1

I'm having I think a design problem. I'm starting to need to implement method-based security to ensure my users don't try anything funny.

I have users "owning" a certain business object who can add other users "owning" children of this business object. What I'd like is to check that the user trying to create the new user is indeed the owner of the father of the object for which the new user will be added.

It's not very clear, but here is my question: is it a very bad design when it means that I need to query my database to check for things in a PermissionEvaluator ? And if not, is it even possible ? I can't seem to be able to inject Spring components (@Service beans for exemple) in a PermissionEvaluator used by a SpEL @PreAuthorize rule.

Pierre
  • 853
  • 9
  • 21
  • Why don't you try Spring role-based security? Especially since you're already using Spring. Why write your own? http://projects.spring.io/spring-security/ – duffymo Feb 13 '14 at 21:53
  • Well I already use role-based security, but the roles are not finely-grained for some uses. For exemple, my users have the CAN_ADD_USER permission in their role, but it does not prevent them from adding users linked to business objects they don't own. I need to first check that they indeed are allowed to do the operation AND that they can do the operation on THAT object, do you see what I mean ? I'm also trying to avoid using ACL-based security that would solve everything apparently at some costs I'd like to avoid if possible. – Pierre Feb 13 '14 at 21:57

1 Answers1

1

To determine permissions on the fly based on database tables, spring security ACL is the safest choice. But as an alternative, you can create a custom access decision manager that has a custom voter that queries the database.

Check this answer for an example, in your case you would need a unanymous based access decision voter, with an AuthenticatedVoter to check that the user is logged in and a custom DBPermissionsVoter to decide if the user has permissions based on reference data.

The voters are spring beans, so you can inject any DAOs or services you need in them.

Community
  • 1
  • 1
Angular University
  • 42,341
  • 15
  • 74
  • 81