Hi! I tried to post my question below on the forum, but either nobody knows the answer or the amount of people who knows that answer and has time to help are too limited - so I will give it a shot on the mailing list - I am not looking for an answer that will provide me with the perfect solution - just some thoughts and ideas about how to make it work using JSecurity/Ki:
I am currently working on a web project where some bright people thought: Hey, we need some authorization... ...cue ME! The Setup: The great thing about this project is, that so far we don't have any existing security model (like LDAP), so we can pretty much choose what we like. The not so brilliant thing (from a security/authorization point of view) is that we don't have a setup, where we can use the general user/role model. We have a setup where we have one central backend server - this is where the global user profiles are stored. We then have several "local" servers, each of which contains several web sites (which have their own unique URL's). A person only have one global user profile, but may have a local profile for each web site. The user may log on to any web site, where he has a local profile, and he may use his global username/password or the credentials he has for the local web site (if he uses the global username, we will look at the URL to figure out which local profile he has). Now the tricky part is the roles: - A user may have certain roles at the global level - these roles (and their permissions) are valid for all web sites he logs in to. - A user may have certain roles at the web site level - these roles are valid for the entire site (and sub-sites). - A user may have certain roles at a sub-site level - these roles are only valid for a particular subset of the website (typically a sub-URL) he is logged into. Now, the first two levels of roles can be determined at login time, but the roles that are only valid for a given sub-site, must be added/removed to the active set of roles/permissions whenever the user switches to another sub-site. The question: Now, I've looked a little at the documentation, examples and some source code of JSecurity/Ki and I am convinced that somehow we can make a solution with this - a good solution even. Unfortunately I'm no security expert, so I am struggling quite a bit, trying to figure out which classes I need replace in the default implementation with my own implementations to make this work. I figure I need to make a custom Authorizer at least, but I may also have to do my own implementations of AuthorizationInfo... Bottom line: I just don't get it - looking at the sample app, which instantiates a DefaultSecurityManager and uses Default[everything] - what do I replace to make a custom security solution, that will help me solve the scenario described above? Heeelp... Best Regards /Sune
