Details
Description
As per request .....
============== On Thu, May 31, 2012 at 3:07 PM, ftringali wrote:
Hi everybody,
I spent a day trying to set up the REST security configuration (rest.properties)
in a way that allows a ROLE_X free access to workspace "abc" while locking down
the others.
Imho, securing the service by Ant patterns without an "ordered" list of
rules is too difficult.
I didn't find a way to satisfy my requirement in such a situation, so I made
some small changes to the trunk code (I'll send the diff and .java files if
necessary): TreeSet -> LinkedHashSet and so on.
Now, via rest.properties I could take advantage of all capabilities of
Spring Security....
/rest;GET=ROLE_ADMINISTRATOR,ROLE_X
/rest/workspaces*;GET=ROLE_ADMINISTRATOR,ROLE_X
/rest/workspaces/abc*;GET,POST,PUT,DELETE=ROLE_ADMINISTRATOR,ROLE_X
/rest/workspaces/abc/**;GET,POST,PUT,DELETE=ROLE_ADMINISTRATOR,ROLE_X
/**;GET,POST,DELETE,PUT=ROLE_ADMINISTRATOR
Before, rules were returned in "natural ordering" and the last one (/**) was
always read as the first matching rule, allowing only rules like the following
(note that the GET method is not in the last line):
/rest/workspaces/topp*;GET=ROLE_ADMINISTRATOR
/rest/workspaces/topp/**;GET=ROLE_ADMINISTRATOR
/**;POST,DELETE,PUT=ROLE_ADMINISTRATOR
Please let me know your opinions
============== On 2012/5/31 Andrea Aime wrote:
The approach suggested seems to work.
In general I don't like rule systems that work based on rule order
(a-la iptables)
when it's also possible to apply a specificity approach, which does not require ordering: it's the CSS approach, where the most specific rule applies regardless of the order.
That said, I don't know if it's possible to bend Spring to use a CSS-like approach, and how much effort it would be.
It would be nice if you could provide a patch and attach it to a ticket in jira.
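The ordering problem described in ftringali's message, as an added model written for this ticket (not GeoServer's or Spring Security's code): first-match-wins evaluation of the quoted rest.properties rules in declared order versus the old natural (sorted) order, where "/**" sorts before every "/rest/..." pattern. The Ant-pattern matcher is a simplified stand-in assumed for this example.

```python
import re

# Constructed copy of the rest.properties rules quoted above (path;METHODS=ROLES), in declared order.
ORDERED_RULES = """
/rest;GET=ROLE_ADMINISTRATOR,ROLE_X
/rest/workspaces*;GET=ROLE_ADMINISTRATOR,ROLE_X
/rest/workspaces/abc*;GET,POST,PUT,DELETE=ROLE_ADMINISTRATOR,ROLE_X
/rest/workspaces/abc/**;GET,POST,PUT,DELETE=ROLE_ADMINISTRATOR,ROLE_X
/**;GET,POST,DELETE,PUT=ROLE_ADMINISTRATOR
"""

def parse_rules(text):
    """Parse rules into (pattern, methods, roles) tuples, preserving declaration order."""
    rules = []
    for line in text.strip().splitlines():
        pattern, rhs = line.split(";", 1)
        methods, roles = rhs.split("=", 1)
        rules.append((pattern.strip(),
                      {m.strip() for m in methods.split(",")},
                      {r.strip() for r in roles.split(",")}))
    return rules

def ant_to_regex(pattern):
    """Minimal Ant-style matcher (assumed for this example): '**' spans segments, '*' stays inside one."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def natural_order(rules):
    """Model the old TreeSet behaviour: patterns sorted lexicographically, so '/**'
    ('*' sorts before letters) comes first and is the first match for every request."""
    return sorted(rules, key=lambda rule: rule[0])

def allowed(rules, path, method, role):
    """First-match-wins evaluation: the first rule covering path and method decides."""
    for pattern, methods, roles in rules:
        if method in methods and ant_to_regex(pattern).match(path):
            return role in roles
    return False  # no rule covers the request: deny

if __name__ == "__main__":
    declared = parse_rules(ORDERED_RULES)
    print("declared order:", allowed(declared, "/rest/workspaces/abc/datastores", "GET", "ROLE_X"))
    print("natural order: ", allowed(natural_order(declared), "/rest/workspaces/abc/datastores", "GET", "ROLE_X"))
```

In declared order ROLE_X reaches workspace "abc" and nothing else; in natural order the "/**" rule wins first and ROLE_X is shut out of everything, which is the behaviour the change to LinkedHashSet removes.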
Issue Links
- is related to GEOS-3791: Allow REST security rules to be able to handle "secure everything EXCEPT X"
Here is a modified patch (with a test) for this one. Had to extend more of the Properties class in order to make LinkedProperties work in other non-REST cases as well.
@Andrea, it would be good to get a sanity check on this one.