Ben, thanks for the reply. I was not able to find your post on "subscriber-specific GrantedAuthority". Based on what you described, it looks like it will not work in my case because the user can switch workspace after logging in. I think the GrantedAuthorities are only assigned when the user is logging in.

Yes, the "workspace" is just a param you pass in to the service. Writing a custom AccessDecisionVoter definitely will work, but I lose all the built-in support for role-based access decision. One thing I can think of is to change the GrantedAuthorities dynamically for every request based on which workspace the user is trying to access. Will this work?

- Hao

--- Ben Alex <[EMAIL PROTECTED]> wrote:

> Hao Chen wrote:
> > I have a use case that requires role-based authorization, but the
> > user's role is based on the access context. Roles are assigned to
> > user based on the "workspace" the user is accessing. For example,
> > a user may have role X in workspace A, but may have role Y in
> > "workspace" B. I think many systems may have similar concepts. I
> > know ACL would work for this, but I just wonder whether Acegi has
> > any built-in tools for handling such scoped-roles easily. Or is
> > there any suggested approach for this use case.
>
> If you search for my posts on the forums, I have discussed
> subscriber-specific GrantedAuthority[]s. In an ASP deployment, you may
> have a SubscriberThreadLocal, which has a subscriber number. Then your
> UserDetailsService looks at the active SubscriberId, and only adds roles
> which the principal has for that SubscriberId. Your workspace notion
> may, however, be more related to an argument passed to a services layer
> method. In that situation you're better off having a custom
> GrantedAuthority returned by your UserDetailsService, and a custom
> AccessDecisionVoter that knows how to process that custom
> GrantedAuthority. The exact approach depends on what you're trying to
> achieve.
>
> Cheers
> Ben
>
> _______________________________________________
> Home: http://acegisecurity.org
> Acegisecurity-developer mailing list
> Acegisecurity-developer@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
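
The approach Ben describes (a custom GrantedAuthority that carries its workspace, checked by a custom AccessDecisionVoter against the workspace argument of the service call) is shown here as an added example; it is not code from this thread or from Acegi. The types are local stand-ins rather than Acegi interfaces, the class names and the "WS_ROLE_" attribute prefix are hypothetical, and the three vote values are modelled on Acegi's granted/abstain/denied voter convention.

```java
import java.util.Set;

// Added illustration: local stand-in types, not Acegi classes.
public class WorkspaceVoterDemo {
    static final int ACCESS_GRANTED = 1, ACCESS_ABSTAIN = 0, ACCESS_DENIED = -1;

    // A role that is valid only inside one workspace (hypothetical class).
    record WorkspaceAuthority(String workspace, String role) {}

    // Decides on one required attribute, e.g. "WS_ROLE_X", using the workspace
    // named in the service call instead of a session-wide role list.
    static int vote(Set<WorkspaceAuthority> held, String workspaceArg, String attribute) {
        if (attribute == null || !attribute.startsWith("WS_ROLE_")) {
            return ACCESS_ABSTAIN;   // not a workspace attribute: leave it to other voters
        }
        if (workspaceArg == null || workspaceArg.isEmpty()) {
            return ACCESS_DENIED;    // no scope supplied: fail closed
        }
        String role = attribute.substring("WS_ROLE_".length());
        return held.contains(new WorkspaceAuthority(workspaceArg, role))
                ? ACCESS_GRANTED : ACCESS_DENIED;
    }

    static String label(int vote) {
        return vote == ACCESS_GRANTED ? "GRANTED"
             : vote == ACCESS_DENIED ? "DENIED" : "ABSTAIN";
    }

    public static void main(String[] args) {
        // Constructed sample: all scoped roles are loaded once at login and the
        // set is immutable, so switching workspace needs no per-request rewrite.
        Set<WorkspaceAuthority> held = Set.of(
                new WorkspaceAuthority("A", "X"),
                new WorkspaceAuthority("B", "Y"));

        String[][] calls = {
            {"A", "WS_ROLE_X"},   // role X held in workspace A
            {"B", "WS_ROLE_X"},   // role X is not held in workspace B
            {"B", "WS_ROLE_Y"},   // role Y held in workspace B
            {"",  "WS_ROLE_X"},   // missing workspace argument
            {"A", "ROLE_ADMIN"},  // ordinary role attribute, not this voter's concern
        };
        for (String[] c : calls) {
            System.out.printf("workspace=%-2s attribute=%-10s -> %s%n",
                    c[0], c[1], label(vote(held, c[0], c[1])));
        }
    }
}
```

Because the voter abstains on attributes it does not recognise, ordinary role attributes can still be handled by the stock role voter alongside it.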