Hi, I'm using the Spring framework on a project -- from Spring's MVC front end, to the AOP. And I've got Hibernate as the persistence backing. I like how Acegi integrates well into the Spring framework. But I just have a question about how I can use Acegi to achieve the security model of my given situation.

My security model has knowledge about Users, Groups, Roles, and Permissions. It breaks down as such:

1. Permission defines what can be done on Resources (Data, execution of services, etc).
   a. For example: Edit User, Add User, Delete User.
2. Roles are sets of Permissions.
   a. For example, User Administrators have permission to Edit User, Add User, Delete User.
3. Users belong to any number of Groups with given Roles.
   a. A user in a group can have multiple roles for that group.
   b. A user can be in multiple groups, each with different sets of roles.
   c. For example, I can be a User Administrator in the ABC Group, and be a Normal User in XYZ Group. Thus, I can only Edit/Add/Delete users that belong to the ABC Group. Users are created under an original group even though the user can be a member of multiple groups. So, that user "belongs" to the original group.
   d. Another example, Users can have various permissions to create/edit/publish documents in different groups.

Access check flow (first to last) on an HTTP request:

1. HTTP Check
   a. URL (eg. http://foo.com/A vs http://foo.com/B)
   b. Method (eg. GET vs POST)
3. Service Class (eg. Can the user access service class com.foo.myApp1 vs com.foo.myApp2).
4. Service Object Instance (ie. Can the user access a given Spring Bean?)
5. Service Method (eg. bean.foo() vs bean.bar() ).
6. Service Object Method (eg. Spring Bean with id "myBean", myBean.foo() vs otherBean.foo() ).
7. Data Object used by the Service Object. (eg. Can a user edit an image that belongs to Group X?).

    User u;
    MyObject myObject;
    if (acl.hasAccess(myObject.getPermission(), myObject.getGroup()) == true) {
        // do some stuff, like print out myObject.getLink()
    }

I recall that the above (1-7) can be supported with Acegi as it currently is, but can anyone enlighten me on how (and if) Acegi can support them with the User/Group/Roles/Permissions concept?

Thanks,
Benjamin

_______________________________________________
Acegisecurity-developer mailing list
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
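
The group-scoped check described in the message above, sketched as an added example that is not part of the original post and uses no Acegi classes. Every type, method and role name here is hypothetical, the VIEW_USER permission given to Normal User is an assumption, and the sample user is constructed.

```java
import java.util.*;

// Added illustration in plain Java; all names are hypothetical, not Acegi's API.
public class GroupScopedAcl {
    enum Permission { EDIT_USER, ADD_USER, DELETE_USER, VIEW_USER }

    // A role is a named set of permissions (VIEW_USER is an assumed extra permission).
    static final Map<String, Set<Permission>> ROLES = new HashMap<>();
    static {
        ROLES.put("USER_ADMIN", EnumSet.of(Permission.EDIT_USER, Permission.ADD_USER,
                Permission.DELETE_USER, Permission.VIEW_USER));
        ROLES.put("NORMAL_USER", EnumSet.of(Permission.VIEW_USER));
    }

    // user -> group -> names of the roles the user holds in that group
    private final Map<String, Map<String, Set<String>>> memberships = new HashMap<>();

    void grant(String user, String group, String role) {
        if (!ROLES.containsKey(role)) {
            throw new IllegalArgumentException("unknown role: " + role);
        }
        memberships.computeIfAbsent(user, u -> new HashMap<>())
                   .computeIfAbsent(group, g -> new HashSet<>())
                   .add(role);
    }

    // Deny by default: only a role held in *this* group can supply the permission.
    // Roles held in other groups are never consulted.
    boolean hasAccess(String user, Permission permission, String group) {
        Set<String> roles = memberships.getOrDefault(user, Collections.emptyMap())
                                       .getOrDefault(group, Collections.emptySet());
        for (String role : roles) {
            if (ROLES.get(role).contains(permission)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        GroupScopedAcl acl = new GroupScopedAcl();
        acl.grant("alice", "ABC", "USER_ADMIN");   // constructed sample data
        acl.grant("alice", "XYZ", "NORMAL_USER");

        // The group that owns the target object selects which roles apply.
        System.out.println("edit in ABC: " + acl.hasAccess("alice", Permission.EDIT_USER, "ABC"));
        System.out.println("edit in XYZ: " + acl.hasAccess("alice", Permission.EDIT_USER, "XYZ"));
        System.out.println("view in XYZ: " + acl.hasAccess("alice", Permission.VIEW_USER, "XYZ"));
        System.out.println("edit in DEF: " + acl.hasAccess("alice", Permission.EDIT_USER, "DEF"));
    }
}
```

The group passed to the check is the one that owns the object being acted on (the "original group" in item 3c), so holding an administrator role in one group grants nothing in another.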