Description
Christopher Smith (Migrated from SEC-2616) said:
I'm building an application where the domain security policy is built up from a number of independent rules (e.g., user A can give user B temporary permission to upload files to user A's account: hasPermission(owner, 'upload')), and it seems that these rules should be assembled in a Chain of Responsibility, similar to chaining logic present elsewhere in Spring Security. As I understand the architecture, the system expects exactly one PermissionEvaluator to be present, in contrast with the way that MessageConverters register for particular pairs of classes.
Would it be appropriate to add a PermissionEvaluatorChain implementation that ran through a series of permit/deny/pass rules to the main Spring Security distribution? If so, would directly adding support for building and configuring rule-based permission evaluators fit with the plans for upcoming versions (4.1 or so)?
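The chain described in the request above, as an added sketch that is not part of the original post and not Spring Security's own code. `PermissionEvaluator` and `Authentication` are the real Spring Security interfaces; `PermissionRule`, `Decision` and the class body are hypothetical, and the sketch assumes the first rule that returns a definite answer wins and that a chain with no answer denies.

```java
import java.io.Serializable;
import java.util.List;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

// Hypothetical sketch: PermissionRule and Decision are illustrative names,
// not Spring Security types.
public class PermissionEvaluatorChain implements PermissionEvaluator {

    public enum Decision { PERMIT, DENY, PASS }

    /** One independent rule; returns PASS when it has no opinion. */
    @FunctionalInterface
    public interface PermissionRule {
        Decision evaluate(Authentication auth, Object target, Object permission);
    }

    private final List<PermissionRule> rules;

    public PermissionEvaluatorChain(List<PermissionRule> rules) {
        this.rules = List.copyOf(rules); // immutable snapshot; order is significant
    }

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !auth.isAuthenticated()) {
            return false; // null or unauthenticated tokens never reach the rules
        }
        for (PermissionRule rule : rules) {
            Decision d = rule.evaluate(auth, target, permission);
            if (d == Decision.PERMIT) return true;
            if (d == Decision.DENY) return false;
            // PASS (or a null result) falls through to the next rule
        }
        return false; // no rule had an opinion: default deny
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        // This sketch has no loader for id-based targets, so it fails closed.
        return false;
    }
}
```

Because the first definite answer ends evaluation, rules that express explicit denials need to be registered ahead of broader permit rules, or a permit will shadow them.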