Spring Security: SEC-994

Consider adding LogicalBased AccessDecisionManager implementation

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: 3.0.0 M1
    • Component/s: Core
    • Labels: None

      Description

      Please see

      http://forum.springframework.org/showthread.php?t=60966

      for an explanation of what I'm proposing.

      I saw Ben's ADM-based suggestion in

      http://forum.springframework.org/showthread.php?t=13230

      but I think it's fair to say that treating BRACE_LEFT (and probably even the connectives like CONDITION_AND) isn't especially "natural"; the proposal clearly accommodates the way ConfigAttributeDefinition and ConfigAttributes currently work. What I'd propose is still kludgy, but at least it hides that kludginess from the app developer. The idea is that you could have an intercept-url like this:

      <intercept-url pattern="/ordertranscripts.do" access="ROLE_ADMIN || (ROLE_STUDENT && IS_AUTHENTICATED_FULLY)"/>

      (If the AND is too ugly there we could do something else.) The access attribute would enter LogicalBased as a single ConfigAttribute, and then LogicalBased would parse that into a logical expression. The logical atoms of that expression (such as ROLE_STUDENT) would be wrapped with a new ConfigAttribute and that in turn with a new ConfigAttributeDefinition, and then the CAD would be passed to the voters as usual. After the various voters are done evaluating the atoms, we could evaluate the logical expression with a three-valued logic (true, don't care, false) and either grant or deny accordingly. ("Don't care" corresponds to abstain.)

      I'm attaching a proof of concept. It's entirely hardcoded (i.e. no parser) but it shows that the concept works. I'm not sure whether this proposal unacceptably abuses ConfigAttributeDefinition and ConfigAttribute but I guess I'm putting it out there to get feedback.
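
      The evaluation pipeline the reporter describes, as an added illustration (not the attached proof of concept and not Spring Security code): the access attribute is tokenised, its atoms are what the voters would see as individual ConfigAttributes, and the expression is then evaluated under a three-valued logic in which abstain is the "don't care" value. The GRANT/ABSTAIN/DENY encoding and the `votes` dict standing in for the real voters are assumptions of this example.

```python
"""Three-valued evaluation of a logical access expression (SEC-994 proposal)."""
import re

GRANT, ABSTAIN, DENY = 1, 0, -1  # constructed encoding of the voters' outcomes
ATOM = r"[A-Z_]+"                # ROLE_* / IS_AUTHENTICATED_* style attributes

def tokenize(expr):
    """Split the access attribute into atoms, '&&', '||' and parentheses."""
    tokens = re.findall(r"\(|\)|&&|\|\||" + ATOM, expr)
    if "".join(tokens) != "".join(expr.split()):  # leftover chars: syntax error
        raise ValueError(f"invalid access expression: {expr!r}")
    return tokens

def atoms(tokens):
    """Logical atoms; each would become its own ConfigAttribute for the voters."""
    return [t for t in tokens if re.fullmatch(ATOM, t)]

def evaluate(tokens, votes):
    """Recursive descent under strong three-valued logic: '||' is max and '&&'
    is min, so abstain sits between grant and deny; '&&' binds tighter."""
    toks = list(tokens)
    def take():
        if not toks:
            raise ValueError("unexpected end of expression")
        return toks.pop(0)
    def chain(op, combine, sub):             # sub (op sub)*, left to right
        value = sub()
        while toks[:1] == [op]:
            take()
            value = combine(value, sub())
        return value
    def atom():
        name = take()
        if name == "(":
            value = chain("||", max, lambda: chain("&&", min, atom))
            if take() != ")":
                raise ValueError("missing ')'")
            return value
        if not re.fullmatch(ATOM, name):
            raise ValueError(f"unexpected {name!r}")
        return votes.get(name, ABSTAIN)      # nobody voted on it: abstain
    value = chain("||", max, lambda: chain("&&", min, atom))
    if toks:
        raise ValueError(f"trailing input: {toks}")
    return value

def decide(access, votes, allow_if_all_abstain=False):
    """votes: atom -> voter outcome; an overall abstain falls back to the flag."""
    result = evaluate(tokenize(access), votes)
    return result == GRANT if result != ABSTAIN else allow_if_all_abstain
```

      With the intercept-url expression from the issue, a student whose session is not fully authenticated is denied, a fully authenticated student or an admin is granted, and an expression on which every voter abstains falls back to the flag, matching the allowIfAllAbstainDecisions behaviour of the existing decision managers.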

          Activity

          Luke Taylor added a comment -

          Thanks for the suggestion (and contribution). However, the planned support for EL-based access control should hopefully provide this kind of functionality out of the box, so I'm going to close this issue.


            People

            • Assignee: Luke Taylor
            • Reporter: Willie Wheeler
            • Votes: 0
            • Watchers: 0