I am using the new Spring Security 3.1 and have a few questions to Spring Security ACL.
So let's say I have an object and want to define an ACL for it. I create an ACL Entry and want to asign it to a group of users; not a role (GrantedAuthoritySid
), not one user (PrincipalSid
), but a group of users. I have researched everywhere for an example but was unable to find any. Can you please point me to an example or the class that would help me in this scenario?
So now I want to create a second object that is related to the first object (it should apply for the same users).
This could be a status update for the first object for example. My GrantedAuthority
or Principal
has a different mask of permisions for the second object.
Also the first object has 2 GrantedAuthorities
(2 ACLEntries
), and the status update has just one. If I use ACL inheritance the permision sets for the first object do not match the permision set for the second.
My question is how can I model this so that the GrantedAuthorities
for the two objects are automatically kept consistent while retaining different permision masks. One idea is to use a composite pattern to link the GrantedAuthority
of the second object on the GrantedAuthority
of the first object (instead of linking it to users).
An ACL has a owner. What is the owner for? What role does it play for the ACL or for the ACL entries?
It's kind of complicated. I reverse engineered the Spring source code to understand the principle and it took me a lot of time. I can't exactly tell you how I implemented it (because it's very specific for the project I work on) but will try to give you a starting point.
What I did was:
org.springframework.security.acls.sid.Sid
. This Sid
references not an authority
or user
but a kind of groupobject which has an id and references two different objects. To use this groupobject as an Sid
you have to create an ACL_Sid
-record with the id
of the object as ACL_sid.sid
. ACL_sid.principal
has to be an integer other than 0 or 1 which has to be checked for in a test in the custom LookupStrategy
(see below and the Spring sourcecode).org.springframework.security.acls.sid.SidRetrievalStrategyImpl
to retrieve the custom Sid
's from the database.org.springframework.security.acls.jdbc.LookupStrategy
. I copied an existing implementation (because the class was final) and modified it for my needs.Look at the Spring source code and see how it's done.