Swerrgy Smith wrote:
If we use AuthenticationManagerBuilder then we can only set one fixed role for each user.
I never got into the details of Spring Security, but one of the things Spring Security can do is leverage off of other security systems. In particular, it can work in conjunction with role-based access control in J2EE, and J2EE RBAC most definitely allows a user to have more than one role defined for a user.
However, I'm not sure that you really want to change security dynamically anyway. As a matter of fact, in J2EE, changes to a user's role set can only take effect by logging the user out and back in again. That's to prevent possible security issues that could be exploited while a user is transitioning roles. There is, after all, no role-modification API for J2EE security.
For something like whether or not you can edit a Facebook page, you'd usually simply test to see if the page belonged to the user or to someone else and display the appropriate buttons. To further enhance security, you'd check again on any update requests, just to make sure no one had built a false change request.
In the case of a community system, where some assets belonged to more than one user, you could check for not only ownership (presumably the community administrator(s)), but also for community (group) membership.
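An added example, not part of the original post: the ownership and group-membership test described above, written in plain Java with no Spring Security API. One decision function drives both the edit button and the update handler, so a hand-built change request is rejected on the server. `PageAccess`, `Page` and the sample users are hypothetical names.

```java
import java.util.Map;
import java.util.Set;

// Added illustration; all class names and data here are hypothetical.
public class PageAccess {

    record Page(String id, String ownerId, String communityId) {}

    private final Map<String, Page> pages;
    private final Map<String, Set<String>> communityMembers; // community id -> user ids

    PageAccess(Map<String, Page> pages, Map<String, Set<String>> communityMembers) {
        this.pages = pages;
        this.communityMembers = communityMembers;
    }

    // Single decision point: owner first, then community (group) membership.
    boolean canEdit(String userId, Page page) {
        if (userId == null || page == null) return false;        // deny by default
        if (userId.equals(page.ownerId())) return true;
        if (page.communityId() == null) return false;            // personal page, not shared
        return communityMembers.getOrDefault(page.communityId(), Set.of()).contains(userId);
    }

    // Update handler: repeats the check using the authenticated session's user id,
    // never a user id or "editable" flag taken from the request body.
    void update(String authenticatedUserId, String pageId, String newBody) {
        Page page = pages.get(pageId);
        if (!canEdit(authenticatedUserId, page)) {
            throw new SecurityException("edit denied for page " + pageId);
        }
        // ... persist newBody for this page here ...
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Page personal = new Page("p1", "alice", null);
        Page shared = new Page("p2", "alice", "chess-club");
        PageAccess access = new PageAccess(
                Map.of("p1", personal, "p2", shared),
                Map.of("chess-club", Set.of("alice", "bob")));

        System.out.println(access.canEdit("alice", personal)); // owner: show the edit button
        System.out.println(access.canEdit("bob", shared));     // community member
        System.out.println(access.canEdit("bob", personal));   // neither owner nor member
        try {
            access.update("mallory", "p2", "forged change");   // request built by hand
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```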