Geek Answers Handbook

Recommendations for modeling user restrictions in webapp?

I am creating a role-based access control webapp using Acegi (Spring) security. Therefore, I have different users with roles: ROLE_ADMIN , ROLE_USER , etc.
However, I need to implement various user restrictions.

Consider an example:

Suppose there is a site where users can watch movies online. There are users with the roles ROLE_STANDARD_USER and ROLE_VIP_USER . Standard users can watch 3 films a week, and vip users can watch 10 films a week and have some other privileges. And there is one user in the standard user group to whom I want to provide an additional 2 films per week. The number of permitted films can sometimes vary.
In addition, there are various categories of films: fantasy, comedy, classic, new films, etc. And I want some users, regardless of their role, to have access only to certain categories. Categories can be created and deleted dynamically.

Are there any standard methods for implementing this type of user restriction?
Can / should be done with Spring Security Roles and Permissions?
Or do I need to think about adding a rule-based mechanism to my application?

Thanks.

Edit:
The above example is fictitious, my project is related to providing remote access to various network (and other) equipment for students. However, the types of user restrictions are likely to be the same.
Unfortunately, the Model for user access and restrictions is not complete and stable. In the near future, I may need to implement various additional restrictions for users who are not yet known.
Therefore, I would like to choose a path that will facilitate the addition or change of new user restrictions in the future and will not require a significant revision of the internal model or database structure. If at all possible.

Edit 2

Currently, the main user restrictions are hard-coded (left over from the prototyping system). I assume that first I will try to reformat it first to some parameterized business service objects, and then think about where I can go from there. I will also consider using Spring Security Authorization Solution Managers.

Thanks for all the suggestions!

+4
source share
5 answers

I would not expect a role-based declarative security system to give the small-scale control you are looking for. You have already described a lot of business-based access control rules that you want to implement, and over time we could expect these rules to become more complex. Thus, you need a combination of information from the security subsystem (who is the user of this request, what roles they have), but then programmatically combines this with business data and rules (this user has the right to 2 free films, if today is in this range).

At the very least, I would define the services in which I encapsulate this business logic. The decision about whether to use a full-fledged rule engine needs further study.

+4
source

Before asking yourself, Acegi (or rule-engine, etc.) is the right place for this, I think you need to analyze your needs accurately and completely .

Given each topic (for example, movie restrictions that you can see), there are a huge number of ways to implement this, and you need to make a functional choice. There can be no correct implementation if you have not already decided on the details of what needs to be done!

Example Model for your needs:

  • Limit the number of shared films per week according to the amount of :
    • role (3 or 10)
    • bonus for each user (default 0 if not specified)
  • Update these numbers if necessary.
  • Limit movies to the list of categories:
    • if the list is specified for the user, use it
    • otherwise use the list provided for the role

This example has many consequences, which may be correct or unacceptable in your case.
Effects:

  • after updating the number, the limit changes immediately.
  • there is no memory of weekly restrictions, you cannot ask for it in the past (for example, to create statistics)
  • ...

Assuming this model does not fit your needs, you are faced with the difficult task of creating a model that really suits them. Only when you have it, think about implementation.

+1
source

If you consider Spring Security, this is one way to see how you can implement your solution. AccessDecisionVoter to decide on user access. Take a look at the source here

Also look at [javadoc] [2] for AccessDecisionVoter . You can implement your rules by implementing the vote method.

 int vote(Authentication authentication, Object object, ConfigAttributeDefinition config)

Let Spring handle access (authentication and authorization). If the decision becomes complicated, using a rule engine may be reasonable. Let the voting method invoke the rule engine. This provides a clear separation of duties. Let Spring Security handle the access, and let the rule engine compute the rules.

[2]: http://static.springsource.org/spring-security/site/apidocs/org/springframework/security/vote/AccessDecisionVoter.html#vote(org.springframework.security.Authentication , java.lang.Object, org.springframework.security.ConfigAttributeDefinition)

+1
source

It looks like you have authentication needs and authorization needs - many times people get two confused and / or join. Fortunately, Spring Security outlines the two very well. You will authenticate through the security chain (be it in the form of logj, openID, SSL X509), and then after you do this, log in with your specific users (in your AccessDecisionManagers) to find out if they have seen their allocated number films. If new business logic needs to be added later, it is simply a matter of writing new / more voters and entering them into your Manager.

0
source

More articles:


All Articles