openutils-hibernate-security - A Role Based Access Control library

This project proposes a Role Based approach to security, trying to stay as transparent as possible to application developers.

A common case is when different users can access the same set of domain business objects and a policy to enforce access security is needed. For example, given a DummyDataObject with two properties, intValue and stringValue, you want UserA to access the DummyDataObject when intValue is 1 and UserB when intValue is 2.

Using the RBAC grammar, the user (or the entity who does something) is called a subject, and a subject is tied to many roles. Within openutils, 1 user is contained in N groups and a group can have M roles, so users are related to roles through groups. For our example let's map UserA to Role1 and UserB to Role2 (through 2 different groups, GroupA and GroupB, but groups are not important now).

The core of openutils-hibernate-security is the SecurityRule. A SecurityRule defines which role can load/modify/create/delete which object (so who can do what on something). To enforce our example policy we add 2 SecurityRules, using the following notation:

Role - Bean - Property - Value - Modifier (EQUALS, NOT) - Permission (LOAD, CREATE, DELETE, MODIFY)

So:

SecurityRule 1: Role1 - DummyDataObject - intValue - 1 - EQUALS - LOAD

SecurityRule 2: Role2 - DummyDataObject - intValue - 2 - EQUALS - LOAD

With the given scheme, users with Role1 and Role2 can access, read-only, the DummyDataObject instances whose intValue equals 1 and 2 respectively. If you want Role2 to access the DummyDataObjects in read-write mode, SecurityRule 2 becomes:

Role2 - DummyDataObject - intValue - 2 - EQUALS - LOAD, MODIFY

In this case, users with Role2 still cannot create or delete DummyDataObjects whose intValue is 2, but they can load and modify them.

Now some more complex rule scenarios: AND and OR. Suppose users in Role1 may only load DummyDataObjects when intValue is 1 and stringValue is 'ABC'. This needs two SecurityRules on the same role:

Role1 - DummyDataObject - intValue - 1 - EQUALS - LOAD

Role1 - DummyDataObject - stringValue - 'ABC' - EQUALS - LOAD

Rules on the same role are combined with AND. To express an OR, put the two conditions on different roles:

Role1 - DummyDataObject - intValue - 1 - EQUALS - LOAD

Role2 - DummyDataObject - stringValue - 'ABC' - EQUALS - LOAD

and assign users both Role1 and Role2.
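To make the rule semantics concrete, here is an added Python model of the evaluation described above (the basic rules, the AND scenario and the OR scenario). It is illustration code, not the library's own API, and it assumes that rules on the same role are ANDed, that any one of the subject's roles granting access is enough, and that anything no rule grants is denied.

```python
from dataclasses import dataclass
from typing import Any, Iterable

LOAD, CREATE, DELETE, MODIFY = "LOAD", "CREATE", "DELETE", "MODIFY"
EQUALS, NOT = "EQUALS", "NOT"

@dataclass(frozen=True)
class SecurityRule:
    """Role - Bean - Property - Value - Modifier - Permissions, as in the notation above."""
    role: str
    bean: str
    prop: str
    value: Any
    modifier: str = EQUALS
    permissions: frozenset = frozenset({LOAD})

    def matches(self, obj: Any) -> bool:
        actual = getattr(obj, self.prop)
        return actual == self.value if self.modifier == EQUALS else actual != self.value

def is_allowed(rules: Iterable[SecurityRule], subject_roles: Iterable[str],
               obj: Any, permission: str) -> bool:
    """Default deny (assumed). Within one role, every rule on the bean granting the
    permission must match (AND); any one of the subject's roles granting it suffices (OR)."""
    bean = type(obj).__name__
    for role in subject_roles:
        role_rules = [r for r in rules
                      if r.role == role and r.bean == bean and permission in r.permissions]
        if role_rules and all(r.matches(obj) for r in role_rules):
            return True
    return False

@dataclass
class DummyDataObject:
    intValue: int
    stringValue: str

# Constructed rule sets mirroring the three scenarios above (not library data).
BASIC = [SecurityRule("Role1", "DummyDataObject", "intValue", 1),
         SecurityRule("Role2", "DummyDataObject", "intValue", 2,
                      permissions=frozenset({LOAD, MODIFY}))]
AND_RULES = [SecurityRule("Role1", "DummyDataObject", "intValue", 1),
             SecurityRule("Role1", "DummyDataObject", "stringValue", "ABC")]
OR_RULES = [SecurityRule("Role1", "DummyDataObject", "intValue", 1),
            SecurityRule("Role2", "DummyDataObject", "stringValue", "ABC")]
```

Calling is_allowed(OR_RULES, ["Role1", "Role2"], DummyDataObject(5, "ABC"), LOAD) returns True because Role2's rule matches, while the same object with only Role1 is denied.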