Group and acl on Spring Security


Solution 1

Check Spring Security 3.0; you might be able to avoid using ACL at all by using the Spring Expression Language.

For instance, for editing a forum, you would have a method secured like this:

@PreAuthorize("hasRole('ROLE_FORUM_MANAGER') and hasPermission(#forum,'update')")
public void updateForum(Forum forum) {
    //some implementation
}

You would then implement the hasPermission method in a custom permission evaluator, like:

import java.io.Serializable;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

public class ForumPermissionEvaluator implements PermissionEvaluator {

    // Called for hasPermission(#forum, 'update'): the domain object itself is passed in.
    public boolean hasPermission(Authentication authentication,
            Object domainObject, Object permission) {
        //implement: decide from the principal and the object; false denies access
        return false;
    }

    // Called for hasPermission(id, 'Forum', 'update'): only the id and type are passed in.
    public boolean hasPermission(Authentication authentication,
            Serializable targetId, String targetType, Object permission) {
        //implement: load the object by id, then apply the same check
        return false;
    }
}

Finally, wire it up together in the application config:

<beans:bean id="expressionHandler"
    class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
  <beans:property name="permissionEvaluator" ref="permissionEvaluator"/>
</beans:bean>

<beans:bean id="permissionEvaluator"
    class="x.y.z.ForumPermissionEvaluator" />
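To make the evaluator concrete for the group-per-forum setup the question describes, here is an added example (not code from the answer above) that treats the group authorities carried by the Authentication (e.g. "GROUP_15") as the forum's manager list and denies everything else by default. The Forum class and the forumLookup loader are hypothetical stand-ins for the application's own domain class and repository.

```java
import java.io.Serializable;
import java.util.Set;
import java.util.function.LongFunction;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Hypothetical domain object: the set of group authorities (e.g. "GROUP_15") allowed to
// update this forum is stored with the forum itself, not in Spring's ACL tables.
class Forum {
    private final long id;
    private final Set<String> managerGroups;
    Forum(long id, Set<String> managerGroups) { this.id = id; this.managerGroups = managerGroups; }
    Set<String> getManagerGroups() { return managerGroups; }
}

public class ForumPermissionEvaluator implements PermissionEvaluator {

    private final LongFunction<Forum> forumLookup; // hypothetical loader, e.g. a repository call

    public ForumPermissionEvaluator(LongFunction<Forum> forumLookup) {
        this.forumLookup = forumLookup;
    }

    // Backs hasPermission(#forum, 'update'): grant only when the caller is authenticated,
    // the target is a Forum, the permission is one we know, and one of the caller's
    // authorities is a group that manages this forum. Anything else is denied.
    @Override
    public boolean hasPermission(Authentication authentication, Object domainObject, Object permission) {
        if (authentication == null || !authentication.isAuthenticated()) return false;
        if (!(domainObject instanceof Forum) || !"update".equals(permission)) return false;
        Forum forum = (Forum) domainObject;
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            if (forum.getManagerGroups().contains(authority.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    // Backs hasPermission(id, 'Forum', 'update'): resolve the id, then reuse the object check.
    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
        if (!"Forum".equals(targetType) || !(targetId instanceof Number)) return false;
        Forum forum = forumLookup.apply(((Number) targetId).longValue());
        return forum != null && hasPermission(authentication, forum, permission);
    }
}
```

Because the per-forum group list lives in the database, a ROLE_PERMISSION_MANAGER user can add or remove groups at runtime without touching the Spring Security configuration, which is what the question asks for.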

Solution 2

I would just use your Groups like Roles. I've found the Spring ACL implementation to be pretty unwieldy and for the most part unusable. Just assign users to "groups" (Roles in all actuality) and check them as you would normal role based authorization.

Solution 3

I did something similar 'manually': i.e. I had my own code to determine which instances could be edited/deleted by a specific user and only relied on Spring security to ensure they had the right role to access the functionality and to provide role/authentication information for the current user.

So in my code I determined the current principal (our own User class) and based on that I decided what rights this user had on a specific instance.

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Returns the application's own User when it is the current principal, otherwise null
// (no authentication in the context, or a principal of some other type).
public static User getCurrentUser() {
    User user = null;
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth != null) {
        Object principal = auth.getPrincipal();
        if (principal instanceof User) {
            user = (User)principal;
        }
    }
    return user;
}
Author: Jerome Cance

Updated on June 09, 2022

Comments

  • Jerome Cance (almost 2 years)

    I want to use Spring Security to manage user, group and permissions.

    I want to use ACL to secure my domain objects but I can't find a way to assign a group to an acl.

    For example: I've got users and groups. Each group can have the following securities:
    - manage forums (can be a role like ROLE_FORUM_MANAGER)
    - edit a specific forum (acl on the specific forum).

    Moreover, Groups are defined by users which have role ROLE_PERMISSION_MANAGER. BUT all groups defined by this user can only be edited and managed by this user. So groups are attached to a user. Exactly, imagine that a user creates a google group: this user can manage right permission groups only for the group he has created. And so he can create groups to manage specific forums of his own google group.

    How can I do it?

    I read the spring security docs and the following tutorials (so please don't send me to these links):
    http://grzegorzborkowski.blogspot.com/2008/10/spring-security-acl-very-basic-tutorial.html
    http://blog.denksoft.com/?page_id=20

  • Jerome Cance (over 14 years)
    But I don't understand how you apply an acl to a group in your case?
  • Fried Hoeben (over 14 years)
    I don't really use an acl, but group and user are both entities and have a (bi-directional) relation (managed by hibernate). To determine whether the user can perform special actions on a group I check whether the current principal is a moderator of that group (i.e. the group is contained in the 'moderates' collection of the user). So the list of moderators of each group is basically the 'ACL' for that group and that is managed in the database, not in the spring security config.
  • Jerome Cance (over 14 years)
    So I can dynamically create an authority like "GROUP_15" and after it, add to the forum 75 the acl with GrantedAuthoritySid("GROUP_15"). If I can do that, it's good for me. But I need to create all roles and permissions dynamically.
  • Jerome Cance (over 14 years)
    Yes, I've seen it before, but as spring security 3 is not an official release, I would not use it, but I think I will wait a little to use it.
  • Dave (almost 14 years)
    To do this using method arguments such as "#forum" you have to have debug info left in your production JARs... probably not a good idea.
  • Gandalf (over 13 years)
    You could do that, but not with the Spring Annotations, at least out of the box. The "ROLE" you use in the annotation is hardcoded and not dynamic. I would suggest writing your own MethodInterceptor and going from there - it's a simple interface and doesn't take much code.
  • Gene Golovchinsky (almost 13 years)
    In the bean wire-up, should the last element be ForumPermissionEvaluator rather than GroupPermissionEvaluator? Another question: if you wanted to have more than one PermissionEvaluator, how would that be wired up, since there is only one expressionHandler?
  • fvisticot (almost 12 years)
    @HDave: What is the impact of having debug information inside a production jar? Is it a performance issue?
  • Dave (almost 12 years)
    @user316994 - To make it more difficult to reverse compile.