Michael Mayr added a comment - 19/Mar/06 05:13 PM
A prototype for supporting hierarchical role models
Hi all,
I'm currently reworking my implementation: The idea behind the new version is to wrap UserDetailsService and UserDetails so that UserDetails.getAuthorities() returns all reachable granted authorities by taking into concern the RoleHierarchy. The HierarchicalRoleVoter will be dropped. You will be able to use Acegi's standard RoleVoter and you will be able to use Acegi's Authz Taglib as they are now. So this alternative will offer the maximum of backwards compatibility. Stay tuned! More news to come soon...

As promised I reworked my prototype for maximum backward compatibility. It wraps around existing UserDetails and UserDetailsService. You use Acegi's standard RoleVoter and Acegi's standard taglib as you would normally.
It is configured like this:

    <bean id="roleHierarchy" class="mm.hierarchicalroles.RoleHierarchyImpl">
        <property name="rolePrefix">
            <value>ROLE_</value>
        </property>
        <property name="roles">
            <value>
                ROLE_UNAUTHENTICATED
                ROLE_AUTHENTICATED
                ROLE_A
                ROLE_B
                ROLE_ADMIN
            </value>
        </property>
        <property name="hierarchy">
            <value>
                ROLE_A > ROLE_B
                ROLE_B > ROLE_AUTHENTICATED
                ROLE_ADMIN > ROLE_AUTHENTICATED
                ROLE_AUTHENTICATED > ROLE_UNAUTHENTICATED
            </value>
        </property>
    </bean>

    <bean id="userDetailsServiceWrapper" class="mm.hierarchicalroles.UserDetailsServiceWrapper">
        <property name="roleHierarchy">
            <ref bean="roleHierarchy"/>
        </property>
        <property name="userDetailsService">
            <ref bean="userDetailsService"/>
        </property>
    </bean>

I would like to hear what you think.

The reworked prototype with maximum backward compatibility
Short Announcement that may be of interest for Acegi release 2.0: I will upload a production-quality implementation of hierarchical roles for Acegi including JavaDocs and JUnit tests by the end of this week. In addition to that I already implemented some other improvements like less required configuration and automatic detection of cycles in the definition of the role hierarchy. I will also write a short paragraph for the Acegi Reference Guide about hierarchical roles.
I still have some work to do on this issue. I expect it to be done in a few days.
As promised, here is the "release candidate" of my hierarchical role contribution:
Code improvements are:

- reviewed and improved code
- less required configuration
- automatic detection of cycles in the role hierarchy definition
- unit tests for everything
- updated JavaDocs

See the attached HierarchicalRoles-RELEASECANDIDATE1.zip for an archive of all the code including tests.

I also wrote a paragraph about hierarchical roles for the Acegi Reference Guide. See the attached HierarchicalRoles.pdf for the PDF version or the attached HierarchicalRoles.odt for the OpenOffice 2.x version.

I am interested to hear from you what you think about it.

P. S.: Sorry that it took longer than expected, but recently my job required A LOT of attention so that I didn't find time to finish that easily (I am sure you know this problem, too).

Great job, works fine "as-is" for me :-) BTW, here's the RC-compatible definition for beans:
    <bean id="roleHierarchy" class="org.acegisecurity.userdetails.hierarchicalroles.RoleHierarchyImpl">
        <property name="hierarchy">
            <value>
                ROLE_ADMIN > ROLE_USER
                ROLE_USER > ROLE_GUEST
                ROLE_GUEST > IS_AUTHENTICATED_FULLY
            </value>
        </property>
    </bean>

    <bean id="daoUserDetailsServiceWrapper" class="org.acegisecurity.userdetails.hierarchicalroles.UserDetailsServiceWrapper">
        <property name="roleHierarchy" ref="roleHierarchy" />
        <property name="userDetailsService">
            <ref local="daoUserDetailsService"/>
        </property>
    </bean>

The new beans can be used with:

    <bean id="daoUserDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
        <property name="userMap">
            <value>
                root=secret,ROLE_ADMIN
                guest=secret,ROLE_GUEST
            </value>
        </property>
    </bean>

    <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
        <property name="userDetailsService"><ref local="daoUserDetailsServiceWrapper"/></property>
    </bean>

Well, I provide another implementation of RoleHierarchy that works with an acyclic graph. This means you can define roles with multiple inheritance such as (A > B, A > C, B > D, C > D). This can be used to group some roles together. However, be careful with graph definitions that can lead to (very) complicated rules: USE WITH CARE.
Example of use: suppose you have a webapp with two modules, A and B, protected by ROLE_A and ROLE_B, both inheriting the ROLE_AUTHED role. You can now define a ROLE_ADMIN that inherits both ROLE_A and ROLE_B, and thus ROLE_AUTHED. Access rules can be reduced to:

    <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="objectDefinitionSource">
            <value>
                /logout.html=ROLE_AUTHED
                /module_a/*.html=ROLE_A
                /module_b/*.html=ROLE_B
                /admin/*.html=ROLE_ADMIN
            </value>
            ...
        </property>
    </bean>

Hope this will help.

Regards.

Acyclic graph implementation of RoleHierarchy.
Thanks! I've added your code to the main source tree. It looks like a nice contribution. I've made some changes to convert it to use JDK 1.4 regexes since we have dropped the ORO dependency for the 2.0 release. You might want to review those (the tests still seem to pass OK).
@Jay: Thanks for finding a bug in the cycle detection of RoleHierarchyImpl. Under some circumstances the code incorrectly detected a cycle where there was none like in your (perfectly fine) example (A > B, A > C, B > D, C > D). The rest of the code was ok. In the spirit of true Test Driven Programming I added tests for your example in RoleHierarchyImplTests and then fixed the bug. The fix is straightforward and very small, it only involved fixing an if-condition. See my new attachment HierarchicalRoles-RELEASECANDIDATE2.zip for the fix and the added tests. Thanks for your help.
@Luke: Awesome, thanks for committing my code on trunk :-) Could you also commit my fix for RoleHierarchyImpl and the two additional tests (testComplexRoleHierarchy() and testNoCyclesInRoleHierarchy()) in RoleHierarchyImplTests, please? To simplify your diff I wrote the fix against your JDK 1.4 regexes trunk version. See my new attachment HierarchicalRoles-RELEASECANDIDATE2.zip for the fix in RoleHierarchyImpl and the added tests in RoleHierarchyImplTests (I did not touch the other files). Thanks in advance.

Cheers,
Michael

Ok. That's great. I've committed the latest changes (rev 2136). I'll close this issue now and people can raise more specific issues against the code as and if required.
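
The cycle-detection point raised in this thread, as an added example that is not the contributed Acegi code: reachable authorities are computed from "A > B" rules, and a role counts as a cycle only when it recurs on the current path, so the diamond (A > B, A > C, B > D, C > D) is accepted. The class name, method names and sample rules are hypothetical and constructed for illustration.

```java
import java.util.*;

/** Added illustration; names here are hypothetical, not Acegi API. */
public class RoleHierarchyDemo {

    /** Parses one "HIGHER > LOWER" rule per line into role -> directly included roles. */
    static Map<String, Set<String>> parse(String definition) {
        Map<String, Set<String>> edges = new LinkedHashMap<>();
        for (String line : definition.split("\\R")) {
            if (line.trim().isEmpty()) continue;
            String[] p = line.trim().split("\\s*>\\s*");
            if (p.length != 2) throw new IllegalArgumentException("Bad rule: " + line);
            edges.computeIfAbsent(p[0], k -> new LinkedHashSet<>()).add(p[1]);
        }
        return edges;
    }

    /** Depth-first walk: a cycle exists only if a role recurs on the current path. */
    static void collect(String role, Map<String, Set<String>> edges,
                        Deque<String> path, Set<String> reachable) {
        if (path.contains(role))
            throw new IllegalStateException("Cycle in role hierarchy at " + role);
        if (!reachable.add(role)) return; // already reached via another branch: a diamond
        path.push(role);
        for (String lower : edges.getOrDefault(role, Collections.emptySet()))
            collect(lower, edges, path, reachable);
        path.pop();
    }

    /** All authorities a user holding the granted roles effectively has. */
    static Set<String> reachableFrom(Collection<String> granted,
                                     Map<String, Set<String>> edges) {
        Set<String> reachable = new TreeSet<>();
        for (String role : granted) collect(role, edges, new ArrayDeque<>(), reachable);
        return reachable;
    }

    public static void main(String[] args) {
        // Constructed sample: the diamond from the thread, then a genuine cycle.
        Map<String, Set<String>> diamond = parse(
            "ROLE_A > ROLE_B\nROLE_A > ROLE_C\nROLE_B > ROLE_D\nROLE_C > ROLE_D");
        System.out.println(reachableFrom(List.of("ROLE_A"), diamond));
        Map<String, Set<String>> cyclic = parse("ROLE_A > ROLE_B\nROLE_B > ROLE_A");
        try {
            reachableFrom(cyclic.keySet(), cyclic); // walk from every role to validate
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```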