As you probably already know when reading this blog our project consists of building an image managing website based on Grails with fine grained access control. Therefore we need access control not only on role level but on object level. This means that we have to define access rights for a dynamic set of roles each with a dynamic set of users. UserA e.g. may have ReadRights on ImageA but AdminRights on ImageB and UserB may have ReadRights on ImageB but AdminRights on ImageA. In this case a role based approach needs to define a role for each combination of permission and image. Because normal role based approaches are not developed for millions of roles we needed a different approach.
As we did not have enough time to implement a whole security system by ourself we decided to look into Spring Security which we had in mind because of the acegi security plugin for grails. Spring Security has several advantages which were for us in short:
- very flexible because security access can be defined on method level
- LDAP, RemeberMe and OpenID authentication
- long history (acegi security base) and thus a hopefully stable approach
Because of the use case mentioned in the beginning of this post the basic role based approach in “normal” Spring Security was not enough. Domain object security however seemed to be exactly what we needed. Some reasons for using domain object security in our case are:
- For each domain object instance (eg picture number 23) it is possible to define an own ACL (Access Control List) which contains ACEs (Access Control Entries). This way each object instance has its own list of principals (users) which again have its own permissions (read, write, etc.)
- White and black ACEs are supported (either restrict or enhance permissions)
- Furthermore inheritance of ACLs is supported
- Performance -> “one of the main capabilities of the Spring Security ACL module is providing a high-performance way of retrieving ACLs”
The only problem seemed to be that the Acegi Security Plugin for Grails did not support domain object security and that is why we decided to integrate Spring Security the spring-way into grails. How I solved this will be mentioned in the next post.
Regards,
Phillip
Jump to other parts of this series:
Image Site Project Blog 
0 Responses to “The Decision”