Description
Christopher Smith (Migrated from SEC-2616) said:
I'm building an application where the domain security policy is built up from a number of independent rules (e.g., user A can give user B temporary permission to upload files to user A's account: hasPermission(owner, 'upload')), and it seems that these rules should be assembled in a Chain of Responsibility, similar to chaining logic present elsewhere in Spring Security. As I understand the architecture, the system expects exactly one PermissionEvaluator to be present, in contrast with the way that MessageConverters register for particular pairs of classes.
Would it be appropriate to add a PermissionEvaluatorChain implementation that ran through a series of permit/deny/pass rules to the main Spring Security distribution? If so, would directly adding support for building and configuring rule-based permission evaluators fit with the plans for upcoming versions (4.1 or so)?
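A sketch of the chain described in the request above, added here as an illustration; it is not code from the reporter or from Spring Security. `Decision`, `PermissionRule`, the `temporaryUpload` rule and its "grantee->owner" grant map are hypothetical. Only the `PermissionEvaluator` and `Authentication` interfaces are real Spring Security types. The chain fails closed when every rule passes.

```java
import java.io.Serializable;
import java.time.Clock;
import java.time.Instant;
import java.util.List;
import java.util.Map;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

// Hypothetical names: Decision, PermissionRule and this chain class are not Spring Security types.
enum Decision { PERMIT, DENY, PASS }
interface PermissionRule {
    // target is null when the caller supplied only an id/type pair
    Decision evaluate(Authentication auth, Object target, Serializable id, String type, Object permission);
}

public class PermissionEvaluatorChain implements PermissionEvaluator {
    private final List<PermissionRule> rules;
    public PermissionEvaluatorChain(List<PermissionRule> rules) {
        this.rules = List.copyOf(rules); // evaluation order is fixed at construction
    }

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        return decide(auth, target, null, null, permission);
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable id, String type, Object permission) {
        return decide(auth, null, id, type, permission);
    }

    private boolean decide(Authentication auth, Object target, Serializable id, String type, Object permission) {
        if (auth == null || !auth.isAuthenticated()) return false; // rules never see unauthenticated callers
        for (PermissionRule rule : rules) {
            Decision d = rule.evaluate(auth, target, id, type, permission);
            if (d == Decision.PERMIT) return true;  // first definite answer wins
            if (d == Decision.DENY) return false;
        }
        return false; // every rule passed: fail closed
    }

    // Constructed sample rule: key "grantee->owner" maps to the grant's expiry time.
    public static PermissionRule temporaryUpload(Map<String, Instant> grants, Clock clock) {
        return (auth, target, id, type, permission) -> {
            if (target == null || !"upload".equals(permission)) return Decision.PASS;
            Instant expiry = grants.get(auth.getName() + "->" + target);
            return expiry != null && clock.instant().isBefore(expiry) ? Decision.PERMIT : Decision.PASS;
        };
    }
}
```

Because the first PERMIT or DENY ends evaluation, rule order is part of the policy: deny rules meant to override grants have to be listed before the rules that permit.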