
My requirement is the following: We have an application that uses roles, let's say (ADMIN/USER/GUEST); depending on the role, users can access different sections of the application. However, in a specific section, some of them can see some actions/options/buttons/tabs; that means for two ADMIN users, the configuration of the screen and the available options could be different.

I was reading about DomainACL in spring security and spring-security permissions. I believe using DomainACL is not what I need to cover this requirement, as I don't need to have object-granular security.

My question is: is there a specific out-of-the-box feature of spring-security that can solve this requirement that I don't know of, taking into consideration that I need to add some Java tags in the JSP to remove buttons/controls from the UI? My other question is: will permissions without DomainACL be enough to solve this requirement, or am I missing something?

Basically I need to save the actions that can be executed by some users + the role of the users; let's say that I want to store in the database the permissions as "EXECUTE SEARCH", "VIEW_USER_TAB".

  • ADMIN / peter / "EXECUTE SEARCH", "VIEW_USER_TAB"
  • ADMIN / sarah / "EXECUTE SEARCH"
  • USER / john / "VIEW_USER_TAB"

I'm using spring-security 3.2 and JSP pages as my view technology.

Koitoer
  • Those aren't any different than `ROLE_ADMIN` or `ADMIN`. They are authorities and they are basically the same. You can just assign them and put a security tag around the button. – M. Deinum Jun 03 '15 at 20:30
  • But what about hasPermission and hasRole, can I use both interchangeably? I would like to use hasPermission("ACTION") in the Spring tags; will that also work? – Koitoer Jun 03 '15 at 20:39
  • `hasPermission` and `hasRole` are the same; the difference is that `hasPermission` prefixes with `ROLE_` depending on what you have set as the prefix to use. – M. Deinum Jun 04 '15 at 06:02

1 Answer


I did ROLES and OPERATION in my Application. Look at this answer, it helped me: Difference between Role and GrantedAuthority in Spring Security

Basically, what the article said is that there is no difference between roles and permissions: both are granted authorities and need to be placed on top of the security context to be able to manage the access to the different resources. Using hasRole or hasPermission is just about specifying something that is more readable for the developer, but both operate by analyzing the granted authorities domain.

Matt Bearson
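
The approach discussed in this thread (role and per-user permissions both issued as granted authorities), as an added example that is not code from the question or the answer. The class names, the in-memory map standing in for the database, and the `ROLE_` prefix on the role names are assumptions; the JSP tag only hides the control, so the same authority is also checked on the server-side method.

```java
import java.util.*;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.*;

// Hypothetical service: the role and each permission become one GrantedAuthority each.
public class PermissionUserDetailsService implements UserDetailsService {

    // Constructed sample data standing in for the database rows listed in the question.
    // Assumption: roles are stored with the ROLE_ prefix that hasRole() expects.
    private static final Map<String, List<String>> AUTHORITIES =
            new HashMap<String, List<String>>();
    static {
        AUTHORITIES.put("peter", Arrays.asList("ROLE_ADMIN", "EXECUTE SEARCH", "VIEW_USER_TAB"));
        AUTHORITIES.put("sarah", Arrays.asList("ROLE_ADMIN", "EXECUTE SEARCH"));
        AUTHORITIES.put("john", Arrays.asList("ROLE_USER", "VIEW_USER_TAB"));
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        List<String> names = AUTHORITIES.get(username);
        if (names == null) {
            throw new UsernameNotFoundException("unknown user: " + username);
        }
        List<GrantedAuthority> granted = new ArrayList<GrantedAuthority>();
        for (String name : names) {
            granted.add(new SimpleGrantedAuthority(name));
        }
        // Placeholder password; a real implementation returns the stored password hash.
        return new User(username, "placeholder", granted);
    }
}

// JSP side (spring-security-taglibs), hides the tab from users without the authority:
//   <sec:authorize access="hasAuthority('VIEW_USER_TAB')"> ...user tab... </sec:authorize>

// Hypothetical service enforcing the same authority on the server, so a request
// sent without the button is still rejected. Needs
// <global-method-security pre-post-annotations="enabled"/> in the security config.
class SearchService {
    @PreAuthorize("hasAuthority('EXECUTE SEARCH')")
    public List<String> search(String term) {
        return Collections.emptyList(); // search logic omitted; only the access check matters here
    }
}
```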