Tuesday, October 25, 2005

ACEGI: An Example of When to Use AffirmativeBased (instead of UnanimousBased) Voting when Controlling Access to Methods

In this example I have a simple interface, defined below, which needs role-based access control.

public interface IBean {
  // Workers and Managers can get the value.
  public String getValue();
  // Only Managers can set the value.
  public void setValue(String _value);
}

The access control is specified via a security interceptor like this:

  <bean id='securityInterceptor' class='...MethodSecurityInterceptor'>
    ...
    <property name='objectDefinitionSource'>
      <value>
        com.affy.IBean.getValue=ROLE_WORKER,ROLE_MANAGER
        com.affy.IBean.setValue=ROLE_MANAGER
      </value>
    </property>
  </bean>

Since the getValue method has more than one role associated with it, the kind of AccessDecisionManager you wire in as the accessDecisionManager bean matters (AffirmativeBased and UnanimousBased are decision managers; the RoleVoter they poll is the voter). UnanimousBased polls the config attributes one at a time, so with a RoleVoter each listed role becomes a separate requirement: a user must hold both ROLE_WORKER and ROLE_MANAGER to call getValue, and a user who is only a manager is denied just like a user who is only a worker. That is probably not what your security officer wants.

Using the AffirmativeBased decision manager means that one granting vote is enough, so the user only needs one of the roles to be able to execute the getValue method. Either way, if every voter abstains (for example, none of the attributes carries the ROLE_ prefix the RoleVoter looks for) access is denied unless allowIfAllAbstainDecisions is set to true, so check that property as well when you change managers.
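To make the difference concrete, here is a small model of the two decision managers run over the objectDefinitionSource above. It is an added illustration written for this post, not Acegi's own code: the functions mirror what RoleVoter.vote(), AffirmativeBased.decide() and UnanimousBased.decide() do with a single RoleVoter, and the worker/manager principals and the config lines are taken from the example.

```python
"""Model of Acegi access decisions for the IBean example: AffirmativeBased
versus UnanimousBased, each polling a single RoleVoter.

Added illustration for this post, not Acegi code. Acegi class names appear in
comments only to say what each function mirrors.
"""
from typing import Callable, Dict, List, Sequence, Set

# Equivalent of AccessDecisionVoter.ACCESS_GRANTED / ACCESS_DENIED / ACCESS_ABSTAIN
GRANTED, DENIED, ABSTAIN = 1, -1, 0
ROLE_PREFIX = "ROLE_"

# The objectDefinitionSource value from the bean definition above.
OBJECT_DEFINITION_SOURCE = """
com.affy.IBean.getValue=ROLE_WORKER,ROLE_MANAGER
com.affy.IBean.setValue=ROLE_MANAGER
"""

Voter = Callable[[Set[str], List[str]], int]


def parse_object_definition_source(text: str) -> Dict[str, List[str]]:
    """Map each fully-qualified method name to its config attributes (roles),
    in the order they were declared, as the interceptor would see them."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        method, _, attrs = line.partition("=")
        table[method.strip()] = [a.strip() for a in attrs.split(",") if a.strip()]
    return table


def role_voter(authorities: Set[str], attributes: List[str]) -> int:
    """Mirrors RoleVoter.vote(): only attributes starting with ROLE_ count;
    grant if the caller holds any of them, deny if it holds none of them,
    abstain if there is nothing with the prefix to vote on."""
    supported = [a for a in attributes if a.startswith(ROLE_PREFIX)]
    if not supported:
        return ABSTAIN
    return GRANTED if any(a in authorities for a in supported) else DENIED


def affirmative_based(authorities: Set[str], attributes: List[str],
                      voters: Sequence[Voter] = (role_voter,),
                      allow_if_all_abstain: bool = False) -> bool:
    """Mirrors AffirmativeBased.decide(): each voter sees the whole attribute
    list, one GRANTED vote is enough, DENIED only wins if nobody granted, and
    an all-abstain result falls back to allowIfAllAbstainDecisions."""
    denies = 0
    for vote_fn in voters:
        vote = vote_fn(authorities, attributes)
        if vote == GRANTED:
            return True
        if vote == DENIED:
            denies += 1
    return allow_if_all_abstain if denies == 0 else False


def unanimous_based(authorities: Set[str], attributes: List[str],
                    voters: Sequence[Voter] = (role_voter,),
                    allow_if_all_abstain: bool = False) -> bool:
    """Mirrors UnanimousBased.decide(): attributes are polled ONE AT A TIME, so
    with a RoleVoter every listed role is a separate requirement; a single
    DENIED vote on any attribute denies the call."""
    grants = 0
    for attr in attributes:
        for vote_fn in voters:
            vote = vote_fn(authorities, [attr])
            if vote == DENIED:
                return False
            if vote == GRANTED:
                grants += 1
    return True if grants > 0 else allow_if_all_abstain


def decide(manager: Callable[..., bool], authorities: Set[str], method: str,
           source: str = OBJECT_DEFINITION_SOURCE) -> bool:
    """Look up the method's attributes the way MethodSecurityInterceptor does
    and hand them to the chosen decision manager."""
    attributes = parse_object_definition_source(source)[method]
    return manager(authorities, attributes)


def decision_table(source: str = OBJECT_DEFINITION_SOURCE) -> Dict[tuple, bool]:
    """Every principal/method combination under both managers, keyed by
    (principal, short method name, manager), so the difference can be read off."""
    principals = {"worker": {"ROLE_WORKER"}, "manager": {"ROLE_MANAGER"}}
    managers = {"affirmative": affirmative_based, "unanimous": unanimous_based}
    table: Dict[tuple, bool] = {}
    for who, auths in principals.items():
        for method in parse_object_definition_source(source):
            short = method.rsplit(".", 1)[1]
            for name, mgr in managers.items():
                table[(who, short, name)] = decide(mgr, auths, method, source)
    return table


if __name__ == "__main__":
    for (who, method, manager), ok in sorted(decision_table().items()):
        print(f"{who:8} {method:9} {manager:12} -> {'granted' if ok else 'DENIED'}")
```

Running it prints the eight decisions; the line to look at is the worker calling getValue, which is granted under affirmative and denied under unanimous, and note that the manager is denied getValue under unanimous too, because ROLE_WORKER is polled on its own and the manager does not hold it.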
