Spring Security plugin annotation issue

hi all..
          is there a way to pass a collection of authorities in the annotation  of an  action for controller like

         i want to configure authorities list  at one place say in an interface where i can collect all the authorites list
 
     then i want use there reference in the annotations of the controller.
  my interface for the authorities collection is some thing like

   public interface ModuleAuthList {

                        def w_BillingPlanAuth = [ 'Admin', 'Cbis_Oprtr', 'w_BPlan',]

                         def r_BillingPlanAuth = [ 'Admin', 'Cbis_Oprtr', 'w_BPlan','r_BPlan',]
                            ............
   }

 now i want to user this authority group in different controllers
like  

@Secured(['IS_AUTHENTICATED_REMEMBERED'])
class HomeController {

   

   @Secured(ModuleAuthList.w_BillingPlanAuth)
   def index = {
          .......  do some codes....
    }

or is there other alternatives ways to collect authorities at one place and use them at other codes stuff in order to prevent redundancy and consistancy issues


thanks in advance!!

hi any solution to this

hi Grails !!
                 still waiting to have the solution
                how can we pass a collection to springsecurity service in controllers annotations

still looking for some alternative to pass collection of authorities declared in an interface or groovy class  to spring security wia controllers annotation

any help
thanks in advance

It doesn't seem possible, due to a limitation of annotation values for array types. The rules for valid values for annotations are pretty strict and limiting.

 

Burt 

 

Thanks Burt for the reply
                                                so what can we do if a group of controllers have same set of authorities
 do i duplicate the code  to every  annotation
and in future  if i want to restrict some of the roles  in that group of controllers than..

"so what can we do if a group of controllers have same set of authorities "

According to this [blog|http://burtbeckwith.com/blog/?cat=20] you should be able to annotate the security rules on a base class and have all your controllers that share the same rules inherit from the same base class.  You can then fine tune the rules on each of the derived classes in the future.

I wrote up a solution here: http://burtbeckwith.com/blog/?p=1398 - let me know if this works for you.

Burt

madansen wrote

Thanks Burt for the reply
                                                so what can we do if a group of controllers have same set of authorities
 do i duplicate the code  to every  annotation
and in future  if i want to restrict some of the roles  in that group of controllers than..

I have the same problem and I tackled it with another approach. Whenever I have something that requires multiple roles, I create a new "meta-role" that abstracts the collection. The meta-roles do not represent a single role in a database, but are rather just for internal application use.

As an example in your case, your could have the two meta-roles: "ROLE_META_BILLING_PLAN_R" and "ROLE_META_BILLING_PLAN_W"

Now the controller can be annotated with e.g. @Secured("ROLE_META_BILLING_PLAN_W"). The only thing that is necessary, is to hook into the mechanism that populates the roles (authorities) of the used UserDetails object. The logic can be pretty simple. After the regular authorities have been populated, you simply check if all of the necessary authorities are available and then add the respective meta-roles.

The Strings in the @Secured annotation can even be string constants (static final ROLE_META_BILLING_PLAN_R = "..."). However, this sometimes lead to compile error and I have to do a clean/compile cycle to resolve it.

Of course, the necessary meta-roles count could explode fast, depending on the requirements, but its fine for simple cases.

REMARK: It should be kept in mind, that multiple roles in the @Secured annotation are conjunct, meaning that ALL the roles need to be present. Again, this can be circumvented by using suitable meta-roles and adapt the logic to grant this meta roles.

Cheers,
Ben

Thanks Burt,
                        It realy help me.
                          And is exactly what i am expecting.  

i was having different scenario it is not necessary that user is having all these authorities i.e it mightbe possible some of the user is having only single or two auths

Burts blog http://burtbeckwith.com/blog/?p=1398 
had realy helped me