
Group and acl on Spring Security

I want to use Spring Security to manage users, groups and permissions.

I want to use ACL to secure my domain objects, but I can't find a way to assign a group to an ACL.

For example: I've got users and groups. Each group can have the following securities:
- manage forums (can be a role like ROLE_FORUM_MANAGER)
- edit a specific forum (ACL on the specific forum).

Moreover, groups are defined by users who have the role ROLE_PERMISSION_MANAGER, BUT all groups defined by such a user can only be edited and managed by that user. So groups are attached to a user. More precisely, imagine that a user creates a Google group: this user can manage permission groups only for the group he has created. And so he can create a group to manage a specific forum of his own Google group.

How can I do it?

I have read the Spring Security docs and the following tutorials (so please don't send me to these links):
http://grzegorzborkowski.blogspot.com/2008/10/spring-security-acl-very-basic-tutorial.html
http://blog.denksoft.com/?page_id=20

Jerome Cance asked Dec 17 '09 10:12


1 Answer

Check Spring Security 3.0; you might be able to avoid using ACL at all by using the Spring Expression Language.

For instance, for editing a forum, you would have a method secured like this:

@PreAuthorize("hasRole('ROLE_FORUM_MANAGER') and hasPermission(#forum,'update')")
public void updateForum(Forum forum) {
    //some implementation
}

You would then implement the hasPermission method in a custom permission evaluator, like:

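import java.io.Serializable;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

public class ForumPermissionEvaluator implements PermissionEvaluator {

    // Called for expressions of the form hasPermission(#forum, 'update')
    public boolean hasPermission(Authentication authentication,
            Object domainObject, Object permission) {
        // implement; deny until a real check is in place
        return false;
    }

    // Called for expressions of the form hasPermission(#id, 'Forum', 'update')
    public boolean hasPermission(Authentication authentication,
            Serializable targetId, String targetType, Object permission) {
        // implement; deny until a real check is in place
        return false;
    }
}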

Finally, wire it up together in the application config:

<beans:bean id="expressionHandler"
    class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
  <beans:property name="permissionEvaluator" ref="permissionEvaluator"/>
</beans:bean>

<beans:bean id="permissionEvaluator"
    class="x.y.z.ForumPermissionEvaluator" />
Michal Bachman answered Sep 22 '22 01:09
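An added example, not part of the original answer: one way to fill in the two hasPermission methods for the group model described in the question. The GroupStore lookup, the Forum interface and the strings 'Group', 'Forum' and 'manage' are assumptions made for illustration.

```java
import java.io.Serializable;
import java.util.Collections;
import java.util.Set;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

/** Hypothetical lookup backed by the application's own user/group tables; sets are never null. */
interface GroupStore {
    Set<Long> groupIdsOf(String username);                        // groups the user is a member of
    Set<Long> groupIdsGranted(Serializable forumId, String perm); // groups granted perm on that forum
    String ownerOf(Serializable groupId);                         // user who created the group, or null
}

/** Hypothetical domain object; only its id is needed here. */
interface Forum { Long getId(); }

public class GroupPermissionEvaluator implements PermissionEvaluator {
    private final GroupStore store;

    public GroupPermissionEvaluator(GroupStore store) {
        this.store = store;
    }

    @Override
    public boolean hasPermission(Authentication auth, Object domainObject, Object permission) {
        // Only Forum objects are understood; anything else is denied.
        return domainObject instanceof Forum
                && hasPermission(auth, ((Forum) domainObject).getId(), "Forum", permission);
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (auth == null || !auth.isAuthenticated() || targetId == null
                || !(permission instanceof String)) {
            return false; // deny by default on missing or malformed input
        }
        if ("Group".equals(targetType)) {
            // A group may be managed only by the user who created it.
            return "manage".equals(permission) && auth.getName().equals(store.ownerOf(targetId));
        }
        if ("Forum".equals(targetType)) {
            // Allowed when any of the caller's groups holds the permission on this forum.
            Set<Long> granted = store.groupIdsGranted(targetId, (String) permission);
            return !Collections.disjoint(granted, store.groupIdsOf(auth.getName()));
        }
        return false; // unknown target type
    }
}
```

With this evaluator, `hasPermission(#forum,'update')` from the answer resolves through the first method, and an expression such as `hasPermission(#groupId,'Group','manage')` through the second. The evaluator only takes effect once the `expressionHandler` bean is registered for method security, for example with `<expression-handler ref="expressionHandler"/>` inside `<global-method-security pre-post-annotations="enabled">`.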