
26/11/13


Spring Security ACL Concepts Abstract Layers


Spring Security ACL Concepts


In this post I would like to discuss ACL concepts in Spring Security. ACL (Access Control List) based security is a means of providing access to a particular object using a combination of a user and the actions that can be performed by that user (create, edit, update, delete).

Below is an overview of the topics I shall cover:

    Motivation/Use cases
    Schema
    Interfaces
    Annotations and Permissions
    Example
    References

Motivation/Use cases
In one of my previous articles, I demonstrated the use of Spring for role-based security. This works fine if you want to restrict access to URLs based on the particular roles a user has. For example:

    ROLE_USER - provides access to all authenticated users
    ROLE_CUSTOMER - provides access to all users who have made some purchase before
    ROLE_ADMIN - provides access to users with admin capabilities

However, if you want to provide fine-grained access at the object level, you can use ACL-based security. For example:

An e-commerce website

    CUSTOMER - view
    MANAGER - view, edit, update, delete
    CUSTOMER_SERVICE - view, edit

Banking software

    CUSTOMER - view
    CLERK - view
    MANAGER - view, edit, delete

Blogging website

    ANONYMOUS_USER - view
    AUTHENTICATED_USER - view, edit
    ADMIN - view, edit, delete


Schema

Below are the core ACL tables you need to have in your database.


abstractlayers.com/2013/04/22/spring-security-acl-concepts/


Interfaces
Below are the key interfaces involved in implementing ACL-based security. These need to be configured in the security-context.

Annotations and Permissions


You can use a combination of expressions and annotations to provide method-level security. An example of an expression is hasPermission(#account, 'WRITE'). The annotations which Spring provides are @PreAuthorize, @PreFilter, @PostFilter, @PostAuthorize, @Secured and JSR 250. Below is a snippet of code for a couple of annotations:

    // Expression evaluated before method execution. In this case checks if principal can write
    @PreAuthorize("hasPermission(#account, 'WRITE')")
    public Boolean editAccount(Account account);

    // Filters the results. In this case just returns new accounts
    @PostFilter("filterObject.isNew()")
    public List<Account> getNewAccounts();
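To make the difference between role checks and object-level checks concrete, here is an added example (not code from the original post, and not Spring's implementation): a plain-Java model of the lookup behind hasPermission(#account, 'WRITE') and of permission-based result filtering. The class, record and method names, the users and the granted entries are all constructed for illustration.

```java
import java.util.*;
import java.util.stream.Collectors;
// Simplified model of object-level ACL checks. It does not use Spring classes.
public class AclModel {
    enum Permission { READ, WRITE, DELETE }
    record ObjectId(String type, long id) {}            // which domain object
    record Entry(String sid, Permission permission) {}  // who is granted what
    record Account(long id) {}
    record User(String name, Set<String> roles) {}

    private final Map<ObjectId, List<Entry>> acls = new HashMap<>();

    void grant(Account a, String sid, Permission... perms) {
        List<Entry> entries = acls.computeIfAbsent(new ObjectId("Account", a.id()), k -> new ArrayList<>());
        for (Permission p : perms) entries.add(new Entry(sid, p));
    }

    // The question hasPermission(#account, 'WRITE') asks: does an entry on this object grant
    // the permission to the user or to one of the user's roles? No matching entry means deny.
    boolean hasPermission(User u, Account a, Permission p) {
        Set<String> sids = new HashSet<>(u.roles());
        sids.add(u.name());
        return acls.getOrDefault(new ObjectId("Account", a.id()), List.of()).stream()
                .anyMatch(e -> e.permission() == p && sids.contains(e.sid()));
    }

    // Pre-authorization: the check runs before the method body.
    boolean editAccount(User u, Account a) {
        if (!hasPermission(u, a, Permission.WRITE))
            throw new SecurityException(u.name() + " may not edit account " + a.id());
        return true;
    }

    // Post-filtering: elements the caller may not read are dropped from the result.
    List<Account> readableAccounts(User u, List<Account> all) {
        return all.stream().filter(a -> hasPermission(u, a, Permission.READ)).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        AclModel acl = new AclModel();
        Account a1 = new Account(1), a2 = new Account(2);   // constructed sample data
        acl.grant(a1, "alice", Permission.READ, Permission.WRITE);                            // user entry
        acl.grant(a2, "ROLE_MANAGER", Permission.READ, Permission.WRITE, Permission.DELETE);  // role entry
        User alice = new User("alice", Set.of("ROLE_CUSTOMER"));
        User carol = new User("carol", Set.of("ROLE_MANAGER"));
        System.out.println(acl.readableAccounts(alice, List.of(a1, a2)));
        System.out.println(acl.readableAccounts(carol, List.of(a1, a2)));
        System.out.println(acl.editAccount(alice, a1));
        try { acl.editAccount(carol, a1); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Run it with `java AclModel.java` on Java 16 or later. Holding ROLE_MANAGER gives carol nothing on account 1, because access is decided per object rather than per role.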

Example

References
Below are some good references for further reading:

    ACL implemented for a blogging application can be found here
    A good conceptual overview can be found here
    DZone refcardz
    Great presentation about Spring Security at SlideShare

Tags: ACL, Security, Spring. By Santosh Rangarajan in Spring on April 22, 2013.

2 Comments
Spring Security 3.1 Concepts Abstract Layers
APRIL 22, 2013 AT 5:34 AM

[...] my next article I shall discuss ACL components in Spring [...]

subversivepastor.com
NOVEMBER 1, 2013 AT 11:31 AM


I love your blog... very nice colors & theme. Did you make this website yourself or did you hire someone to do it for you? Please answer back as I'm looking to create my own blog and would like to find out where you got this from. Thanks a lot.
