Spring object level permissions without spring security ACL

Question

I want to implement object level permissions in my project. More specifically, there would be a User, a School and a Student class. Each Student will belong to one school. Each User of the system will also belong to a School. So each User of the system will have access only to the Students belonging to his School.

I have read in a number of places that this could be done with the help of spring security ACL. This requires creating a number of ACL_ tables in my database (4 if I am not wrong) and having specific permissions for each one of my objects ! So I'd have as many rows in my ACL_ENTRY as many objects !

This is an overkill for my application since the object will already know who has and has not access to it - why should I also an extra acl_entry? What I want is a check to see if the object to be updated belongs to the specific user and return either allow it or not. The same goes with the selects - just return objects belonging to the specific user.

From what I can understand, this has to be done in my data access layer -- if I do it anywhere else I would have problems with queries (since I would need to check all the objects one by one to see if they belong to the specific user). For my data access, I am using spring-data, with interfaces that extend the JpaRepository. Could I add my own methods for save / select? How can I get the User object from these methods? Has anybody done something similar in order to help me get started ?

Answer 1

Just a try. You can achieve object level security by implementing spring AOP in your application. Based on your requirements I will provide one example here.

//Execute before user model access

@Before("within(org.school.model.*)")
 public void doCheckSchoolUsers() throws <any custom exception or Exception class>
 {
//Write your code here to get the current user and validate the user based on   your business requirements. 
if(the user is not authorized)
        throw new Exception<or your custome exception> //You can catch this        exception any of your filter and redirect accordingly. 

You can validate your student object in the following two ways.

1. If your method returns Student object or along with some object collections, you can catch all objects returns by the method.

   @AfterReturning(pointcut = "execution(* 
   com.mkyong.customer.bo.CustomerBo.addCustomerReturnValue(..))",returning= "result")
    public void logAfterReturning(JoinPoint joinPoint, Object result) 
    {
   System.out.println("logAfterReturning() is running!");
   System.out.println("hijacked : " + joinPoint.getSignature().getName());
   System.out.println("Method returned value is : " + result);
   System.out.println("******");
   

   }

2. Getting params in the aop method.

   public String log(ProceedingJoinPoint jp) throws Throwable 
   {
         System.out.println("Spring AOP: Around advice");
          Object[] args=jp.getArgs();
         if(args.length>0){
           System.out.print("Arguments passed: ");
           for (int i = 0; i < args.length; i++) {
             System.out.print("Arg"+(i+1)+":"+args[i]);
             args[i]=":Spring AOP removed the argument";
           }
        }
        Object result=jp.proceed(args);
        return result.toString()+" :Result is also modified";
   }
   

For more details : http://docs.spring.io/spring/docs/2.5.5/reference/aop.html