I want to implement role-based access control for each button and function in my application that can be modified at runtime. I’m implementing JSF 2.0 and EJB on Glassfish and currently using JSecurity with JDBCRealm to restrict access to the pages. But the problem is my client has requested runtime modification of the roles and access control, which cannot be performed with my current techniques without modifying the web.xml file and redeploying the application. I read through many posts regarding Spring Security. I want to check if this is possible with Spring Security, and whether such a mechanism to control access dynamically (editable at runtime) for pages, plus button- and field-level access, is available in Spring.
I’m using JSF 2.0, Glassfish 3.1, EJB 3.0, and J_Security_check for authentication.
Yes, it is possible with Spring Security. Spring Security allows runtime manipulation of Access Control List (ACL) fields through the MutableAcl interface. It allows creating, updating and deleting access control entries (ACEs) and also provides the JdbcMutableAclService to persist these changes to the JDBC datastore.
See also:
You can see the sample application available here
Instructions to run Spring Security sample applications.
You need to have your database ready with the acl tables before you can try these samples. Here is the schema for Spring ACL tables
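A sketch of the runtime grant/revoke flow the answer describes, as an added example that is not part of the original answer or of the Spring Security samples. The class name `UiElementAclAdmin`, the ACL type `ui.element` and the numeric element ids are hypothetical; it assumes a configured `MutableAclService` bean (such as `JdbcMutableAclService`), Spring transaction management, and an authenticated caller whom the configured `AclAuthorizationStrategy` allows to change ACLs.

```java
import java.util.Arrays;
import java.util.List;
import org.springframework.security.acls.domain.GrantedAuthoritySid;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.model.AccessControlEntry;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid;
import org.springframework.transaction.annotation.Transactional;
/** Hypothetical admin service: changes a role's access to one UI element without redeploying. */
public class UiElementAclAdmin {
    private static final String TYPE = "ui.element"; // assumed ACL class name for buttons/fields
    private final MutableAclService aclService;      // e.g. a JdbcMutableAclService bean
    public UiElementAclAdmin(MutableAclService aclService) { this.aclService = aclService; }
    private static ObjectIdentityImpl oid(long id) { return new ObjectIdentityImpl(TYPE, Long.valueOf(id)); }

    @Transactional
    public void grant(long elementId, String role, Permission permission) {
        MutableAcl acl;
        try {
            acl = (MutableAcl) aclService.readAclById(oid(elementId));
        } catch (NotFoundException e) {
            acl = aclService.createAcl(oid(elementId)); // owner = currently authenticated principal
        }
        acl.insertAce(acl.getEntries().size(), permission, new GrantedAuthoritySid(role), true);
        aclService.updateAcl(acl); // persists the new ACE
    }

    @Transactional
    public void revoke(long elementId, String role, Permission permission) {
        MutableAcl acl = (MutableAcl) aclService.readAclById(oid(elementId));
        Sid sid = new GrantedAuthoritySid(role);
        List<AccessControlEntry> entries = acl.getEntries();
        for (int i = entries.size() - 1; i >= 0; i--) { // backwards: later indexes shift on delete
            AccessControlEntry ace = entries.get(i);
            if (ace.getSid().equals(sid) && ace.getPermission().equals(permission)) { acl.deleteAce(i); }
        }
        aclService.updateAcl(acl);
    }

    public boolean isAllowed(long elementId, String role, Permission permission) {
        try {
            return aclService.readAclById(oid(elementId)).isGranted(
                    Arrays.asList(permission), Arrays.<Sid>asList(new GrantedAuthoritySid(role)), false);
        } catch (NotFoundException e) {
            return false; // no ACL for the element, or no matching ACE: deny by default
        }
    }
}
```

A JSF `rendered` attribute can hide a button based on `isAllowed`, but the same check has to be repeated in the EJB or action method behind the button, since hiding a control does not stop a crafted request.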