Group and acl on Spring Security

Asked 17/12, 2009 at 10:57 Answered 20/12, 2009 at 12:6

I want to use Spring Security to manage user, group and permissions.

I want to use ACL to secure my domain objects but I can't find a way to assign a group to an acl.

For example: I've got users and groups. Each group can have the following securities: - manage forums (can be a role like ROLE_FORUM_MANAGER) - edit a specific forum (acl on the specific forum).

Moreover, Groups are defined by users which have role ROLE_PERMISSION_MANAGER. BUT all groups defined by this user can only be edited and managed by this user. So group are attached to a user. Exactly, imagine that user creates a google group: this user can manage right permission groups only for the group he has created. And so he can create group to manage specific forum of its own google group.

How can I do it?

I read the spring security docs and the following tutorials (so please don't send me to these links): http://grzegorzborkowski.blogspot.com/2008/10/spring-security-acl-very-basic-tutorial.html http://blog.denksoft.com/?page_id=20

Helbonnas answered 17/12, 2009 at 10:57 Comment(0)

Check Spring Security 3.0, you might be able to avoid using ACL at all by using the Spring Expression Language.

For instance, for editing a forum, you would have a method secured like this:

@PreAuthorize("hasRole('ROLE_FORUM_MANAGER') and hasPermission(#forum,'update'))
public void updateForum(Forum forum) {
    //some implementation
}

You would then implement the hasPermission method in a custom permission evaluator, like:

public class ForumPermissionEvaluator implements PermissionEvaluator {

    public boolean hasPermission(Authentication authentication,
            Object domainObject, Object permission) {
        //implement
    }

    public boolean hasPermission(Authentication authentication, 
            Serializable targetId, String targetType, Object permission) {
        //implement
    }
}

Finally, wire it up together in the application config:

<beans:bean id="expressionHandler"
    class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
  <beans:property name="permissionEvaluator" ref="permissionEvaluator"/>
</beans:bean>

<beans:bean id="permissionEvaluator"
    class="x.y.z.ForumPermissionEvaluator" />

Wende answered 20/12, 2009 at 12:6 Comment(5)

yes I've seen it before, but as spring security 3 is not an official release, I would not use it, but I think I will wait a little to use it. – Helbonnas 22/12, 2009 at 16:40

To do this using methods arguments such as "#forum" you have to have debug info left in your production JARs....probably not a good idea. – Connotation 1/6, 2010 at 1:54

In the bean wire-up, should the last element be ForumPermissionEvaluator rather than GroupPermissionEvaluator? Another question: if you wanted to have more than one PermissionEvaluator, how would that be wired up, since there is only one expressionHandler? – Novara 25/5, 2011 at 0:15

@HDave: What is the impact to have debug information inside production jar ? is it performance issues ? – Inflated 2/6, 2012 at 10:16

@user316994 - To make it more difficult to reverse compile. – Connotation 2/6, 2012 at 21:31

I would just use your Groups like Roles. I've found the Spring ACL implementation to be pretty unwieldy and for the most part unusable. Just assign users to "groups" (Roles in all actuality) and check them as you would normal role based authorization.

Locarno answered 18/12, 2009 at 16:10 Comment(2)

So I can dynamically create an authority like "GROUP_15" and after it, add to the forum 75 the acl with GrantedAuthoritySid("GROUP_15"). If I can do that, It's good for me. But I need to create all roles and permissions dynamically. – Helbonnas 18/12, 2009 at 16:39

You could do that, but not with the Spring Annotations, at least out of the box. The "ROLE" you use in the annotation is hardcoded and not dynamic. I would suggest writing your own MethodInterceptor and going from their - it's a simple interface and doesn't take much code. – Locarno 27/10, 2010 at 13:23

I did something similar 'manually': i.e. I had my own code to determine which instances could be edited/deleted by a specific user and only relied on Spring security to ensure they had the right role to access the functionality and to provide role/authentication information for the current user.

So in my code I determined the current principal (our own User class) and based on that I decided what rights this user had on a specific instance.

public static User getCurrentUser() {
    User user = null;
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth != null) {
        Object principal = auth.getPrincipal();
        if (principal instanceof User) {
            user = (User)principal;
        }
    }
    return user;
}

Disagree answered 18/12, 2009 at 10:28 Comment(2)

But I don't understand how you apply an acl to a group in your case ? – Helbonnas 18/12, 2009 at 11:6

I don't really use an acl, but group and user are both entities and have a (bi-directional) relation (managed by hibernate). To determine whether the user can perform special actions on a group I check whether the current principal is a moderator of that group (i.e. the group is contained in the 'moderates' collection of the user). So the list of moderators of each group is basically the 'ACL' for that group and that is managed in the database, not in the spring security config. – Disagree 18/12, 2009 at 12:12

Recommended topics

Hot tags