I faced a strange and unexpected situation with Spring Security ACL when I tried to create an ACL using MutableAclService.createAcl(ObjectIdentity objectIdentity).
The matter is that ObjectIdentity uses the Serializable type for identifiers.
At the same time, my domains use the String type for this purpose. Ids are generated in this way:
    String id = UUID.randomUUID().toString();
And then I try to add an ACL using the following structure:
    ObjectIdentity identity = new ObjectIdentityImpl(clazz, id);
    aclService.createAcl(identity);
After that I get the following exception:
    java.lang.NumberFormatException: For input string: "ad169805-a2d1-4324-ba11-c98cc679e594"
I found that Spring Security ACL uses the Long type for identifiers.
So, the questions are:
Serializable is mentioned everywhere, but in fact it must be long?
P.S. And the SQL data types for identifiers are also numbers - bigserial.
It's been over three years, but I will leave this for anyone still struggling with this one:
As of 2017-2018 (especially from this commit https://github.com/spring-projects/spring-security/commit/6decf1c8ef8e31b0d9de9a2f2b364ce682d8b166#diff-bdb889847e56650fc7c52f9de584ba22 onward), Spring Security ACL started implementing classes to solve this problem.
I am currently using Spring Security ACL 5.2.2.RELEASE, which narrows down the solution of this problem to 2 simple configuration modifications:
    @Bean
    public LookupStrategy lookupStrategy() {
        BasicLookupStrategy basicLookupStrategy = new BasicLookupStrategy(
            dataSource,
            aclCache(),
            aclAuthorizationStrategy(),
            new ConsoleAuditLogger()
        );
        basicLookupStrategy.setAclClassIdSupported(true); // <--- this line
        return basicLookupStrategy;
    }
    @Bean
    public JdbcMutableAclService aclService() {
        JdbcMutableAclService jdbcMutableAclService = new JdbcMutableAclService(dataSource, lookupStrategy(), aclCache());
        jdbcMutableAclService.setAclClassIdSupported(true); // <--- and this line
        return jdbcMutableAclService;
    }
When using the above configuration, Spring ACL assumes you have an extra field in your "acl_class" table called "class_id_type", which holds the information about what type your entity's ID is. For example, my PostgreSQL definition for this table is as follows:
    create table if not exists acl_class(
        id bigserial not null primary key,
        class varchar(100) not null,
        class_id_type varchar(100),
        constraint unique_uk_2 unique(class)
    );