
ACL Principal vs GrantedAuthority Concepts


I'm reading about Spring Security ACL lib and I am a bit confused about some concepts. Regarding SIDs, it states to my confusion:

ACL_SID allows us to uniquely identify any principal or authority in the system ("SID" stands for "security identity"). The only columns are the ID, a textual representation of the SID, and a flag to indicate whether the textual representation refers to a principal name or a GrantedAuthority.

So is principal the same as role? Is GrantedAuthority an equal concept or a particular role? Does a boolean field principal = true mean that the identifier has semantic value, or simply that it is a role within the system? If so, why do you want to store SIDs that are not accounted for in the system?


Solution

  • An ACL (Access Control List) consists of a number of entries (rules), where every entry references a sid, which is a user or a group of users to apply the entry/rule for.

    • If the principal field is set to true, the sid is a principal, that is a single user. The sid field then contains the username.

    • If the principal field is set to false, the sid is an authority, for example ROLE_ADMIN. A GrantedAuthority is basically the same as a role (a role is a kind of authority).
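The two SID kinds in working Spring Security ACL code, as an added example that is not part of the answer above. It assumes a placeholder domain class `Report`, an id of 42, the username `alice`, and an injected `MutableAclService` (typically `JdbcMutableAclService` backed by the ACL_SID/ACL_ENTRY tables); everything else is the real `org.springframework.security.acls` API.

```java
import java.util.List;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.GrantedAuthoritySid;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.domain.SidRetrievalStrategyImpl;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.core.Authentication;

public class SidExample {

    // Placeholder domain class: the ACL only stores its class name and id.
    static class Report {}

    static final ObjectIdentity REPORT_42 = new ObjectIdentityImpl(Report.class, 42L);

    /** Grants READ on report #42 to one user and to one role (run by an administrator). */
    static void grantRead(MutableAclService aclService) {
        MutableAcl acl = aclService.createAcl(REPORT_42);

        // Stored in ACL_SID with principal = true; the sid column holds the username.
        Sid alice = new PrincipalSid("alice");
        // Stored in ACL_SID with principal = false; the sid column holds the authority name.
        Sid admins = new GrantedAuthoritySid("ROLE_ADMIN");

        acl.insertAce(acl.getEntries().size(), BasePermission.READ, alice, true);
        acl.insertAce(acl.getEntries().size(), BasePermission.READ, admins, true);
        aclService.updateAcl(acl);
    }

    /**
     * Why both kinds are needed: a logged-in user is checked against ALL of its SIDs,
     * i.e. one PrincipalSid for the username plus one GrantedAuthoritySid per authority.
     * So "alice" matches the first entry, and any user holding ROLE_ADMIN matches the second.
     */
    static boolean canRead(MutableAclService aclService, Authentication authentication) {
        List<Sid> sids = new SidRetrievalStrategyImpl().getSids(authentication);
        try {
            Acl acl = aclService.readAclById(REPORT_42, sids);
            return acl.isGranted(List.of(BasePermission.READ), sids, false);
        } catch (NotFoundException e) {
            // No ACL for the object, or no entry matching any of this user's SIDs: deny.
            return false;
        }
    }
}
```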