Hi Patrick

> Question 1:
> I would like to implement security over NT using acegi.
> I have access to the currently logged user (username, SID,
> group names, group SIDs). So the authentication has nothing
> to do except gathering the information (the authentication
> has been done when logging in NT). I will transform the groups
> to GrantedAuthority and set accesses on my business objects using
> these.
>
> What is the best way to do this?
> Which interfaces do I have to implement?
You need to do two things:

1. Present an Authentication object in a SecureContext, which is held in the ContextHolder. If you're accessing an existing NT user, I'm guessing this is a Swing application rather than a webapp, so you'll need to handle this in your application. Web applications tend to use the various packages under net.sf.acegisecurity.ui, which allow the web server to collect authentication details in various ways.

2. Ensure the Authentication object that was presented is valid in the AuthenticationManager. The easiest way of doing this would be to write an interface that implements AuthenticationManager, but you could do it at a lower layer like AuthenticationDao or AuthenticationProvider if you prefer (the reference documentation explains the differences). The AuthenticationManager (or delegate) will need to throw an exception if for some reason the Authentication object is invalid.

It's up to you at what point you collect the list of NT groups and convert them to GrantedAuthority objects. It would perhaps be most efficient to do this when interfacing with the NT system whilst creating the original Authentication object. Your AuthenticationManager is then a very simple system.

How to perform step 2 depends on your architecture. Is it a client-server, 2+ tier system, or a stand-alone app? What is your risk factor?

> Question 2:
> How can I implement "dynamic" security?
> For example to allow access to the owner of an object (owner is dynamic).

Any object should be able to enforce its own internal security by using ContextHolder.getContext().getAuthentication(). A preferable (more decoupled) approach would be to have an ObjectOwnerDao that includes a public Principal getOwnerOf(Object object) method. You then write an AccessDecisionVoter that detects any object passed as an argument to the secure method invocation. It would use ObjectOwnerDao to find out which principal owns the object. It would then compare that owning principal with the current calling principal and throw an exception or proceed as appropriate.

There are several other ways of doing a similar thing (e.g. just look up the owner from the object directly [you'd have to ensure the caller couldn't just change the principal on the object, perhaps by making the property immutable], have a different AccessDecisionVoter for each class, etc.).

HTH
Ben

_______________________________________________
Acegisecurity-developer mailing list
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
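A sketch of the ObjectOwnerDao / AccessDecisionVoter design described in the answer to Question 2, added here as an example and not code from the thread or from the Acegi project. ObjectOwnerDao is the hypothetical interface the answer names; the net.sf.acegisecurity package names, the AccessDecisionVoter and ConfigAttributeDefinition signatures and the AOP Alliance MethodInvocation type are assumed from the Acegi 0.x API, and the OWNER_ONLY attribute name is a constructed value.

```java
import java.security.Principal;
import java.util.Iterator;
import org.aopalliance.intercept.MethodInvocation;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.ConfigAttribute;
import net.sf.acegisecurity.ConfigAttributeDefinition;
import net.sf.acegisecurity.vote.AccessDecisionVoter;

/** Hypothetical DAO from the answer: resolves which principal owns a domain object. */
interface ObjectOwnerDao {
    /** Returns the owner, or null when this DAO does not track the given object. */
    Principal getOwnerOf(Object object);
}

/**
 * Votes on secure method invocations tagged OWNER_ONLY (constructed attribute name).
 * Grants access only when the calling principal owns every argument the DAO knows about;
 * denies (fails closed) when an argument belongs to someone else or nothing owned was found.
 */
public class OwnerVoter implements AccessDecisionVoter {
    private static final String OWNER_ONLY = "OWNER_ONLY";
    private final ObjectOwnerDao ownerDao;

    public OwnerVoter(ObjectOwnerDao ownerDao) { this.ownerDao = ownerDao; }

    public boolean supports(ConfigAttribute attribute) {
        return OWNER_ONLY.equals(attribute.getAttribute());
    }

    public boolean supports(Class clazz) {
        return MethodInvocation.class.isAssignableFrom(clazz);
    }

    public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
        boolean requested = false;                       // does this invocation carry OWNER_ONLY?
        for (Iterator it = config.getConfigAttributes(); it.hasNext();) {
            if (supports((ConfigAttribute) it.next())) { requested = true; }
        }
        if (!requested) { return ACCESS_ABSTAIN; }       // let RoleVoter etc. decide
        String caller = authentication.getName();        // Authentication extends Principal
        if (caller == null) { return ACCESS_DENIED; }    // no identity: never grant
        Object[] args = ((MethodInvocation) object).getArguments();
        boolean sawOwnedObject = false;
        for (int i = 0; i < args.length; i++) {
            Principal owner = ownerDao.getOwnerOf(args[i]);
            if (owner == null) { continue; }             // argument is not an owned object
            sawOwnedObject = true;
            if (!caller.equals(owner.getName())) { return ACCESS_DENIED; }
        }
        return sawOwnedObject ? ACCESS_GRANTED : ACCESS_DENIED;
    }
}
```

The owner comparison is done on the DAO's answer rather than on a field of the argument, which is the decoupling the answer recommends: the caller cannot influence the vote by altering the object it passes in.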
