Grails + Securing Application


I'm working on a legacy Grails application.

I have a couple of tables like this:

User (id, name, enterprise_id)

Enterprise (id, name)

Asset (id, description, enterprise_id)

I want to validate that when a certain user wants to access an asset, it has the right enterprise_id (i.e That the user belongs to the same enterprise as the asset).

For example, consider:

John, a user from Microsoft, and Charles, a user from Oracle: only Charles should be able to access the Java Virtual Machine.

Enterprise
id  name
-----------
1   Oracle
2   Microsoft

Asset
id  description  enterprise_id
------------------------------
1   Java VM      1
2   .NET         2

User
id  name     enterprise_id
--------------------------
1   John     2
2   Charles  1

I've been reading on Spring Security, but it doesn't look like it can help me. All I see is user authentication, passwords, roles, etc. (of course, I could be wrong). These things are already secured and working OK. For the moment I'm considering filters, but I can't make them work, and rolling my own security (see this question) doesn't seem right.

What should I do: is Spring Security the way to go? Or Shiro?


Solution

  • You could implement this with spring-security-acl (which depends on spring-security-core).

    Otherwise you could implement a 2-phase approach (Authentication + Authorization) with a set of object-level authorization filters.
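As an added example (not from the question or the answer), here is what the "object-level authorization filter" phase of the answer's second option looks like as a Grails 2.x filter. It assumes the spring-security-core plugin (for `springSecurityService.currentUser`), domain classes `User`, `Enterprise` and `Asset` mirroring the tables in the question (with `enterprise` belongsTo associations mapped to `enterprise_id`), and an `AssetController` whose per-asset actions receive the asset id in `params.id`; all of those names are assumptions.

```groovy
// grails-app/conf/AssetAccessFilters.groovy  (added example, Grails 2.x filter style)
// Assumes: spring-security-core plugin, domain classes User/Enterprise/Asset as in the
// question, and an AssetController whose show/edit/update/delete actions use params.id.
class AssetAccessFilters {

    def springSecurityService

    def filters = {
        // Phase 2 (authorization). Phase 1 (authentication) is already handled by the
        // plugin's own filter chain, so by the time this runs currentUser is populated
        // for any authenticated request.
        assetBelongsToCallersEnterprise(controller: 'asset', action: '*') {
            before = {
                def user = springSecurityService.currentUser
                if (!user) {
                    response.sendError(401)
                    return false          // returning false halts the filter chain
                }

                // list/create carry no asset id; there is no object to check yet.
                Long assetId = params.long('id')
                if (!assetId) return true

                def asset = Asset.get(assetId)
                if (!asset) {
                    response.sendError(404)
                    return false
                }

                // Compare identifiers rather than domain instances: the same Enterprise
                // row may be represented by different objects in different sessions.
                if (asset.enterprise?.id != user.enterprise?.id) {
                    // 403 reveals that the asset exists; answer 404 here instead if
                    // cross-enterprise callers should not learn that.
                    response.sendError(403)
                    return false
                }
                return true
            }
        }
    }
}
```

The check must also be applied anywhere an asset is reached other than by id in the URL (search results, exports, related objects), otherwise the URL-level filter is easily bypassed; that is the gap spring-security-acl closes by attaching permissions to the domain objects themselves.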