Matthew E. Porter wrote:
Greetings. I am looking for some guidance on the ACL system and how
to integrate it into our application. Furthermore, I plan to get the
second article out for Javalobby within the next week or two. Any
help is appreciated.
In our application, we define domains (i.e. companies). Objects of
different types belong to each domain. For example, each domain has a
set of servers assigned to it. In addition, there is a set of users
assigned to the domain. For example, the Contegix domain contains
Server1, Server2, and Server17. Each domain has one or more
administrators which should have unrestricted access to any object
tied to the domain. Furthermore, domains can be nested.
As I am trying to get my head wrapped around the ACL system in Acegi,
I am having difficulties finding the best way to apply permissions and
restrictions.
Cheers,
Matthew
Hi Matthew
As per our Skype session (for the benefit of the list archives):
The most important thing is to ensure your real domain object model
has a map generated in acl_object_identity, so the ACL services know
about the relationships. The most convenient way to build and maintain
this map is via your services layer methods (eg
DomainManager.create(Domain)) calling a BasicAclExtendedDao
implementation. The included implementation, JdbcExtendedDaoImpl, will
probably do the trick. Your services layer create and delete methods
just call the corresponding BasicAclExtendedDao methods as your domain
object instances are created and deleted.
With your particular object model, you'd be best off having a single
users database. Thus you can use LDAP or CAS etc in the future. Users
therefore sign up with the service provider and get added to the
single users database. You'd create a root top level
acl_object_identity, which you assign the service provider's
administrative users against. Every Domain then uses either that top
level root as its parent, or another Domain. Thus your service
provider administrative users have proper, default access to every
Domain. Servers use a Domain as their parent (only so far as the
acl_object_identity is concerned - your actual domain object model and
its ORM mapping is a matter of your choice).
You can then write a separate acl administration use case which deals
with giving customers (from your single users database) access to the
appropriate acl_object_identity. Again, a BasicAclExtendedDao
implementation is your friend and will automate interaction with the
backend ACL database.
Hope this helps.
Ben
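The layout Ben sketches above (one root acl_object_identity for the provider's administrators, every Domain parented to the root or to another Domain, every Server parented to its Domain, and a services layer that keeps the map current through a BasicAclExtendedDao) looks like the following when written out. This is an added illustration, not code from the thread or from the Acegi project. It assumes the Acegi 1.0 package names (org.acegisecurity.acl.basic; the 0.x releases used net.sf.acegisecurity), a hypothetical Domain/Server object model with numeric ids, recipients that are usernames from the single users database, and the JdbcExtendedDaoImpl behaviour of creating the acl_object_identity row and only adding an acl_permission row when the recipient is non-null (check that against the release you run).

```java
// Added example of a services-layer class that maintains the Acegi basic ACL map.
// Assumptions (not from the thread): Acegi 1.0 package names, hypothetical Domain
// and Server classes, usernames as ACL recipients, and JdbcExtendedDaoImpl creating
// the acl_object_identity row for a SimpleAclEntry whose recipient is null.
import org.acegisecurity.acl.basic.AclObjectIdentity;
import org.acegisecurity.acl.basic.BasicAclExtendedDao;
import org.acegisecurity.acl.basic.NamedEntityObjectIdentity;
import org.acegisecurity.acl.basic.SimpleAclEntry;

// Minimal hypothetical domain model, only what the ACL map needs.
class Domain {
    final long id; final String[] administrators;
    Domain(long id, String[] administrators) { this.id = id; this.administrators = administrators; }
}
class Server {
    final long id;
    Server(long id) { this.id = id; }
}

public class DomainManager {

    // One root identity for the whole service provider. Provider administrators are
    // granted against it and inherit access to every Domain and Server beneath it.
    static final AclObjectIdentity ROOT =
        new NamedEntityObjectIdentity("com.example.ServiceProvider", "root");

    private final BasicAclExtendedDao aclDao;   // JdbcExtendedDaoImpl in practice

    public DomainManager(BasicAclExtendedDao aclDao) { this.aclDao = aclDao; }

    static AclObjectIdentity identityOf(Domain d) {
        return new NamedEntityObjectIdentity(Domain.class.getName(), String.valueOf(d.id));
    }
    static AclObjectIdentity identityOf(Server s) {
        return new NamedEntityObjectIdentity(Server.class.getName(), String.valueOf(s.id));
    }

    // Run once at install time: create the root identity and give each provider
    // administrator ADMINISTRATION on it. The root has no parent.
    public void initRoot(String[] providerAdmins) {
        for (String admin : providerAdmins) {
            aclDao.create(new SimpleAclEntry(admin, ROOT, null, SimpleAclEntry.ADMINISTRATION));
        }
    }

    // Called from the Domain create use case. A null parent means a top-level Domain
    // whose ACL parent is the root; otherwise the Domain nests under another Domain.
    public void create(Domain domain, Domain parent) {
        AclObjectIdentity parentId = (parent == null) ? ROOT : identityOf(parent);
        // Null recipient: registers the acl_object_identity and its parent link only.
        aclDao.create(new SimpleAclEntry(null, identityOf(domain), parentId, SimpleAclEntry.NOTHING));
        // Domain administrators get unrestricted access to the Domain; the parent chain
        // gives them every Server (and nested Domain) registered beneath it.
        for (String admin : domain.administrators) {
            aclDao.create(new SimpleAclEntry(admin, identityOf(domain), parentId,
                                             SimpleAclEntry.ADMINISTRATION));
        }
    }

    // Called from the Server create use case: the Server's ACL parent is its Domain.
    public void create(Server server, Domain owner) {
        aclDao.create(new SimpleAclEntry(null, identityOf(server), identityOf(owner),
                                         SimpleAclEntry.NOTHING));
    }

    // Delete leaves before their parent: the child rows reference the parent's
    // acl_object_identity, so remove a Domain's Servers before the Domain itself.
    public void delete(Server server) { aclDao.delete(identityOf(server)); }
    public void delete(Domain domain) { aclDao.delete(identityOf(domain)); }

    // The separate ACL-administration use case: give a customer from the single users
    // database a mask (e.g. SimpleAclEntry.READ) on one Domain. The identity was
    // registered by create(), so only the acl_permission row is added here.
    public void grantCustomer(String username, Domain domain, Domain parent, int mask) {
        AclObjectIdentity parentId = (parent == null) ? ROOT : identityOf(parent);
        aclDao.create(new SimpleAclEntry(username, identityOf(domain), parentId, mask));
    }

    // Revoke one customer's access to one Domain without touching anyone else's rows.
    public void revokeCustomer(String username, Domain domain) {
        aclDao.delete(identityOf(domain), username);
    }
}
```

Two points worth keeping in mind when wiring this up: the ACL parent link is purely an acl_object_identity relationship, so the ORM mapping of Domain and Server can be whatever suits the application, as Ben notes; and because the service-provider administrators are granted only on the root, adding a new Domain never requires a per-administrator grant, which is the property that makes the single-root layout worth the extra row.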
___
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer