Matthew E. Porter wrote:

Greetings. I am looking for some guidance on the ACL system and how to integrate it into our application. Furthermore, I plan to get the second article out for Javalobby within the next week or two. Any help is appreciated.

In our application, we define domains (i.e. companies). Objects of different types belong to each domain. For example, each domain has a set of servers assigned to it. In addition, there is a set of users assigned to the domain. For example, the "Contegix" domain contains Server1, Server2, and Server17. Each domain has one or more administrators which should have unrestricted access to any object tied to the domain. Furthermore, domains can be nested.

As I am trying to get my head wrapped around the ACL system in Acegi, I am having difficulties finding the best way to apply permissions and restrictions.


Cheers, Matthew

Hi Matthew

As per our Skype session (for the benefit of the list archives):

The most important thing is to ensure your "real" domain object model has a "map" generated in acl_object_identity, so the ACL services know about the relationships. The most convenient way to build and maintain this map is via your services layer methods (e.g. DomainManager.create(Domain)) calling a BasicAclExtendedDao implementation. The included implementation, JdbcExtendedDaoImpl, will probably do the trick. Your services layer create and delete methods just call the corresponding BasicAclExtendedDao methods as your domain object instances are created and deleted.

With your particular object model, you'd be best off having a single users database. Thus you can use LDAP or CAS etc. in the future. Users therefore "sign up" with the "service provider" and get added to the single users database. You'd create a "root" top level acl_object_identity, which you assign the service provider's administrative users against. Every Domain then uses either that top level "root" as its parent, or another Domain. Thus your service provider administrative users have proper, default access to every Domain. Servers use a Domain as their parent (only so far as the acl_object_identity is concerned - your actual domain object model and its ORM mapping is a matter of your choice).

You can then write a separate "acl administration" use case which deals with giving customers (from your single users database) access to the appropriate acl_object_identity. Again, a BasicAclExtendedDao implementation is your friend and will automate interaction with the backend ACL database.

Hope this helps.

Ben
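The root / Domain / Server parent chain Ben describes, as an added in-memory model (not code from the thread and not Acegi's own API): identities are created through a create/delete pair the way a services layer would call the ACL DAO, grants are made in a separate administration step, and a recipient's effective permission on an object is the nearest explicit entry found walking up the parent chain. The identity names, recipient names and mask bit values are all constructed for the example.

```python
ADMINISTRATION, READ, WRITE = 1, 2, 4  # example mask bits (constructed, not Acegi's)
class AclObjectIdentityMap:
    def __init__(self):
        self.parents = {}  # identity -> parent identity (None for the root)
        self.entries = {}  # identity -> {recipient: mask}

    def create(self, identity, parent=None):
        # What a services-layer create() would hand to the BasicAclExtendedDao.
        if parent is not None and parent not in self.parents:
            raise KeyError("parent identity must exist first: %r" % (parent,))
        self.parents[identity] = parent
        self.entries.setdefault(identity, {})

    def delete(self, identity):
        # Children must go too, or they would point at a missing parent.
        for child in [c for c, p in self.parents.items() if p == identity]:
            self.delete(child)
        del self.parents[identity]
        del self.entries[identity]

    def grant(self, identity, recipient, mask):
        self.entries[identity][recipient] = mask

    def effective_mask(self, identity, recipient):
        # Walk from the object up to the root; the nearest explicit entry wins.
        while identity is not None:
            if recipient in self.entries[identity]:
                return self.entries[identity][recipient]
            identity = self.parents[identity]
        return 0

    def allows(self, identity, recipient, bit):
        mask = self.effective_mask(identity, recipient)
        return bool(mask & ADMINISTRATION) or bool(mask & bit)

def build_example_map():
    # Constructed data: root, "Contegix" with a nested domain, a second customer, servers.
    acl = AclObjectIdentityMap()
    acl.create("root")
    acl.grant("root", "sp_admin", ADMINISTRATION)  # service provider admin
    acl.create("Domain:Contegix", parent="root")
    acl.create("Domain:Contegix/Hosting", parent="Domain:Contegix")
    acl.create("Domain:OtherCo", parent="root")
    for name in ("Server1", "Server2", "Server17"):
        acl.create("Server:" + name, parent="Domain:Contegix")
    acl.create("Server:Server3", parent="Domain:Contegix/Hosting")
    acl.create("Server:Server9", parent="Domain:OtherCo")
    acl.grant("Domain:Contegix", "contegix_admin", ADMINISTRATION)
    return acl
```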



_______________________________________________
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
