0

Similar to the problem mentioned as below How to implement ACL at a group level? E.g. only teachers in school A can update school A's calendar

I am trying to solve below scenario Using acl spring security

We got a scenario to share the students result to group of teachers.In this scenario when a teacher login he can see the result only if teacher have read permission on Result object.If we need to share the result to group of teachers having 10 members in the group with read permission we need to give 10 entires in ACL_Entry table .This would be complicated as entries will increase with increase in group members and increase in permissions.Is there any other way such that if i share the result to group there will only one acl entry with group having read permission on result object with which automatically the teachers should get permission to read the object.Can you also explain with example how the schema would be.

Please help

Community
  • 1
  • 1
anu
  • 31
  • 6

2 Answers2

0

Possible duplicate: spring-security-authorization-for-custom-usergroups

If you look at this question you will find this possible solution:

I am using user groups with ACL mechanism. Basically I make sure that when ACL is created for an object the owner is set. Then when another user tries to access this object the owner's groups are checked to see if there is a match.

This of course means that when user changes his groups then the object 'goes with him'.

If you don't want this behavior you can have group object's ACL as a parent acl for a secure object. Then when a user changes groups you should set the correct entries for group object ACL. This way the secure object is tied to the user group not the user himself.

Spring Security Domain Object Security (ACLs)

These are actually two other possibilities different to what is described in the question you linked.

There is also a brief conversation in the comments of the question I linked so make sure to read it if you are intrigued.

Community
  • 1
  • 1
JIMI
  • 439
  • 2
  • 8
  • Thanks for your help JIMI. I used the scenario mentioned in my answer for sorting out this . But I want to get best solution for this problem by trying out your solution.I didn't get much examples related to handling group sharing using acl. Could you share example which explains the above two scenarios for better understanding of your solutions. – anu Feb 19 '16 at 06:57
0

To sort out the above problem I used below approach. I have users and user_role table in my schema.I m using db as authenticion manager in security context.

SchoolA is already the user of my application. Whenever a teacher is added to schoolA Group .I m adding schoolA as role to the teacher along with user role.while sharing result object to the schoolA group with read permission .I m considering schoolA as a GrantedAuthoritySid instead of PrincpalSid. So principal column will be false for SchoolA sid in ACL_SID table.Whenever teacher logs in while getting the results we check whether the teacher has read permission on the result object.but as teacher has schoolA role and schoolA role is having read permission. I m able to get the result object when teacher logs in. In this way I solved my above problem.

anu
  • 31
  • 6