Acegi Plugin

Implement domain instance authorization

Details

  • Type: New Feature
  • Status: Closed
  • Priority: Major
  • Resolution: Won't Fix
  • Affects Version/s: Grails-Acegi 0.4.1
  • Fix Version/s: None
  • Component/s: None
  • Labels: None

Description

Probably can't use Spring Security's ACLs because of Hibernate. For example, if a user can see an Organization and Organization has a collection of Departments, some of which the user can't see, you can't just remove the denied instances from the collection: Hibernate will persist that change and permanently remove them from the collection. Need to look at filters, which are very limited in general but might help here. Also look at using event listeners and/or an interceptor.

Another option is to use metaclass and/or AOP and throw exceptions, but that's a little harsh.

Activity

Phillip Merensky added a comment -

Hello Burt and others.
I attached my implementation (based on Stephan February's work for plugin version 0.3) of Spring Security ACLs within the acegi plugin 0.5.1. To prevent naming confusion I renamed the plugin to the spring-security plugin.

A brief description of the functionality and configuration possibilities can be found here
http://imagesiteproject.wordpress.com/2009/09/24/integration-of-spring-security-into-grails-plugin-approach-3/ .

The plugin should work as expected apart from the three following known issues:

  • Access denied exception is not correctly wrapped at the moment although AccessDeniedHandler is configured (This however can be solved in userspace with a custom error page)
  • 'grails run-app' does not work with security calls, 'grails run-war' does
  • When using MySQL, InnoDB dialect must be configured

If questions remain, feel free to contact me. However, as I am quite busy at the moment, answers may take some time.

Hope this helps somebody
Regards,
Phillip

Phillip Merensky added a comment -

Plugin was tested with Grails version 1.1.

John Adelus added a comment -

I am very interested in leveraging this work.

Have there been any further developments?

Thanks

John

Burt Beckwith added a comment -

Please see http://burtbeckwith.com/blog/?p=287 for a writeup and download of an updated plugin based on work I did integrated with Phillip's work.

John Adelus added a comment -

Thanks Burt. I'll check it out.

John

Miguel Pastor added a comment -

Hi guys,

Are you still working on it? I have added ACL support to grails-acegi some time ago.

I attach my approach (I am still working on it, but it is working on Grails 1.2.1).

I would like to help/contribute to yours on building a stable version.

Regards,

Migue

PS: Sorry about my English

Miguel Pastor added a comment -

The previous attachment was not correct.

Miguel Pastor added a comment -

Hi again guys,

I was thinking it would be nice if the ACL creation logic were in the application and not in the plugin (I consider this logic application specific). The application I am developing currently creates three different ACLs on every domain entity to protect:

  • an ACL to authorize the owner (really the company of the user) of the object
  • an ACL to authorize a specific ROLE (ROLE_ANALYST)
  • an ACL to authorize another specific ROLE (ROLE_ADMIN)

Two different approaches have come to my mind (I have implemented both):

  • Two closures defined in SecurityConfig. These closures will be injected into the domain class events (beforeDelete and afterInsert). In this way we delegate the specific ACL creation logic to the application.
  • By convention, the application defines a bean with two methods (established by convention too). In this case, the injected code would retrieve the bean from the context and execute the methods on the bean configured by the application.

Additionally, I have modified the plugin in order to allow a configurable SID class (currently it uses PrincipalSid). This is a nice feature in multitenant environments where the company is really the owner of the objects (in my current application all users in a company have read/write access to all objects in it).

I attach a project with the code.

Regards,

Migue
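A sketch of the bean-by-convention approach described in the comment above (an application-defined bean whose two methods are called from the domain class's afterInsert and beforeDelete events, granting the owner company, ROLE_ANALYST and ROLE_ADMIN entries). This is an added example, not code from the attached project or from the plugin; the DomainAclService and Report class names, the aclService bean, the Company property and the "company:" PrincipalSid standing in for a custom SID class are assumptions, and the imports follow the Spring Security 3.x package layout.

```groovy
// grails-app/services/DomainAclService.groovy: the application-side bean that the
// domain events call by convention (class, method and bean names are assumed here).
import org.springframework.security.acls.domain.BasePermission
import org.springframework.security.acls.domain.GrantedAuthoritySid
import org.springframework.security.acls.domain.ObjectIdentityImpl
import org.springframework.security.acls.domain.PrincipalSid
import org.springframework.security.acls.model.MutableAcl
import org.springframework.security.acls.model.MutableAclService
import org.springframework.security.acls.model.ObjectIdentity
import org.springframework.security.acls.model.Sid

class DomainAclService {

    static transactional = true          // createAcl/updateAcl need a transaction

    MutableAclService aclService         // JdbcMutableAclService wired by the plugin (assumed bean name)

    // Owner SID is the user's company, so every user of that tenant shares the entries.
    // A PrincipalSid keyed on the company name stands in for a configurable SID class.
    private Sid ownerSid(domainInstance) {
        new PrincipalSid("company:${domainInstance.company.name}".toString())
    }

    // Called from the domain class afterInsert(): one ACL carrying the three entries.
    void afterInsert(domainInstance) {
        ObjectIdentity oid = new ObjectIdentityImpl(domainInstance.getClass(), domainInstance.id)
        MutableAcl acl = aclService.createAcl(oid)
        Sid owner = ownerSid(domainInstance)
        [BasePermission.READ, BasePermission.WRITE].each { p ->
            acl.insertAce(acl.entries.size(), p, owner, true)
        }
        acl.insertAce(acl.entries.size(), BasePermission.READ,
                      new GrantedAuthoritySid('ROLE_ANALYST'), true)
        acl.insertAce(acl.entries.size(), BasePermission.ADMINISTRATION,
                      new GrantedAuthoritySid('ROLE_ADMIN'), true)
        aclService.updateAcl(acl)
    }

    // Called from beforeDelete(): remove the ACL (and child ACLs) so no orphan entries remain.
    void beforeDelete(domainInstance) {
        aclService.deleteAcl(new ObjectIdentityImpl(domainInstance.getClass(), domainInstance.id), true)
    }
}

// grails-app/domain/Report.groovy: an assumed protected entity that delegates to the bean.
class Report {
    String title
    Company company                       // the tenant that owns this object (assumed class)
    def domainAclService
    static transients = ['domainAclService']
    def afterInsert()  { domainAclService.afterInsert(this) }
    def beforeDelete() { domainAclService.beforeDelete(this) }
}
```

createAcl takes the current Authentication from the SecurityContextHolder as the ACL owner, so the insert must happen inside an authenticated request.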

Burt Beckwith added a comment -

Implemented in the ACL plugin

