SEC-2616: PermissionEvaluator chain-of-responsibility implementation #2833

Open
@spring-projects-issues

Christopher Smith (Migrated from SEC-2616) said:

I'm building an application where the domain security policy is built up from a number of independent rules (e.g., user A can give user B temporary permission to upload files to user A's account: hasPermission(owner, 'upload')), and it seems that these rules should be assembled in a Chain of Responsibility, similar to chaining logic present elsewhere in Spring Security. As I understand the architecture, the system expects exactly one PermissionEvaluator to be present, in contrast with the way that MessageConverters register for particular pairs of classes.

Would it be appropriate to add a PermissionEvaluatorChain implementation that ran through a series of permit/deny/pass rules to the main Spring Security distribution? If so, would directly adding support for building and configuring rule-based permission evaluators fit with the plans for upcoming versions (4.1 or so)?
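
The chain requested above could look like the following. This is an added example, not part of the original issue and not Spring Security code. Only the `PermissionEvaluator` interface is real; `PermissionEvaluatorChain`, `Vote`, `PermissionRule`, `UploadGrant` and `temporaryUpload` are hypothetical names. It assumes the first rule that returns PERMIT or DENY decides, that the target object is the owner's username, and that a chain in which every rule passes denies.

```java
import java.io.Serializable;
import java.time.Instant;
import java.util.List;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

/** Hypothetical class; not shipped by Spring Security. */
public final class PermissionEvaluatorChain implements PermissionEvaluator {

    public enum Vote { PERMIT, DENY, PASS }

    /** Hypothetical rule contract: PASS means "no opinion, ask the next rule". */
    public interface PermissionRule {
        Vote evaluate(Authentication auth, Object target, Object permission);
    }

    /** Constructed domain type for the issue's temporary upload example. */
    public record UploadGrant(String owner, String grantee, Instant expires) { }

    /** Sample rule: the grantee may upload to the owner's account until expiry. */
    public static PermissionRule temporaryUpload(List<UploadGrant> grants) {
        return (auth, target, permission) -> {
            if (!"upload".equals(permission)) return Vote.PASS;
            boolean live = grants.stream().anyMatch(g -> g.owner().equals(target)
                    && g.grantee().equals(auth.getName()) && Instant.now().isBefore(g.expires()));
            return live ? Vote.PERMIT : Vote.PASS; // expired or absent grant: no opinion
        };
    }

    private final List<PermissionRule> rules;

    public PermissionEvaluatorChain(List<PermissionRule> rules) {
        this.rules = List.copyOf(rules); // immutable; list order is evaluation order
    }

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || target == null) return false;
        for (PermissionRule rule : rules) {
            Vote vote = rule.evaluate(auth, target, permission);
            if (vote == Vote.PERMIT) return true;
            if (vote == Vote.DENY) return false;
        }
        return false; // every rule passed: fail closed
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        return false; // id-based checks are not modelled by these rules, so deny
    }
}
```

Because the first decisive vote wins, rule order is part of the policy: a DENY rule placed after a broader PERMIT rule never runs.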

Labels: in: acl (An issue in spring-security-acl), type: enhancement (A general enhancement), type: jira (An issue that was migrated from JIRA)
