I am new to SS3, and I have read its reference; I also read the Spring Security book.
However, I do not find anything about role-permission.
For example, here is the config for form-based authentication:
<!-- use-expressions="true" is needed for hasRole(...)/permitAll; without it the
     access attributes are read as plain ROLE_ constants and hasRole('...') never matches -->
<http auto-config='true' use-expressions="true">
    <intercept-url pattern="/user/add/**" access="hasRole('USER_ADMIN')"/>
    <intercept-url pattern="/user/delete/**" access="hasRole('USER_ADMIN')"/>
    <intercept-url pattern="/login.jsp*" access="permitAll"/>
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
    <form-login login-page='/login.jsp'/>
</http>
I want to control the user operations (add/delete):
    <intercept-url pattern="/user/add/**" access="hasRole('USER_ADMIN')"/>
    <intercept-url pattern="/user/delete/**" access="hasRole('USER_ADMIN')"/>
I define the role ‘USER_ADMIN’, but this is not enough, since I want to distinguish users who have the ‘add’ permission from users who have the ‘delete’ permission.
Maybe I can add more roles like ‘user_admin_add’ and ‘user_admin_delete’.
But I do not think this is a good idea, since ‘add’ or ‘delete’ are permissions, not roles.
How can I do this?
Also, it seems that all the roles should be configured in the XML file; I wonder if I can add new roles and permissions dynamically (in the administrator page)?
Think of roles as privileges, and make them as granular as you need. Another thing: maybe you should make a more RESTful implementation. But that is another thread.
For example, your “delete” could be a “DELETE” HTTP method. Then you could have:
and a
curl -X DELETE -u login:password 'http://example.com/users/1'
would delete the user with id 1. With REST, since URIs are either identifiers or actions, there is no use in adding roles (privileges) dynamically, since those roles are meant to be used against a new resource, which should be in the XML file.
I’m afraid you cannot do this, unless you use wildcards, which in my opinion can lead to trouble if used carelessly.
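One way to model ‘add’ and ‘delete’ as separate permissions rather than roles, as an added example that is not from the original question or answer: the PERM_* authority names, the /users/** URL layout and the two sample users are assumptions. In Spring Security 3, hasRole() compares the authority string exactly as stored (no ROLE_ prefix is added), so an authority can carry a permission name, and the method attribute on intercept-url scopes each rule to one HTTP verb as the answer suggests.

```xml
<!-- Added example: permission-style authorities scoped by HTTP method (assumed names) -->
<http use-expressions="true">
    <!-- creating a user (POST /users) needs the 'add' permission only -->
    <intercept-url pattern="/users/**" method="POST"   access="hasRole('PERM_USER_ADD')"/>
    <!-- deleting a user (DELETE /users/{id}) needs the 'delete' permission only -->
    <intercept-url pattern="/users/*"  method="DELETE" access="hasRole('PERM_USER_DELETE')"/>
    <!-- everything else: any authenticated ROLE_USER may read -->
    <intercept-url pattern="/login.jsp*" access="permitAll"/>
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
    <form-login login-page="/login.jsp"/>
    <logout/>
</http>

<authentication-manager>
    <authentication-provider>
        <!-- static users for illustration; passwords are placeholders -->
        <user-service>
            <!-- alice may add users but not delete them -->
            <user name="alice" password="PLACEHOLDER_PASSWORD_1"
                  authorities="ROLE_USER,PERM_USER_ADD"/>
            <!-- bob holds both permissions -->
            <user name="bob" password="PLACEHOLDER_PASSWORD_2"
                  authorities="ROLE_USER,PERM_USER_ADD,PERM_USER_DELETE"/>
        </user-service>
    </authentication-provider>
</authentication-manager>
```

To grant or revoke PERM_* authorities from an admin page instead of editing the XML, replace user-service with jdbc-user-service (or a custom UserDetailsService) that loads each user's authorities from a table; the URL-to-permission mapping itself still lives in the config, which is the point the answer makes about roles not needing to be created dynamically.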