Reputation: 331
I am using Spring Security in my project. I have a question about it because I have 3 roles in my IS: user, manager, admin. My system has many rooms, and every room has one manager. But a manager can manage only his own room. What is the best way to do this? Now I have only basic security, where a manager can manage all rooms. But that is correct only for the administrator. My question is: what is the best and fastest way? (Because this solution seems to be a little bit huge.)
use roles and permissions in the controller:
@PreAuthorize("hasRole('ROLE_FORUM_MANAGER') and hasPermission(#forum,'update'))
and domain ACLs:
http://docs.spring.io/spring-security/site/docs/3.1.x/reference/domain-acls.html
or something else?
I am asking for the easiest and fastest way.
Upvotes: 0
Views: 1350
Reputation: 43087
This is the most typical case for using the ACL-based solution, because the permission can only be determined from the domain object being used.
To do this with ACLs, start by creating an ACL for each room. Then register each user as a security identity of type principal in the SID table. Then grant each user access to their room by creating an ACE (access control entry) linking the room's ACL to the user's SID.
Role-based authentication (RBAC) should not be applicable here, as it does not allow giving fine-grained permissions that depend on the relation between the user and a domain object.
It's possible to combine RBAC hasRole with ACL hasPermission(#forum,'update'), but since we will already be using ACLs, it's better to use only ACLs in order to push the permission access down to the data only.
If we later change our minds about who accesses a given room, there is no code impact, only an impact on the security reference data.
Upvotes: 3
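The three steps in the answer (an ACL per room, a principal SID per manager, ACEs linking the two), written out as an added example that is not from the question, the answer or the Spring Security project. It assumes a `JdbcMutableAclService` bean over the standard ACL schema (ACL_SID, ACL_CLASS, ACL_OBJECT_IDENTITY, ACL_ENTRY), an `AclPermissionEvaluator` wired into the method-security expression handler so that `hasPermission` consults the ACL tables, and that administrators carry the authority `ROLE_ADMIN`; the `Room` class, `RoomAclService` and `RoomController` are hypothetical names. Note that `'update'` from the question is not a name the default `DefaultPermissionFactory` knows (it resolves READ, WRITE, CREATE, DELETE, ADMINISTRATION, or an integer mask), so the example uses `'WRITE'`.

```java
import java.util.List;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.GrantedAuthoritySid;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.AccessControlEntry;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid;
import org.springframework.transaction.annotation.Transactional;

/** Hypothetical domain object. ObjectIdentityImpl(domainObject) reads getId() reflectively, so keep the getter. */
class Room {
    private final Long id;
    private final String name;
    Room(Long id, String name) { this.id = id; this.name = name; }
    public Long getId() { return id; }
    public String getName() { return name; }
}

/** Hypothetical service that performs the three steps from the answer against a MutableAclService. */
public class RoomAclService {
    // Assumption: administrators hold ROLE_ADMIN; a GrantedAuthoritySid lets one ACE cover all of them.
    private static final Sid ADMINS = new GrantedAuthoritySid("ROLE_ADMIN");
    private final MutableAclService aclService;

    public RoomAclService(MutableAclService aclService) {
        this.aclService = aclService;
    }

    /** Step 1: one ACL per room (ACL_OBJECT_IDENTITY row). Step 2: a principal-type SID for the manager
     *  (ACL_SID row). Step 3: ACEs (ACL_ENTRY rows) linking that SID to the room's ACL. Admins get ACEs too. */
    @Transactional
    public void registerRoom(Room room, String managerUsername) {
        ObjectIdentity oid = new ObjectIdentityImpl(Room.class, room.getId());
        MutableAcl acl;
        try {
            acl = (MutableAcl) aclService.readAclById(oid);
        } catch (NotFoundException e) {
            acl = aclService.createAcl(oid); // caller must be authenticated: it becomes the initial owner
        }
        Sid manager = new PrincipalSid(managerUsername);
        acl.setOwner(manager);
        grant(acl, manager, BasePermission.READ);
        grant(acl, manager, BasePermission.WRITE);
        grant(acl, ADMINS, BasePermission.ADMINISTRATION);
        grant(acl, ADMINS, BasePermission.WRITE);
        aclService.updateAcl(acl); // persists owner and ACE rows
    }

    /** Reassigning a room changes only ACL data; no controller code or role mapping is touched. */
    @Transactional
    public void reassignRoom(Long roomId, String newManagerUsername) {
        ObjectIdentity oid = new ObjectIdentityImpl(Room.class, roomId);
        MutableAcl acl = (MutableAcl) aclService.readAclById(oid); // NotFoundException if never registered
        Sid oldManager = acl.getOwner();
        List<AccessControlEntry> entries = acl.getEntries(); // a copy; delete from the end so indices stay valid
        for (int i = entries.size() - 1; i >= 0; i--) {
            if (entries.get(i).getSid().equals(oldManager)) {
                acl.deleteAce(i);
            }
        }
        Sid newManager = new PrincipalSid(newManagerUsername);
        acl.setOwner(newManager);
        grant(acl, newManager, BasePermission.READ);
        grant(acl, newManager, BasePermission.WRITE);
        aclService.updateAcl(acl);
    }

    private static void grant(MutableAcl acl, Sid sid, Permission permission) {
        acl.insertAce(acl.getEntries().size(), permission, sid, true); // append a granting ACE
    }
}

/** Hypothetical controller: no hasRole needed, the ACL alone decides who may write which room. */
class RoomController {
    /** hasPermission(Object, Object): the ACL is looked up from room.getId() and Room's class name. */
    @PreAuthorize("hasPermission(#room, 'WRITE')")
    public void updateRoom(Room room) { /* persist changes */ }

    /** Variant when only the id is in hand; the type string must equal the ACL_CLASS entry (the class name). */
    @PreAuthorize("hasPermission(#roomId, 'Room', 'WRITE')")
    public void renameRoom(Long roomId, String newName) { /* persist the new name */ }
}
```

Two practical checks before relying on this: `updateAcl` goes through `AclAuthorizationStrategyImpl`, which only lets the ACL owner, a holder of the authority it was configured with (typically the same `ROLE_ADMIN`), or a SID with ADMINISTRATION permission change owners and entries, so `registerRoom` must be invoked by an administrator; and `#room` / `#roomId` in `@PreAuthorize` require parameter names to be available to Spring at runtime (compile with debug information), otherwise the expression silently evaluates against `null` and every call is denied.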