I have read about Spring ACL but it does not seem to be very competent. For example:
What are you using for ACL? Is it clever to have the ACL so decoupled from the domain model?
Spring Security Access Control List is a Spring component which supports Domain Object Security. Simply put, Spring ACL helps in defining permissions for specific user/role on a single domain object – instead of across the board, at the typical per-operation level.
Spring Security is probably the best choice for your cases. It became the de-facto choice in implementing the application-level security for Spring applications. Spring Security, however, doesn't automatically secure your application. It's not a kind of magic that guarantees a vulnerability-free app.
Method-level security is implemented by placing the @PreAuthorize annotation on controller methods (actually one of a set of annotations available, but the most commonly used). This annotation contains a Spring Expression Language (SpEL) snippet that is assessed to determine if the request should be authenticated.
We attempted to use the Spring ACL model and found it unwieldy. We ended up rolling our own, much simpler (but also less generic), implementation and then writing the Spring Security pieces (accessDecisionManagers, Voters, Interceptors) to handle our schema. Hope that helps.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With