post by felipecao
I am not forced to use Spring Security. The only reason why we have
chosen it is based on previous projects that worked fine with Spring
Security. So moving to another framework is not a problem but we want
to reuse existing knowledge and code, as much as possible. Thanks for
the tip! Will look into Shiro.

Re: How to model permissions related to a user Role using Spring Security?

marcopas
In reply to this post by Lauro Becker
Hi Lauro,

Thanks for the link! I read the article and I am a bit anxious to
implement this ourselves. It would be great if Spring Security would
have the option to use a permission based flow. Maybe we have to bite
the bullet and implement it according to the blog post.

Re: How to model permissions related to a user Role using Spring Security?

Lauro Becker
Would be great having this!

Perhaps Burt could share his thoughts too.

Lauro L. V. Becker
---------------------------
Blog: http://laurobecker.wordpress.com


Re: How to model permissions related to a user Role using Spring Security?

Mengu
The Spring Security plugin also has an ACL plugin that can be found at http://grails.org/plugin/spring-security-acl. It has its docs at http://burtbeckwith.github.com/grails-spring-security-acl/docs/manual/index.html

--
Muhammet S. AYDIN
Re: How to model permissions related to a user Role using Spring Security?

wilsonaikeda@gmail.com
In reply to this post by Lauro Becker
You can use Spring Security ACLs

http://static.springsource.org/spring-security/site/docs/3.0.x/reference/domain-acls.html
http://grzegorzborkowski.blogspot.com/2008/10/spring-security-acl-very-basic-tutorial.html

Re: How to model permissions related to a user Role using Spring Security?

dmurat
In reply to this post by marcopas
If you don't want or need full-blown ACLs, maybe you can implement a custom org.springframework.security.access.PermissionEvaluator.
I didn't try it with Grails' Spring Security plugin yet, but it seems that it should not be a problem.

http://krams915.blogspot.com/2011/01/spring-security-simple-acl-using.html
http://krams915.blogspot.com/2011/01/spring-security-simple-acl-using_19.html
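
A sketch of the custom PermissionEvaluator suggested in the post above, as an added example that is not code from the thread or from the linked posts. The class name, the Permission enum and the ROLE_OPERATOR_A / ROLE_OPERATOR_B mapping are assumptions chosen to mirror the isAllowedToCreate... settings in the question; unknown roles and unknown permission names are denied.

```java
import java.io.Serializable;
import java.util.*;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/** Maps each role to an explicit permission set; anything not listed is denied. */
public class RolePermissionEvaluator implements PermissionEvaluator {

    // Hypothetical permissions standing in for the isAllowedToCreate... flags.
    public enum Permission { CREATE_USERS, CREATE_A, CREATE_B }

    private final Map<String, Set<Permission>> byRole = new HashMap<String, Set<Permission>>();

    public RolePermissionEvaluator() {
        // Assumed role names; a real application would load this mapping from its own store.
        byRole.put("ROLE_OPERATOR_A", EnumSet.of(Permission.CREATE_USERS, Permission.CREATE_A));
        byRole.put("ROLE_OPERATOR_B", EnumSet.of(Permission.CREATE_USERS, Permission.CREATE_B));
    }

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !auth.isAuthenticated() || permission == null) {
            return false;
        }
        Permission wanted;
        try {
            wanted = Permission.valueOf(permission.toString());
        } catch (IllegalArgumentException unknown) {
            return false; // unknown permission name: fail closed
        }
        for (GrantedAuthority ga : auth.getAuthorities()) {
            Set<Permission> granted = byRole.get(ga.getAuthority());
            if (granted != null && granted.contains(wanted)) {
                return true;
            }
        }
        return false; // no role of this user carries the permission
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        // No per-object rules in this sketch; the role-to-permission decision applies.
        return hasPermission(auth, targetId, permission);
    }
}
```

Once set on the method-security expression handler (`DefaultMethodSecurityExpressionHandler.setPermissionEvaluator`), it backs expressions such as `@PreAuthorize("hasPermission(null, 'CREATE_B')")`.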
Re: How to model permissions related to a user Role using Spring Security?

smakela
In reply to this post by marcopas
There is also the possibility of making role hierarchies in Spring Security Core.

So you could have:

ROLE_OPERATOR_A
ROLE_OPERATOR_B

ROLE_USER_CREATOR
ROLE_A_CREATOR
ROLE_B_CREATOR

So you could have in your config

grails.plugins.springsecurity.roleHierarchy = '''
ROLE_OPERATOR_A > ROLE_USER_CREATOR
ROLE_OPERATOR_A > ROLE_A_CREATOR
ROLE_OPERATOR_B > ROLE_USER_CREATOR
ROLE_OPERATOR_B > ROLE_B_CREATOR
'''

You could have this kind of controller:

import grails.plugins.springsecurity.Secured

class SomeController {

   @Secured(['ROLE_B_CREATOR'])
   def createB = {
      …
   }
}

At this time there is no possibility to define the hierarchy in the database, but I have opened a JIRA case for that:
http://jira.grails.org/browse/GPSPRINGSECURITYCORE-163
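
An audit of the hierarchy from the post above, as an added example that is not part of the original post and does not use the plugin's own classes. It expands each "HIGHER > LOWER" line into the authorities every operator role effectively holds and flags names used in @Secured that no role in the hierarchy implies. The class name and the ROLE_C_CREATOR entry are constructed for illustration.

```java
import java.util.*;

/** Expands a "HIGHER > LOWER" role hierarchy into each role's effective authorities. */
public class RoleHierarchyAudit {

    /** Parses one "HIGHER > LOWER" edge per line; blank or malformed lines are skipped. */
    static Map<String, Set<String>> parse(String hierarchy) {
        Map<String, Set<String>> edges = new TreeMap<>();
        for (String line : hierarchy.split("\\r?\\n")) {
            String[] parts = line.trim().split("\\s*>\\s*");
            if (parts.length != 2 || parts[0].isEmpty()) continue;
            edges.computeIfAbsent(parts[0], k -> new TreeSet<>()).add(parts[1]);
        }
        return edges;
    }

    /** Every authority implied by role, including role itself; safe against cycles. */
    static Set<String> reachable(Map<String, Set<String>> edges, String role) {
        Set<String> seen = new TreeSet<>();
        Deque<String> todo = new ArrayDeque<>();
        todo.push(role);
        while (!todo.isEmpty()) {
            String r = todo.pop();
            if (seen.add(r)) todo.addAll(edges.getOrDefault(r, Collections.<String>emptySet()));
        }
        return seen;
    }

    public static void main(String[] args) {
        String hierarchy = "ROLE_OPERATOR_A > ROLE_USER_CREATOR\n"
                + "ROLE_OPERATOR_A > ROLE_A_CREATOR\n"
                + "ROLE_OPERATOR_B > ROLE_USER_CREATOR\n"
                + "ROLE_OPERATOR_B > ROLE_B_CREATOR\n";
        // Names used in @Secured; ROLE_C_CREATOR is a constructed mistake.
        List<String> secured = Arrays.asList("ROLE_B_CREATOR", "ROLE_C_CREATOR");

        Map<String, Set<String>> edges = parse(hierarchy);
        Set<String> granted = new TreeSet<>();
        for (String top : edges.keySet()) {
            Set<String> implied = reachable(edges, top);
            granted.addAll(implied);
            System.out.println(top + " -> " + implied);
        }
        for (String name : secured) {
            if (!granted.contains(name)) {
                System.out.println("UNREACHABLE: no role in the hierarchy implies " + name);
            }
        }
    }
}
```

The per-role listing makes it easy to confirm that ROLE_OPERATOR_A never gains ROLE_B_CREATOR, and the unreachable check catches a misspelled authority before it silently locks an action for everyone.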