I understand that to use Spring Security ACL, we create 4 mandatory tables (acl_*) in the database. When a new object is created, an entry is made in the table 'acl_object_identity', and the security authorization rules are in the table 'acl_entry', such as which user/role can read/write an object. The rules are later validated when any user tries to get or update the object.
In most of the examples online, the entries in the tables are made through SQL, which will not always be the case in production. The question is about the insert. I think at the point of object creation (such as a POST method in a controller) two things are needed:

  1. Check that the user is authorized to create the object, which can be done using Spring Security but not Spring Security ACL
  2. Insert entries in the acl_object_identity & acl_entry tables. This is extra code (outside the Spring Security ACL code) and should (ideally) be done in the same transaction as the insert of the new object in the DB

Once the above two are done, Spring Security ACL is used while validating read/update (GET, PUT, DELETE, etc. on the previously created object) requests.

Is my understanding correct?

uhlembik

1 Answer

I validated it, and the understanding is correct.

  1. Check that the user is authorized in the insert (POST) operation. Make the ACL entries
  2. Check the ACL entries for read/write (GET, PUT, DELETE) operations
uhlembik
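The two-step flow described in the question and confirmed in the answer, as an added example that is not part of the original post or of Spring Security itself: a service that guards creation with a plain role check (step 1), writes the acl_object_identity/acl_entry rows through Spring Security ACL's MutableAclService inside the same transaction as the domain insert (step 2), and from then on lets hasPermission() consult those rows for GET/PUT/DELETE. DocumentService, Document, DocumentRepository, the AUTHOR and AUDITOR roles and the com.example package are assumed names; the example also assumes method security is enabled with an AclPermissionEvaluator wired into the expression handler, and that the JdbcMutableAclService is built on the same DataSource as JPA so one @Transactional covers both inserts.

```java
package com.example;

import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.GrantedAuthoritySid;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
public class DocumentService {

    // Assumed Spring Data repository for the Document entity (hypothetical name).
    private final DocumentRepository documents;
    // In practice a JdbcMutableAclService configured over the same DataSource as JPA.
    private final MutableAclService aclService;

    public DocumentService(DocumentRepository documents, MutableAclService aclService) {
        this.documents = documents;
        this.aclService = aclService;
    }

    // Step 1: creation is authorized by plain Spring Security. No ObjectIdentity exists yet,
    // so hasPermission() cannot be used here; a role (or any other non-ACL rule) decides.
    @PreAuthorize("hasRole('AUTHOR')")
    // Step 2: the domain row and the acl_object_identity / acl_entry rows commit or roll back together.
    @Transactional
    public Document create(Document draft) {
        Document saved = documents.save(draft); // assigns the id stored in acl_object_identity.object_id_identity

        ObjectIdentity oid = new ObjectIdentityImpl(Document.class, saved.getId());
        MutableAcl acl = aclService.createAcl(oid); // inserts acl_object_identity (and acl_class/acl_sid rows if missing)

        // The creator owns the object and gets READ/WRITE/DELETE; a role-based SID gets READ only.
        PrincipalSid owner = new PrincipalSid(SecurityContextHolder.getContext().getAuthentication());
        acl.setOwner(owner);
        acl.insertAce(acl.getEntries().size(), BasePermission.READ, owner, true);
        acl.insertAce(acl.getEntries().size(), BasePermission.WRITE, owner, true);
        acl.insertAce(acl.getEntries().size(), BasePermission.DELETE, owner, true);
        acl.insertAce(acl.getEntries().size(), BasePermission.READ, new GrantedAuthoritySid("ROLE_AUDITOR"), true);
        aclService.updateAcl(acl); // writes the acl_entry rows; rolled back with the document if the transaction fails

        return saved;
    }

    // From here on the ACL tables are the source of truth: AclPermissionEvaluator looks up the
    // ACL for this object and checks the caller's SIDs against the acl_entry rows.
    @PostAuthorize("hasPermission(returnObject, 'READ')")
    public Document get(Long id) {
        return documents.findById(id).orElseThrow();
    }

    // Target type must equal the class name stored in acl_class for this object identity.
    @PreAuthorize("hasPermission(#id, 'com.example.Document', 'WRITE')")
    @Transactional
    public Document update(Long id, String body) {
        Document doc = documents.findById(id).orElseThrow();
        doc.setBody(body);
        return doc;
    }

    @PreAuthorize("hasPermission(#id, 'com.example.Document', 'DELETE')")
    @Transactional
    public void delete(Long id) {
        // Remove the ACL in the same transaction as the row; deleteChildren=false because this
        // example has no parent/child ACL hierarchy.
        aclService.deleteAcl(new ObjectIdentityImpl(Document.class, id), false);
        documents.deleteById(id);
    }
}
```

Three checks worth making when wiring this up: the 'com.example.Document' string in the hasPermission() expressions must match acl_class.class exactly, which is the fully qualified name ObjectIdentityImpl derives from Document.class; the @PostAuthorize form on the returned object only works if Document exposes a getId() accessor, since the default ObjectIdentityRetrievalStrategyImpl reads the identifier from it; and the AclCache that JdbcMutableAclService uses is not transactional, so keep the ACL writes as the last work in the transactional method to avoid a rollback leaving a cached ACL whose rows were never committed.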