0

Using spring ACL I can configure permissions for some actions on subject. My application requires customization of access rights to a subject very rarely. So i do not want fill ACL for default dependency, but need special instruction if ACL is empty.

For example, we have

branch1
|-doc1
|-doc2
|-doc3
branch2
|-doc1
|-doc2
|-doc3

user1 belongs to branch1
user2 belongs to branch2

By default implementation user1 should have an access to all documents in branch1 (if ACL is empty). user2 -> branch2. Sometimes user1 needs special access. He needs access to branch2.doc3 and he should have a restriction for branch1.doc2!

If I try implement solution in similar way with ACL recommendations I need add permissions for each user to each document in correspond branch. This way is very ugly because of normalization && permission. So I want implement solution where ACL logic used for cross references only and default permissions allows access for any user to each document in same branch...

By default I can use method annotations like @PostAuthorize or @PreAuthorize with checks like hasRole, hasPermission, but I can not build condition where restriction by permission is stronger than role or apply filter to request based on relations user-branch.

I know this idea should be possible to implement, but I did not find correspond description or trick example how to implement it...

Sergii
  • 7,044
  • 14
  • 58
  • 116

1 Answers1

0

I'm going to make a recommendation first:

My application requires customization of access rights to a subject very rarely. So i do not want fill ACL for default dependency, but need special instruction if ACL is empty.

Not sure this is a great idea (not saying you must not, just offering caution). This entails special logic (these guys are authorized this way, and those guys are authorized that way) which adds complexity to your app. I'll explain something about Spring Security ACLs you may not be aware of and then offer an alternate approach.

You can solve what you're asking for using the notion of parent ACLs. From the docs:

ACL_OBJECT_IDENTITY stores information for each unique domain object instance in the system. Columns include [...] the parent, a foreign key to the ACL_SID table to represent the owner of the domain object instance, and whether we allow ACL entries to inherit from any parent ACL. We have a single row for every domain object instance we’re storing ACL permissions for.

In this way, branch2 can have an acl, and branch2.doc3 can have an acl that inherits from branch2.

Using this you can chain parents, and have a root object that has your default ACL. In other words, all branches have a parent of a root object with the default ACL.

The advantage to using this approach is that it scales easier as complexity grows. You still enforce a single way, and can use arbitrarily complex logic to define your acls.

Taylor
  • 3,942
  • 2
  • 20
  • 33
  • I know, that ACL is able to cover my first need. It works! **BUT**! I have to process to many subjects in this way (>200 000). My application is very sensitive to performance issue. If I can provide default restriction using role and manage additional permissions & restrictions with ACL than performance would be better. – Sergii Sep 13 '16 at 13:28
  • @Sergii You realize you can Add an AclEntry to a Role, right? The root object above, for example, could grant READ access to ROLE_USER. Apologies if you do understand this, it's not clear from your question and comment. – Taylor Sep 14 '16 at 13:43
  • I like idea to add aclEntry to a Role. I need a time to think about it. ...A lot of unclear parts in implementation... I'll answer a few day later. – Sergii Sep 15 '16 at 14:45
  • Sorry, I can not implement this idea. If you have an example in git or can implement your idea, please share your solution for your suggestion. – Sergii Sep 20 '16 at 15:47
  • Hi, perhaps I was unclear. An Ace has a SID (an interface), which identifies the entity to which the permission is granted (or denied if isGranted returns false). Spring Sec offers two impls of SID, one of which is http://docs.spring.io/autorepo/docs/spring-security/3.2.6.RELEASE/apidocs/org/springframework/security/acls/domain/GrantedAuthoritySid.html This can be pointed to a GrantedAuthority(i.e. a Role), for example, ROLE_USER, thereby authorizing everyone. – Taylor Sep 21 '16 at 14:57