Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Could someone explain Spring Security BasePermission.Create?

Tags:

java

security

spring

spring-security

I am working on a project that involves Spring Security ACL and I came across the create permission BasePermission.CREATE. Would someone please explain how this is supposed to work or what it allows someone to do?

It is my understanding that each object has an acl, and each acl has many ace's, and each ace has an sid and a permission. How can you grant permission on an object to create it, if it must be created in order to attach the acl to it?

like image 631
Matthew Sowders Avatar asked Apr 29 '10 00:04

Matthew Sowders

Video Answer

1 Answers

Spring security grants permissions on domain objects indirectly via the ObjectIdentity interface.

As you mention, by far the usual case is that you create or obtain the domain object first, and then construct a ObjectIdentityImpl for the domain object:

MyDomainObject secured = new MyDomainObject();
ObjectIdentity securedIdentity = new ObjectIdentityImpl(secured);

You then use the ObjectIdentity instance to retrieve the ACL using the spring security framework.

However, this is not the only way to use object identity. You can pass a reference to objectIdentity that is not the actual business object, but has some means of identifying it, if it were created.

For example, imagine we wanted to secure files. We could create ObjectItentity with a java.io.File instance that is being secured. The File object that is in the identity is only a reference to the file - it no the actual file - the file may not even exist, yet we have an ObjectIdentity that we can then reason about security and fetch ACLs for.

This pattern can be applied to any kind of domain object. Create an DomainObjectPrototype implementation that describes the domain object in terms of the domain features needed to secure it, but doesn't actually need a reference to the domain object. YOu can think of this as the details needed for some service to actually create that domain object.

PS: let me confess that I've never used spring security, but the design pattern seems pretty clear to me after looking at an example.

EDIT: I've updated this to hopefully make it clearer - it's not necessary to create implementations of ObjectIdentity as I originaly wrote.

like image 53
mdma Avatar answered Nov 14 '22 23:11

mdma
Sign in to Comment

Related questions

Why InputStream and OutputStream implement Closeable and Socket doesn't?
Is it possible to bulk delete from a many-many association with HQL?
another java.lang.ClassNotFoundException in ant's junit task
Does Terracotta make JMS an unneeded layer?
Call Scala code from Java?
ORA-01000: maximum open cursors exceededwhen using Spring SimpleJDBCCall
Java .properties files as strongly typed classes
Java: How to prevent 'systemId' in EntityResolver#resolveEntity(String publicId, String systemId) from being absolutized to current working directory
remote debugging a jnlp application with eclipse
Android SMS API
Impact Analysis using Eclipse for Java application with framework code
JavaCompiler from JDK 1.6: how to write class bytes directly to byte[] array?
Dynamic instance creation without generics
Updating Swing component from another thread with invokeLater or SwingWorker
Introductory Computer Science assignments [closed]
How would you design a twitter like message system, how to design the messaging system? [closed]
Where to get com.sun.j3d classes
How to refresh external Jars in Eclipse project (Java)?
Java Applet not caching
Covariance and Contravariance inference in C# 4.0

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!