In my application I have a top level entity called Organization. The relationship between User and Organization is many-to-many.
Because of this I could have the following scenario:
- UserA has role ROLE_ADMIN for OrganizationA
- UserA has role ROLE_USER for OrganizationB
I need to ensure that when UserA accesses resources for OrganizationB he is not doing it as an ADMIN. So I need an additional check that the user has the correct roles at the organization level. Is there anything built into Spring Security that allows for this? If not, does anyone know what the best way would be to about solving this?
UPDATE: A bit more information…
A User logs in and chooses which org they want to work with. That is stored in the session. Beyond that, URLs are locked down with the Secured annotation. What that means is that if UserA were to log in and select OrgA, they should be able to access /admin/user/create however, if they log in and choose OrgB they should not have access to that URL.
The long way is to add additional checks in every method where this matters. So call some service method that says “ok, you’re an admin for OrgA but not for OrgB and you’re logged in using OrgB, so deny this request”.
I’m hoping for a more grails / spring-security way of handling this.
You can probably do this by using a custom
AccessDecisionVoter. Thevotemethod will supply you with the “configuration attributes” for the resource (method or URL), which will typically be the required roles, and you can obtain the current user’s roles/authorities either directly from theAuthenticationobject, or by reading the current org and selecting the appropriate roles for the user.I’m assuming that you have some way of differentiating the user’s roles, based on the org they’ve selected.
Essentially, you’d be writing an extended version of the standard
RoleVoter, which takes the organization into account.