I’m preparing to port one Java Swing application to the web. The application is a multibusiness application, so for each business there will be at least one administrator, and this administrator can grant privileges (for each module) to the users of the business.
In other words: I have the modules Accounts, Customers and Invoices, and the permissions read and write. Business A has 3 users: John, Mike & Mary.
John is the administrator, and grants Mike read & write access to Customers and Invoices, but no access to Accounts, and grants Mary read and write access to Accounts, read access to Invoices and no access to Customers.
And my question is: is there any module/plugin to do this for Play Framework or Grails? If not, how can I do this?
For Grails, there are plugins for both Spring Security and Shiro.
With Spring Security you can create roles at runtime, and add users to roles at runtime.
There’s a plugin called spring-security-ui that gives you a GUI for doing this, but I don’t think it fits your use case, as you probably don’t want John to grant access to other businesses than his own. Spring-security-ui is more of a super administrator GUI. But it should be easy to create your own user interface for granting access.
You will need to decide if you want three roles: ROLE_ADMIN, ROLE_READ and ROLE_WRITE, and add an extra check (e.g. a filter) to check that the user is trying to access its own business. Or if you want to dynamically add three roles for each business, i.e. ROLE_BUSINESS1_ADMIN, ROLE_BUSINESS2_ADMIN etc.
To add a role dynamically:
To add a role to a user:
(In the example above, the domain objects are called Person and Role, but you can use any other name.)
To dynamically add access rules to URLs, you need to use Requestmap Instances Stored in the Database, or you can check access programmatically with
SpringSecurityUtils.ifAnyGranted(roles)
I have no experience with Shiro, but I guess it can do the same things.
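The first option in the answer (shared permissions plus an extra check that the user is accessing their own business), applied to the question's John, Mike and Mary scenario as an added example that is not part of the original answer. It is plain Groovy with no plugin dependency; the names User, AccessControl, AppModule and Permission and the second-business administrator Eve are assumptions made for illustration.

```groovy
// Added example: hypothetical names, no Spring Security or Shiro dependency.
enum AppModule { ACCOUNTS, CUSTOMERS, INVOICES }
enum Permission { READ, WRITE }

class User {
    String name
    String businessId                       // tenant the user belongs to
    boolean admin = false                   // administrator of that business only
    Map<AppModule, Set<Permission>> grants = [:]   // empty means no access
}

class AccessControl {
    // An administrator may change grants only for users of the same business.
    static void grant(User actor, User target, AppModule module, Set<Permission> perms) {
        if (!actor.admin || actor.businessId != target.businessId) {
            throw new SecurityException("${actor.name} may not grant to ${target.name}")
        }
        target.grants[module] = perms
    }

    // Tenant check first, then the per-module permission.
    static boolean allowed(User user, String resourceBusinessId, AppModule module, Permission perm) {
        if (user.businessId != resourceBusinessId) return false
        return (user.grants[module] ?: []).contains(perm)
    }
}

def john = new User(name: 'John', businessId: 'A', admin: true)
def mike = new User(name: 'Mike', businessId: 'A')
def mary = new User(name: 'Mary', businessId: 'A')
def eve  = new User(name: 'Eve', businessId: 'B', admin: true)  // constructed: other business

def readWrite = [Permission.READ, Permission.WRITE] as Set
AccessControl.grant(john, mike, AppModule.CUSTOMERS, readWrite)
AccessControl.grant(john, mike, AppModule.INVOICES, readWrite)
AccessControl.grant(john, mary, AppModule.ACCOUNTS, readWrite)
AccessControl.grant(john, mary, AppModule.INVOICES, [Permission.READ] as Set)

assert AccessControl.allowed(mike, 'A', AppModule.INVOICES, Permission.WRITE)
assert !AccessControl.allowed(mike, 'A', AppModule.ACCOUNTS, Permission.READ)
assert !AccessControl.allowed(mary, 'A', AppModule.INVOICES, Permission.WRITE)
assert !AccessControl.allowed(mary, 'A', AppModule.CUSTOMERS, Permission.READ)
assert !AccessControl.allowed(mike, 'B', AppModule.INVOICES, Permission.READ)  // other tenant

boolean rejected = false
try { AccessControl.grant(eve, mike, AppModule.ACCOUNTS, readWrite) }
catch (SecurityException ignored) { rejected = true }
assert rejected   // an admin of business B cannot grant to a user of business A
```

In a Grails application the same two checks would sit in the filter or service that guards each module, with the business id taken from the authenticated user rather than from a request parameter.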