This how-to is aimed at Rave committers/contributors who have created a completely new model object in Rave and want to implement permission security on it. For third-party developers who are customizing Rave and are interested in overriding the default ModelPermissionEvaluator for an existing Rave model, see this

1) Create a new Default[ModelName]PermissionEvaluator class in org.apache.rave.portal.security.impl under rave-core.

(a) it should extend the AbstractModelPermissionEvaluator<[ModelName]>

(b) view the DefaultPagePermissionEvaluator class in the same package for an example to follow

(c) override the getType() and both hasPermission() signatures. Follow the same trustedDomainObject pattern, looking up the entity from the repository if the object passed in is not guaranteed to be trusted.

(d) make sure the class is marked @Component so it is picked up by Spring's component scanner. This will ensure it gets added to the RavePermissionEvaluator class on startup.

2) Annotate the appropriate Service layer interface methods in org.apache.rave.portal.service with the permission security expression language functions. You can use PageService as a good example of using both PreAuthorize and PostAuthorize, and also for situations where you need to use a RaveSecurityContext object to check permissions against an object that is different from the one being returned in the function. Note that the annotations should not contain any security-specific business logic. The business logic should be implemented in the ModelPermissionEvaluator implementations so that it can be overridden by third parties.
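The trustedDomainObject pattern from step 1(c), as an added sketch that is not Rave's own code: Widget, WidgetRepository, Permission and the evaluator class are simplified stand-ins (assumptions), and usernames are plain strings. A real evaluator would extend AbstractModelPermissionEvaluator and be marked @Component as described in step 1. It needs Java 16 or later for records.

```java
import java.util.Map;

// Self-contained sketch: every type here is a hypothetical stand-in, not a Rave class.
// It shows why ownership is checked on the repository's copy of the entity.
public class TrustedDomainObjectDemo {
    enum Permission { READ, UPDATE }
    record Widget(long id, String ownerName) {}
    interface WidgetRepository { Widget get(long id); }

    static class WidgetPermissionEvaluator {
        private final WidgetRepository repository;
        WidgetPermissionEvaluator(WidgetRepository repository) { this.repository = repository; }

        // Object-based check: the object may have been built from request data, so it is untrusted.
        boolean hasPermission(String username, Widget widget, Permission p) {
            return hasPermission(username, widget, p, false);
        }

        // Id-based check: the entity is loaded from the repository here, so it is trusted.
        boolean hasPermission(String username, long widgetId, Permission p) {
            Widget stored = repository.get(widgetId);
            return stored != null && hasPermission(username, stored, p, true);
        }

        private boolean hasPermission(String username, Widget widget, Permission p, boolean trustedDomainObject) {
            // Untrusted objects contribute only their id; the owner comes from the repository.
            Widget trusted = trustedDomainObject ? widget : repository.get(widget.id());
            if (trusted == null) return false;
            switch (p) {
                case READ:
                case UPDATE:
                    return trusted.ownerName().equals(username);
                default:
                    return false; // deny anything not explicitly handled
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: widget 1 is owned by alice.
        Map<Long, Widget> db = Map.of(1L, new Widget(1L, "alice"));
        WidgetPermissionEvaluator evaluator = new WidgetPermissionEvaluator(id -> db.get(id));
        // A caller-supplied object for the same id whose owner field disagrees with the repository.
        Widget supplied = new Widget(1L, "mallory");
        System.out.println(evaluator.hasPermission("mallory", supplied, Permission.UPDATE));
        System.out.println(evaluator.hasPermission("alice", supplied, Permission.UPDATE));
        System.out.println(evaluator.hasPermission("alice", 1L, Permission.READ));
    }
}
```

Because the owner is always read from the repository, the first call is denied even though the supplied object names the caller as owner, while the other two calls are granted.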

Click here for more information on the Spring EL-based security functions.