Menu
I'm designing a system that has a lot of requirements around user management/permissions, so I decided to use Spring Security ACL to manage the permissions at the Domain Objects level.
Although, using ACLs to maintain the relations between Users and Entities force us to rely on that to present the data on the UI.
The PostFilter solution that is provided by Spring Security does a good job filtering the objects that a User can/cannot see but it has a big performance issue when we're dealing with an entity that has hundreds/thousands of entries, because we need to load everything from the database and then discard the objects that user isn't allowed to "see".
That problem is described here - SEC-2409 - but it'll take some time until the feature is available. So, I'm trying to find a workaround to use Spring Security ACL but avoid the performance issue.
I thought about implementing some code to retrieve the Objects that a User can access (after the authentication process) and keep that information available to be used on every request to allow the developers to use that info to perform the queries and not relying on the PostFilter.
In order to implement that, I'm trying to find a way to retrieve the list of permissions for a given principal/granted authority but I'm not able to find a way to do that with the available AclService implementations.
Example: aclService.getObjectIdentityList(<sid>,<acl_class>)
Note: The method should use the inheritance structure and include all the ObjectIdentities that are inherited from a parent entry
Any suggestion to get the data or another approach to solve this problem?
UPDATE
I already found a way to retrieve the List of objects that a User can access.
List<ObjectIdentity> childObjects = aclService.findChildren(objectIdentity);
Map<ObjectIdentity, Acl> result = aclService.readAclsById(childObjects, sids);
And this approach work for us, because we just have a few entities which the access is controlled by ACLs, so we can construct the list of ObjectsIdentities that a User has access.
Although, the Map that is being return, is returning all the ACLs for the ObjectIdentities that are being passed and then I need to check the if the user has access to each ObjectIdentity that is being returned.
Do you have an easy way to do this or to simplify all of this logic?
926
There are two types of ACLs: Filesystem ACLs━filter access to files and/or directories. Filesystem ACLs tell operating systems which users can access the system, and what privileges the users are allowed. Networking ACLs━filter access to the network.
With ACLs you can grant either read-only access, or read-write access on a directory or file to specific users.
An access control list (ACL) is a list of rules that specifies which users or systems are granted or denied access to a particular object or system resource. Access control lists are also installed in routers or switches, where they act as filters, managing which traffic can access the network.
ACLs or Access Control Lists are the process by which ServiceNow provides granular security for its data and can be applied to individual records, as well as fields within those records.
The current approach to handling larger data sets is to update your query to include the currently logged in user within your query. For example, you can use Spring Security and Spring Data integration to update your query to refer to the current user:
@Query("select d from MyDomain d where d.owner = #{principal.name}")
Obviously this is not ideal because you need to manage the permissions manually. Once we resolve SEC-2409 Spring can do a lot of the heavy lifting for you automatically.
142
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
