What I'm after is fairly simple (conceptually):
- A way to define user Access to objects
- A mechanism for filtering access based on various conditions (relationships to parent, etc)
I'm exploring a combination of the Hibernate Filter plugin and a custom filter to accomplish this and I'm making some progress (not quite working yet) but I wonder if there's a better approach. The Hibernate Filter approach seems great because we can define these condition-based filters at the domain-level and enable them at runtime via a custom filter. Does this seem like a good approach?
Looking forward to any guidance or thoughts.
Thanks.
Spring Security provides a filter chain and lots of facilities for maintaining users, user access, authorities, with plugins for OpenID, Facebook, LDAP....
I've wondered about this before and now I'm convinced that as far as security goes, it is always best to use a well-known implementation, not roll your own. Especially in the Java EE world where things are much more complicated than they should (but that's another story).
Spring Security provides a handy tutorial, extensive documentation, and even a Grails 2.0 screencast, so there is no reason you shouldn't check it out!