denying access for multiple users of same role in spring security

無奈伤痛 2021-01-24 06:57

I've run into such a situation: my application has several roles (administrator, moderator, user). Moderator and User can edit some forms. All permissions are ok. But when I'm l

1 answer
  • 2021-01-24 07:23

    It looks like you want to take into account the actual domain object in your security rule. A normal Spring Security setup with users and roles can add security rules like this: who (authenticated user with some role) may access some URL / method invocation. If you want to be able to use enhanced rules like this: who (authenticated user with some role) may access some URL / method invocation and which domain objects he can use, then you need to use the ACL feature.

    EDIT. But if you need just one security rule like this, then setting up ACL may be overkill. You can try to enhance your actual Spring Security setup with a custom web security expression:

    <intercept-url pattern="/moderator/**" access="hasRole('moderatorViewPermission') and userIsAuthor()" />
    

    Where your userIsAuthor() method will:

    • extract the id of the object from the URL (I suppose something like /moderator/item/56)
    • check if the current user is the author of the item with id = 56.
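An added example (not code from the answer above) of one way to implement that custom expression for XML-configured Spring Security: a WebSecurityExpressionRoot subclass that exposes userIsAuthor(), plus the handler that creates it. ItemAuthorLookup and the exact path shape /moderator/item/{id} are assumptions; the check fails closed when the URL carries no id, the item does not exist, or the user is not authenticated.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.springframework.security.access.expression.SecurityExpressionOperations;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.access.expression.WebSecurityExpressionRoot;

/** Expression root that adds userIsAuthor() next to the built-in hasRole() etc. */
public class AuthorExpressionRoot extends WebSecurityExpressionRoot {
    // Only this exact URL shape is accepted (assumed layout); anything else is denied.
    private static final Pattern ITEM_PATH = Pattern.compile("^/moderator/item/(\\d{1,18})(?:/.*)?$");
    private final ItemAuthorLookup lookup;   // hypothetical lookup, back it with your item table
    private final String path;

    public AuthorExpressionRoot(Authentication auth, FilterInvocation fi, ItemAuthorLookup lookup) {
        super(auth, fi);
        this.lookup = lookup;
        String url = fi.getRequestUrl();      // servlet path + path info + query string
        int q = url.indexOf('?');
        this.path = q < 0 ? url : url.substring(0, q);
    }

    /** true only if the id in the URL names an item whose author is the current user. */
    public boolean userIsAuthor() {
        Matcher m = ITEM_PATH.matcher(path);
        if (!m.matches()) return false;                       // no id in the URL: deny
        Authentication auth = getAuthentication();
        if (auth == null || !auth.isAuthenticated()) return false;
        String author = lookup.findAuthorUsername(Long.parseLong(m.group(1)));
        return author != null && author.equals(auth.getName()); // unknown item: deny
    }

    /** Minimal lookup contract (hypothetical); returns null when the item does not exist. */
    public interface ItemAuthorLookup {
        String findAuthorUsername(long itemId);
    }
}

/** Handler that hands out AuthorExpressionRoot instead of the default root. */
class AuthorExpressionHandler extends DefaultWebSecurityExpressionHandler {
    private final AuthorExpressionRoot.ItemAuthorLookup lookup;
    AuthorExpressionHandler(AuthorExpressionRoot.ItemAuthorLookup lookup) { this.lookup = lookup; }

    @Override
    protected SecurityExpressionOperations createSecurityExpressionRoot(Authentication auth, FilterInvocation fi) {
        AuthorExpressionRoot root = new AuthorExpressionRoot(auth, fi, lookup);
        root.setPermissionEvaluator(getPermissionEvaluator());
        root.setRoleHierarchy(getRoleHierarchy());
        root.setTrustResolver(new AuthenticationTrustResolverImpl());
        return root;
    }
}
```

Register the handler inside `<http>` with `<expression-handler ref="..."/>` pointing at a bean of AuthorExpressionHandler. Because this guard only covers URLs matching the pattern, the same ownership check belongs in the service method that actually edits the item.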