Child pages
  • Using the SecurityService
Skip to end of metadata
Go to start of metadata


This explains basic usage of the Sakai SecurityService. This service is used to register new Authz (permission) groups.

Accessing the SecurityService

  • You can use Spring Framework to inject the service or use the cover
  1. Using Spring to get the service for your class (e.g. YourAppClass) (recommended)
    1. Add the SecurityService bean to the bean for YourAppClass
      <bean id="org.sakaiproject.yourapp.logic.YourAppClass"
      	<property name="securityService"
      		ref="org.sakaiproject.authz.api.SecurityService" />
    2. Add a variable and setter to YourAppClass to use the service in like so:
      private SecurityService securityService;
      public void setSecurityService(SecurityService securityService) {
      	this.securityService = securityService;
  2. Using the Component Manager to get the service
    • Note: This is not the recommended method, you should be using Spring to inject the service
    1. Use the CM cover to get the service
      import org.sakaiproject.component.cover.ComponentManager;
      import org.sakaiproject.authz.api.SecurityService;
        private SecurityService securityService;
          securityService = (SecurityService) ComponentManager.get(SecurityService.class);

Checking a user's permission (checking if a user has a certain permission) in a site

  • Note: The reference could be a reference to any entity also
  1. Use the SiteService to get a site reference
  2. Use the SecurityService to check the permission (unlock) for the userId and reference
    String siteRef = siteService.siteReference(siteId); // (1)
    if (securityService.unlock(userId, "tool.permission", siteRef)) { // (2)
    	// do something since this user has permission
    • Note: If you are using less than Sakai 2.2.x/2.3 then you have to get a User object with the UserDirectoryService instead of using a userId string

Checking if a user has global super admin permissions

  1. Use the SecurityService to check if the user is a super admin
    if (securityService.isSuperUser(userId)) {
    	// do something since this user has super admin permission
    • Note: There is also a method that checks for the current User but this method calls the UserDirectoryService so it is slower
  • No labels


  1. Advice, it helps to really read these docs! They are great! But too bad they don't pop up in the javadocs when using Eclipse, because while passing around Strings is flexible and all, using a String for a siteId and using a String for a siteRef confuses new programmers like me. While the SecurityService javadoc tag does say "The resource reference string", I figured heck, I've got the unique id for the site, what else could it be talking about.

    So, if you want to use the security service, really do get a siteRef first.

    Finally, I wish that the security service would die a horrible death, rather than just spitting out a warning that is not helpful to someone with nearly zero knowledge of the code:

    Feb 7, 2008 2:25:19 PM org.sakaiproject.authz.impl.DbAuthzGroupService$DbStorage isAllowed
    WARNING: isAllowed(): called with no realms: lock: site.upd user: 11c3002b-1033-4243-802b-69838d5abf3e

  2. The first link is not working:

    Trunk javadocs:


    Anybody know where is now so they or I can update it?