# ktor
p
Hi! Hopefully someone among you has already faced ACL on Ktor; unfortunately I wasn't able to find ACL/role control in Ktor out of the box. Any recommendations/tricks for ACL? 😄 Thx in advance 😉 PS: I found this old ticket on #ktor-github (https://github.com/ktorio/ktor/issues/807), but maybe some better way already exists..
h
Just use authenticate and principals. Depending on the number of roles, you could create a lambda parameter for each role.
p
Mhm... I will take a look, but I don't think it will be totally enough. First of all, the roles are generic and I don't predefine them on my side, and the count of them is not even tens but hundreds... I'm using authenticate and principals for predefined and static things such as JWT / Basic Auth.
h
Do you really have 100+ possible actions for (each)/1 endpoint?
p
No, I think we are misunderstanding each other. Actions = CRUD. Roles = can easily be hundreds. From your response I got that the solution will be more in the static way: to create the auth principal for each role? Am I right?
h
Personally, I don't see a reason to put this specific logic into Ktor. Ktor provides the option to create routes statically, optionally with an authentication, and executes your provided action. You could create your own route for each rule (possibly without overriding each), but I would ask again for the use cases. At the end, supporting/handling hundreds of different roles sounds hard. I guess mostly the action is the same for 99% of the roles, so you could reduce them. If you need to check all roles, I would use the principal and do your actions/validation etc. in your controllers. But maybe I don't get it.
t
Sorry for the topic resurrection, just my two cents. Roles are a common - and hard - topic in all enterprise applications. If you check Nexus for example, there are thousands of roles, because they need fine tuning of resource access. Roles (when used as ACL) may be used as per-resource access, hence the large number. Actually, right now, I'm trying to figure out how to serve static resources with an ACL and boy, it is hard. I think I will simply cut-and-paste Ktor source code, as most of the stuff is private and there is no extension mechanism (AFAIK). Please note that authentication and authorisation are two very different topics. Ktor provides good features for authentication but nothing for authorisation. We ended up writing our own role/permission system, and put the actual Ktor routing behind a common logic that provides proper authorisation services.