We are developing an application (using Grails Spring Security (formerly Acegi)) in which we will have thousands of users that span 10-15 discrete user types. In the current system, each type of user is equated to a "group", and certain roles and permissions are associated with the group. The user gets all of his "roles" from the group.
For example, we can have two user groups:
CLOWN: roles = ride_clown_car, toot_horn, receive_applause
ACROBAT: roles = do_flip, walk_tightrope, receive_applause
We have three users, one of which is assigned to the CLOWN group, one of which is assigned to the ACROBAT group, and the other is assigned to both (it has the union of the CLOWN and ACROBAT roles).
If we change permissions, we do it at the group level. For example, if we add the swing_on_trapeze permission to the ACROBAT group, all acrobats will automatically inherit it.
In Grails terms, permissions on controllers will still be at the role level. Thus, an action with @Secured(['toot_horn']) will allow users in the CLOWN group, but not in the ACROBAT group. @Secured(['receive_applause']) will allow both CLOWNs and ACROBATs.
How would this be done in Spring Security, given the two-level nature of the model (user, role)? Do I need to implement my own authentication to collect group-based roles?
Thanks!
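The three-level model the question describes (user, group, role) resolves to the two-level model Spring Security expects (user, granted authorities) by computing each user's authorities as the union of the roles of every group the user belongs to. The following is an added, stand-alone Groovy example written for this page; it is not code from the question, from Grails, or from the Spring Security Core plugin, and the class names Role, RoleGroup and User and the functions resolveAuthorities and allowedBySecured are this example's own. The group and role names are the question's, and the sample users are constructed here.

```groovy
// Added example (not from the question or from any plugin): a user's effective
// authorities are the union of the roles of all groups the user belongs to.
import groovy.transform.Canonical
import groovy.transform.TupleConstructor

@Canonical            // equality by authority name, so a shared role is deduplicated
class Role {
    String authority  // e.g. 'toot_horn'
}

@TupleConstructor     // identity-based equality: a group may gain roles later
class RoleGroup {
    String name       // e.g. 'CLOWN'
    Set<Role> roles = [] as Set
}

@TupleConstructor
class User {
    String username
    Set<RoleGroup> groups = [] as Set
}

// Resolve the effective authorities: the union of every group's roles.
// A role held by two groups (receive_applause) appears only once.
Set<String> resolveAuthorities(User user) {
    user.groups.collectMany { it.roles*.authority } as Set
}

// Mirrors the check @Secured([...]) performs: access is granted when the
// user holds at least one of the listed roles.
boolean allowedBySecured(User user, List<String> requiredRoles) {
    !resolveAuthorities(user).intersect(requiredRoles as Set).isEmpty()
}

// Constructed sample data mirroring the question.
def applause = new Role('receive_applause')
def clown   = new RoleGroup('CLOWN',   [new Role('ride_clown_car'), new Role('toot_horn'), applause] as Set)
def acrobat = new RoleGroup('ACROBAT', [new Role('do_flip'), new Role('walk_tightrope'), applause] as Set)

def bozo  = new User('bozo',  [clown] as Set)
def nadia = new User('nadia', [acrobat] as Set)
def both  = new User('both',  [clown, acrobat] as Set)

assert allowedBySecured(bozo,  ['toot_horn'])
assert !allowedBySecured(nadia, ['toot_horn'])
assert allowedBySecured(nadia, ['receive_applause'])
assert allowedBySecured(both,  ['toot_horn', 'do_flip'])
assert resolveAuthorities(both).size() == 5   // receive_applause counted once

// Changing permissions at the group level: every member inherits the new
// role immediately, without touching any user record.
acrobat.roles << new Role('swing_on_trapeze')
assert allowedBySecured(both,  ['swing_on_trapeze'])
assert allowedBySecured(nadia, ['swing_on_trapeze'])
assert !allowedBySecured(bozo, ['swing_on_trapeze'])

resolveAuthorities(both).sort().each { println it }
```

In a real deployment this resolution step belongs in the UserDetailsService (the object that loads a user and builds its GrantedAuthority collection), which is the one place that needs to know about groups; the @Secured annotations and the voters never see groups, only the flattened authority set. One caveat worth checking: Spring Security's default RoleVoter only considers authorities that start with the prefix ROLE_, so bare names like toot_horn will be silently ignored by that voter unless the names carry the prefix or the voter's prefix is configured to match.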