Spring Security with dynamic roles management

Charles Morin

I am currently migrating from Struts1/EJB3 to Spring MVC 4.0.4/EJB3. Application server is JBoss 4.2.3 (JBoss 7.x in the works).

My current security roles are stored in the database (for instance: administrator, validator and officer). For each role, admins can check or uncheck features (use cases) they want members to have access to (add a new file, update a file, delete a file, etc.). I also have a "method" table in which all my "secured" features are stored (add a new file, update a file, delete a file, etc.).

My application must have user management and role management, so application owners (admins) can add users and roles, and also make changes to existing roles if necessary.

There is no login form. Login sequence goes like this:

  • Create an HTTP Session.
  • Gather current user ID from JCIFS.
  • Search user in Active Directory.
    • If found in AD, look for a user record in the user table.
    • If found in database, sync user details with AD (from step 4).
      • Gather roles from database and set them into user's session.
    • Redirect to application's home page.

I would like to get the benefits of Spring Security and at the same time offer the flexibility my clients are used to having with their applications.

Any hints would be much appreciated.

Thank you
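
The login sequence and role/feature tables described above, sketched against Spring Security's pre-authentication interfaces. This is an added example, not part of the original post. `RoleFeatureDao`, its methods and the feature codes are hypothetical, and it assumes a pre-authentication filter has already placed the JCIFS user ID in the token.

```java
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/** Hypothetical DAO over the user, role and "method" tables from the question. */
interface RoleFeatureDao {
    boolean userExists(String userId);
    Collection<String> findRoles(String userId);    // e.g. "administrator"
    Collection<String> findFeatures(String role);   // e.g. "FILE_DELETE" (constructed code)
}

/** Builds the user's authorities from the database once the user is already identified. */
public class DbAuthoritiesUserDetailsService
        implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {

    private final RoleFeatureDao dao;

    public DbAuthoritiesUserDetailsService(RoleFeatureDao dao) {
        this.dao = dao;
    }

    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) {
        String userId = token.getName();
        // Fail closed: known to AD but absent from the user table means no session.
        if (!dao.userExists(userId)) {
            throw new UsernameNotFoundException("No application account for " + userId);
        }
        Set<GrantedAuthority> authorities = new LinkedHashSet<GrantedAuthority>();
        for (String role : dao.findRoles(userId)) {
            authorities.add(new SimpleGrantedAuthority("ROLE_" + role.toUpperCase(Locale.ROOT)));
            // Grant each feature checked for the role, so code tests features, not role names.
            for (String feature : dao.findFeatures(role)) {
                authorities.add(new SimpleGrantedAuthority(feature));
            }
        }
        // The password is unused in a pre-authenticated flow but must not be null.
        return new User(userId, "N/A", authorities);
    }
}
```

Secured methods can then check a feature rather than a role, for example `@PreAuthorize("hasAuthority('FILE_DELETE')")`, so admins can regroup features under roles without code changes. Authorities are read at login, so an edit to a role takes effect at the user's next login.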
