Spring Security - How to change user roles dynamically?

Ranch Hand
Hi all,

I have a question about changing role dynamically in runtime. Suppose that we have a social network application (like Facebook) and we are using Spring security for authentication/authorization purpose.
When a person opens his Homepage this person has the ADMIN role and can do everything with his Homepage. However, when he is visiting another friend's Homepage he should only have the role USER which can only do some restricted actions (he cannot delete posts in the Homepage of his friend, for example).
If we use AuthenticationManagerBuilder then we can only set one fixed role for each user.

Can anyone help me with this question?

Thank you.
Saloon Keeper

Swerrgy Smith wrote:
If we use AuthenticationManagerBuilder then we can only set one fixed role for each user.

I never got into the details of Spring Security, but one of the things Spring security can do is leverage off of other security systems. In particular, it can work in conjunction with role-based access control in J2EE, and J2EE RBAC most definitely allows a user to have more than one role defined for a user.

However, I'm not sure that you really want to change security dynamically anyway. As a matter of fact, in J2EE, changes to a user's role set can only take effect by logging the user out and back in again. That's to prevent possible security issues that could be exploited while a user is transitioning roles. There is, after all, no role-modification API for J2EE security.

For something like whether or not you can edit a Facebook page, you'd usually simply test to see if the page belonged to the user or to someone else and display the appropriate buttons. To further enhance security, you'd check again on any update requests, just to make sure no one had built a false change request.

In the case of a community system, where some assets belonged to more than one user, you could check for not only ownership (presumably the community administrator(s)), but also for community (group) membership.
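The ownership and group-membership checks the reply describes, as an added example that is not code from either post: Spring Security method security with an authorization bean referenced from SpEL, so the decision is recomputed on every update request from the data rather than from a fixed role. `HomePage`, `HomePageRepository` (assumed to be backed by a real bean, e.g. Spring Data), `PageAuthorization` and `HomePageService` are names assumed here, and the build is assumed to keep parameter names so that `#pageId` resolves.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

@Configuration
@EnableMethodSecurity // turns on @PreAuthorize evaluation (Spring Security 5.6+)
class MethodSecurityConfig {}
// Assumed domain object: the page's owner and the friends in its group.
record HomePage(long id, String owner, Set<String> members) {}
// Assumed repository; a real application would back this with a Spring Data bean.
interface HomePageRepository { Optional<HomePage> findById(long id); }

// Referenced from SpEL as @pageAuth. The user's ROLE_ value never changes;
// the decision is recomputed on every request from ownership/membership data.
@Component("pageAuth")
class PageAuthorization {
    private final HomePageRepository pages;
    PageAuthorization(HomePageRepository pages) { this.pages = pages; }
    public boolean isOwner(long pageId, Authentication auth) {
        return pages.findById(pageId).map(p -> p.owner().equals(auth.getName()))
                    .orElse(false); // unknown page: deny rather than throw
    }
    public boolean isMember(long pageId, Authentication auth) {
        return pages.findById(pageId).map(p -> p.members().contains(auth.getName()))
                    .orElse(false);
    }
}

@Component
class HomePageService {
    private final Map<Long, List<String>> postsByPage = new ConcurrentHashMap<>();

    // Server-side re-check: hiding the Delete button in the view is not enough.
    @PreAuthorize("@pageAuth.isOwner(#pageId, authentication)")
    public boolean deletePost(long pageId, int index) {
        List<String> posts = postsByPage.get(pageId);
        if (posts == null || index < 0 || index >= posts.size()) return false;
        posts.remove(index);
        return true;
    }

    // Owner or group member may post; anyone else gets an AccessDeniedException.
    @PreAuthorize("@pageAuth.isOwner(#pageId, authentication) or @pageAuth.isMember(#pageId, authentication)")
    public void addPost(long pageId, String text) {
        postsByPage.computeIfAbsent(pageId, k -> new ArrayList<>()).add(text);
    }
}
```

Because the checks run inside the service proxy, a crafted request that skips the UI still fails with an AccessDeniedException before any data changes.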