Geek Answers Handbook

Is Spring ACL a good implementation of ACL?

I read about Spring ACL, but it doesn't seem to be very competent. For example:

  • Cannot list all objects of type X with resolution Y
  • Unable to automatically create schemas for new deployments.

What do you use for ACL? Is it smart to have an ACL disconnected from a domain model?

+6
java spring spring-security acl
source share
3 answers

We tried to use the Spring ACL model and found it to be cumbersome. We completed our own, much simpler (but also less general) implementation, and then recorded Spring security elements (accessDecisionManagers, voters, interceptors) to process our scheme. Hope this helps.

+11
source share

Perhaps you should take a look at Apache Shiro .

From the site: Apache Shiro is a powerful and easy-to-use Java security infrastructure that performs authentication, authorization, cryptography and session management. Thanks to the easy-to-understand Shiros API, you can quickly and easily protect any application - from the smallest mobile applications to the largest web applications and enterprise applications.

Many prefer how Shiro handles permissions.

+3
source share

If you are using Hibernate, you can automatically run the acl scheme against db by adding it to persistence.xml :

 <property name="hibernate.hbm2ddl.import_files" value="/import.sql"/> <property name="hibernate.hbm2ddl.import_files_sql_extractor" value="org.hibernate.tool.hbm2ddl.MultipleLinesSqlCommandExtractor" />

and adding a schema to /resources/import.sql

You can list all objects of type X with resolution Y as follows:

 select * from acl_entry a join acl_object_identity b on a.acl_object_identity = b.id join acl_class c on b.object_id_class = c.id where class = X and mask = Y

However, the Spring Security ACL is fundamentally flawed in terms of Row security due to pagination issues. You must make Row Security in the database with views or built-in tools if your db supports them.

0
source share

More articles:


All Articles