I am not a newbie to Spring 4, but I am new to Spring Security 4 ACL. I just implemented Spring Security 4 on my MVC web-app which are all back-end web-services. A link to what I did is posted here:
http://stackoverflow.com/questions/33787085/spring-security-4-with-third-party-authentication-token
And this added security to my URL's that only users with a certain role can request a URL. This is great! We took the SiteMinder example, and instead of passing back a username, we passback a token in the request header. We make a call to OpenAM passing in this token and we get back a username. We use Hibernate Authentication to get the user info from our database, we get the roles for that user and that makes UserDetails for us, and in that way, we have a SecurityContext for this authenticated user.
But now I am taking on a new challenge in the same MVC web-app, that is I want to add ACL security to my objects. I have already done a ton of research with more to come, and I have a few questions.
It seems I can apply security (create and/or retrieve and/or delete and/or updated and/or etc) with the ACL tables. I want to know if it is possible to apply security like this:
userA SomeCarObject has permissions (create,read,update)
userB SomeCarObject has permissions (read)
roleA SomeCarObject has permissions (update)
roleB SomeCarObject has permissions (delete)
So, can BOTH a user AND role both have different permissions to an object?
We have three different object types: Cars, Animals, Flowers And we want to use ACL to assign both users AND roles to have different permissions for each of these object types.
Can this be done with ACL in Spring Security 4? Are there any good examples out there that you know of? Or, do we have to have all user permissions? So if we have a role with 3 users, then we need to have 3 entries in the acl table, one for each user? That begs the question ... if a user changes a role, then we would have to re-evaluate their permissions, and we might have to add or delete records from the ACL tables?
I am also looking at how Permissions work. We currently use a bitmask in our old system to keep track of permissions, so we have things like recursiveRead (1), read (2), write(4), delete(8), create(16), upload(32), close(64), etc. It seems like we can have 32 bits of permission which works great for us.
So, I am looking at how we define these permissions in ACL.
As I get more information, I will certainly post it here. Thanks!
So, can BOTH a user AND role both have different permissions to an object?
Yes, there is thing in Spring Security called Sid - security identity, which can be an authority (role) or a principal (user).
Assuming that you use a database schema similar to the one in the reference doc, your acl_sid table should look something like:
+----+-----------+-------+
| id | principal | sid |
+----+-----------+-------+
| 1 | true | userA |
| 2 | true | userB |
| 3 | false | roleB |
| 4 | false | roleB |
+----+-----------+-------+
Then you use the id from this table when adding entries in the ACL.
That begs the question ... if a user changes a role, then we would have to re-evaluate their permissions, and we might have to add or delete records from the ACL tables?
That should not be necessary, but be aware of caches. If you add/delete records in the ACL tables, remember to clear AclCache if you use one.
I am also looking at how Permissions work.
The default permissions are defined in BasePermission class and use the bitmask pattern. Note however, that Spring Security ACL implementation does not handle multiple permissions on same ACL entry; that means you have to add one entry for create, one for read, and so on.