How Does ACL Security Really Work?

I've read several tutorials and books on Spring ACL security and am still having trouble getting my head round it. I prefer to learn fundamentals and work up from there, so I was wondering if someone could actually help shed some light on the subject. Here is my take, which people are free to comment on:

It looks like one can @Secured annotate a method that hits the database in some way. This uses AOP to wrap the method in code which then uses the class and object identity information in the ACL tables to decide whether the application has permission. At what level does this happen? At the data source, before the data gets into the application? If the answer is yes, then I can see this maybe working with my ORM (Hibernate)? Only if it uses the same data source? Or does it look at the method arguments and/or return type to work out what object(s) the caller is trying to get hold of and decide from that? Or does it actually inspect local objects created in the method and compare their id and class with those in the acl_class table et al.?

  • #2
    Thinking about this a bit more, I'd like the security to be as fail safe as possible. I'd like the code to be such that developer's don't have to remember to to implement, annotate, wirte security at all with it being handled automatically through some sort of AOP and the data in the database. Does Spring ACL support this? Off the shelf? This comes back to my earlier question about what level the ACL works. All the examples I've seen require one to annotate (buiness) methods, but I'd prefer if it was handled at the JDBC interface, or at the very least some sort of point cut that operates on all objects with Dao in their class name, etc. I guess I could also declare the check on all Spring managed bean methods, but I guess that could be a potention performance issue?
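As an added illustration for both posts above (this is not code from the thread or from the Spring project's own samples), the following sketch shows where Spring Security's ACL checks actually sit: at the method boundary of a Spring-managed bean, applied through AOP by the method-security interceptor, and driven either by the method's arguments (`@PreAuthorize` with `hasPermission(#id, ...)`) or by its return value (`@PostFilter`). The `Contact` class, the `ContactDao` interface and the `AclService` bean are assumptions; the Spring types and annotations are real.

```java
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.acls.AclPermissionEvaluator;
import org.springframework.security.acls.model.AclService;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;

// Hypothetical domain object. Rows in acl_class / acl_object_identity are
// matched against this class's (fully qualified) name and the value of getId().
class Contact {
    private final Long id;
    private final String name;
    Contact(Long id, String name) { this.id = id; this.name = name; }
    public Long getId() { return id; }
    public String getName() { return name; }
}

// Plugs the ACL tables into the SpEL hasPermission() function. The method
// security interceptor (an AOP advisor) evaluates these expressions around
// every annotated method of a Spring-managed bean; nothing here touches JDBC.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    // Assumed bean, e.g. a JdbcMutableAclService reading the acl_* tables.
    private final AclService aclService;

    MethodSecurityConfig(AclService aclService) { this.aclService = aclService; }

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new AclPermissionEvaluator(aclService));
        return handler;
    }
}

// Hypothetical DAO. The checks run on the arguments before the body executes
// and on the return value after it; the data source itself is not involved.
interface ContactDao {
    // Argument-driven: the interceptor takes #id plus the type name, builds an
    // ObjectIdentity (Contact, id) and looks up its ACL before the query runs.
    // The type name must equal the class column stored in acl_class.
    @PreAuthorize("hasPermission(#id, 'Contact', 'READ')")
    Contact findById(Long id);

    // Return-value-driven: the whole list is loaded first, then each element's
    // class and getId() are checked against the ACL and unreadable ones dropped.
    @PostFilter("hasPermission(filterObject, 'READ')")
    List<Contact> findAll();

    // Domain-object argument: identity is taken from contact.getId().
    @PreAuthorize("hasPermission(#contact, 'WRITE')")
    void save(Contact contact);
}
```

Two practical points follow from this. First, because the decision is made on method arguments and returned objects rather than at the JDBC or Hibernate layer, any code path that reaches the data without going through an annotated bean method (a direct JDBC call, a different DAO, an unannotated method on the same bean) is not checked at all; if the aim is fail-safe coverage, the annotations or a pointcut-based rule (Spring Security's XML namespace offers `<protect-pointcut>` under `<global-method-security>` for exactly the "everything named *Dao" case) should be applied at a single layer that all data access must pass through, and that layer should be tested for the bypass cases. Second, `@PostFilter` is only as safe as it is cheap: it loads the full result set and then does one ACL lookup per element, so on large collections it is both the performance risk raised in post #2 and a place where an unbounded query can become a denial-of-service vector; prefer pushing the restriction into the query where that is possible.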