Implement Finer Access Control than Spring Security - Mon, 04:09 PM Sep 1 2008

Spring Security (formerly the Acegi Security System) provides powerful role-based security for web applications. The developer can limit access to certain URL patterns to specific user roles, for tasks such as restricting an administrative page to administrators. For fine-grained access control, Spring Security also offers a set of tags to include or exclude parts of a web page based on the user's roles.

Spring Security has a major limitation, however: a user's roles must be known at compile time. This severely limits the number of user roles that can exist in a web application. For example, to enable or disable some control features of a blog for its owner, the security system must recognize each blog owner individually. There is no way to implement this type of access control with compile-time values.

I implemented an access control system that recognizes runtime user roles with Spring Security and Acegi-JSF. Web pages use the "acegijsf:authorize" JSF tags from Acegi-JSF to include or exclude content based on the current user's roles. Here are the implementation details:

  • The first step is to grant each user of the web application a unique role, for example "ROLE_[username]", in the database. This special role uniquely identifies each user to the security system.
  • Next, download the Acegi-JSF libraries; these tags are JSF components that support value binding with managed beans. (Note: I had to modify some source code in the jar file to make acegi-jsf-1.1.3.jar work with Spring Security 2.0, mostly to change some imports.) Include the acegijsf tags in the JSF pages with the following directive:

      <%@ taglib uri="http://sourceforge.net/projects/jsf-comp/acegijsf" prefix="acegijsf" %>

  • Surround the protected contents with the following tags (they work just like the Spring Security tags):

      <acegijsf:authorize ifAllGranted="">
      <acegijsf:authorize ifAnyGranted="">
      <acegijsf:authorize ifNotGranted="">

  • Generate the appropriate user roles dynamically with managed beans in JSF and pass those values to the Acegi-JSF tags in the web pages.
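As an added example (not code from the original post), here is a managed bean that builds the "ROLE_[username]" value for the blog being viewed, so the page can bind it with ifAllGranted="#{blogBean.ownerRole}", and that re-checks the same role on the server before an owner-only action runs, since the tag only removes markup from the response. The bean name, the Blog stand-in class, the username rule and the reserved-name set are assumptions; the imports are the Spring Security 2.0 package names the post targets (3.x moved them under org.springframework.security.core).

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;
import org.springframework.security.Authentication;            // Spring Security 2.0 packages
import org.springframework.security.GrantedAuthority;          // (assumed; 3.x uses .core.*)
import org.springframework.security.context.SecurityContextHolder;

/** JSF managed bean (hypothetical name "blogBean") backing a single blog's page. */
public class BlogBean {
    private static final String ROLE_PREFIX = "ROLE_";
    // Only usernames matching this rule may become part of a role name; the same rule
    // must be enforced when the ROLE_[username] row is written to the database.
    private static final Pattern SAFE_USERNAME = Pattern.compile("^[a-z0-9_]{1,32}$");
    // Suffixes of the application's fixed roles (assumed set), so a user registering
    // as "admin" cannot obtain a per-user role that reads like ROLE_ADMIN.
    private static final Set<String> RESERVED =
            new HashSet<String>(Arrays.asList("admin", "user", "anonymous"));

    /** Minimal stand-in for the persistent blog entity (constructed for this example). */
    public static class Blog {
        private final String ownerUsername;
        public Blog(String ownerUsername) { this.ownerUsername = ownerUsername; }
        public String getOwnerUsername() { return ownerUsername; }
    }

    private Blog blog;
    public void setBlog(Blog blog) { this.blog = blog; }
    public Blog getBlog() { return blog; }

    // Value-bound from the page, so the role is computed per request:
    //   <acegijsf:authorize ifAllGranted="#{blogBean.ownerRole}"> ...edit controls... </acegijsf:authorize>
    public String getOwnerRole() {
        return ownerRole(blog.getOwnerUsername());
    }

    /** Builds ROLE_[username], refusing names that cannot safely become a role. */
    public static String ownerRole(String username) {
        if (username == null || !SAFE_USERNAME.matcher(username).matches()
                || RESERVED.contains(username)) {
            throw new IllegalArgumentException("username not eligible for a per-user role");
        }
        return ROLE_PREFIX + username;
    }

    /** Server-side gate: call this from any action the hidden controls trigger. */
    public boolean isCurrentUserOwner() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || auth.getAuthorities() == null) return false;
        String required = getOwnerRole();
        for (GrantedAuthority granted : auth.getAuthorities()) { // GrantedAuthority[] in 2.0
            if (required.equals(granted.getAuthority())) return true;
        }
        return false;
    }
}
```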

Copyright © 2008 CSFalcon