I want to give the customer a ui interface so that they can make their own administration policy (i.e. They can change the right of a user, allow or disallow him to do sth). But how can I change the settings at runtime if they are predefined in xml.

Thanks,
Peng

All attributes you'd probably want to define at runtime come from interfaces (eg ObjectDefinitionSource). So you can provide a concrete implementation that uses any backend you like (XML, memory, JDBC etc). Just use <ref bean="myBean"/> instead of Strings in XML which are processed by the PropertyEditors.

If you run into difficulty, post back to the forum which bean and property you're trying to modify at runtime, and I'll be pleased take a look.

All attributes you'd probably want to define at runtime come from interfaces (eg ObjectDefinitionSource). So you can provide a concrete implementation that uses any backend you like (XML, memory, JDBC etc). Just use <ref bean="myBean"/> instead of Strings in XML which are processed by the PropertyEditors.

If you run into difficulty, post back to the forum which bean and property you're trying to modify at runtime, and I'll be pleased take a look.
Thanks, maybe I didn't state the question clearly. I mean if I make the following rule as the contact sample shows, how can I change authority of a role at runtime, e.g. ROLE_TELLER can execute method sample.contact.ContactManager.getById, but customer want to disallow him to do that by click a button on our web page

<bean id="publicContactManagerSecurity" class="net.sf.acegisecurity.intercept.method.MethodSecuri tyInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref bean="businessAccessDecisionManager"/></property>
<property name="runAsManager"><ref bean="runAsManager"/></property>
<property name="objectDefinitionSource">
<value>
sample.contact.ContactManager.delete=ROLE_SUPERVIS OR,RUN_AS_SERVER
sample.contact.ContactManager.getAllByOwner=CONTAC T_OWNED_BY_CURRENT_USER,RUN_AS_SERVER
sample.contact.ContactManager.save=CONTACT_OWNED_B Y_CURRENT_USER,RUN_AS_SERVER
sample.contact.ContactManager.getById=ROLE_TELLER, RUN_AS_SERVER
</value>
</property>
</bean>

As I said in my orignal post, instead of defining the MethodSecurityInterceptor.ObjectDefinitionSource property via Spring XML, you'd have a <ref bean="myObjectDefinitionSource"/>. This is the same as the included "attributes sample" applicationContext.xml, which uses <ref bean> for referring to the MethodDefinitionAttributes bean.

Your MyObjectDefinitionSource would implement MethodDefinitionSource. This interface provides the necessary getters for the MethodSecurityInterceptor to determine the configuration attributes that apply to a give method signature.

Your MyObjectDefinitionSource would probably front a database which stores the method name pattern against the allowed GrantedAuthoritys.

Hope this helps.