I'd like to do some access level control on instances of my domain classes...e.g. a Book instance has an owner and I want to make sure that no one has access to that instance of the book besides the assigned owner. Is there a way to do this with JSecurity? Could you point me towards the appropriate classes I would use (or an example if one exists)? Thanks!!
Re: Instance level security on domain objects
Hi mjhugo,
JSecurity definitely handles what you require - in fact, it is one of the very core reasons why the framework was created in the first place.
JSecurity supports fine-grained (e.g. instance-level and other custom schemes) permission checking via two mechanisms
Choose what is easiest for you. If you choose Strings, JSecurity by default interprets the Strings and converts them into WildcardPermission instances, which are extremely flexible and sufficient for most folks.
In either case, the permission needs to be saved somewhere in a way that your Realm knows how to access it. Most people create Role objects that in turn have a collection of Permissions (either org.jsecurity.authz.Permission instances or the alternate Strings). These Role objects (and their permission collection) are usually saved to a database of some sort. Your Realm would know how to retrieve these role objects based on the current user (a method argument for every method on the Realm interface).
Here is how some of these permission checks would look in code:
import org.jsecurity.SecurityUtils;
import org.jsecurity.authz.Permission;
import org.jsecurity.subject.Subject;

Subject currentUser = SecurityUtils.getSubject();

// String example (default JSecurity config resolves to a WildcardPermission):
if ( currentUser.isPermitted( "book:123456:access" ) ) {
    // allow the current user to 'access' the book with id '123456'
}

// Permission class example:
Permission perm = new my.com.domain.security.BookPermission( 123456, "access" );
if ( currentUser.isPermitted( perm ) ) {
    // allow the current user to "access" book with id 123456
}
The 2nd example relies on the BookPermission's implies method to help the Realm determine if the current user is permitted or not.
Also check out the Quickstart documentation (work in progress) for more examples.
Please feel free to ask with any more questions - we're glad to help!
Cheers,
Les
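As an added example (not code from Les's post or from the JSecurity project), here is one way the hypothetical BookPermission referenced above could implement the implies() method so that an owner's granted permission covers requests for that one book only. It assumes org.jsecurity.authz.Permission declares the single method boolean implies(Permission p); the package name is taken from Les's snippet.

```java
// Added example, not from Les's post or the JSecurity project. Assumes
// org.jsecurity.authz.Permission declares only boolean implies(Permission p).
package my.com.domain.security; // package name taken from Les's snippet

import org.jsecurity.authz.Permission;

// Instance-level permission for one Book: a book id plus an action such as
// "access". The Realm grants the owner a BookPermission for that id; the
// Subject's isPermitted(...) then calls implies() on each granted permission
// with the requested permission as the argument.
public class BookPermission implements Permission {
    public static final String ANY = "*"; // wildcard for id or action

    private final String bookId;
    private final String action;

    public BookPermission(long bookId, String action) {
        this(String.valueOf(bookId), action);
    }

    public BookPermission(String bookId, String action) {
        if (bookId == null || action == null) {
            throw new IllegalArgumentException("bookId and action are required");
        }
        this.bookId = bookId;
        this.action = action;
    }

    // 'this' is the granted permission, 'p' the one being requested.
    public boolean implies(Permission p) {
        if (!(p instanceof BookPermission)) {
            return false; // never vouch for a permission of another type
        }
        BookPermission other = (BookPermission) p;
        boolean idOk = ANY.equals(bookId) || bookId.equals(other.bookId);
        boolean actionOk = ANY.equals(action) || action.equalsIgnoreCase(other.action);
        return idOk && actionOk;
    }

    // Stand-alone check of the owner-only rule described in the thread.
    public static void main(String[] args) {
        Permission ownerGrant = new BookPermission(123456, ANY); // what the Realm stores for the owner
        System.out.println(ownerGrant.implies(new BookPermission(123456, "access"))); // same book, action covered by wildcard
        System.out.println(ownerGrant.implies(new BookPermission(999999, "access"))); // a different book
        System.out.println(ownerGrant.implies(new BookPermission("*", "access")));    // a request for every book
    }
}
```

The granted side is what your Realm loads for the owner's Role; the requested side is whatever the application passes to isPermitted(), so a request for a different id or for all books is refused by the id comparison alone.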