ACL sample missing, still relevant? #24

Closed
Yberion opened this issue Jul 13, 2021 · 4 comments
Assignees
Labels
question Further information is requested

Comments

@Yberion

Yberion commented Jul 13, 2021

Hello,

Is ACL still relevant nowadays?

I'm asking this question because there is a reference to "Contacts" and "Document Management System" samples in the doc regarding ACL, but I can't find those samples.

ACL is quite complex and it's hard to use this system without a proper up-to-date sample, so is it still a good system to use if we want to restrict access to a specific object? (Something like ownership.)

Should I use something else?

Thanks for your time.

@marcusdacoregio marcusdacoregio self-assigned this Jul 13, 2021
@marcusdacoregio marcusdacoregio added the question Further information is requested label Jul 13, 2021
@marcusdacoregio
Contributor

Hi @Yberion, thanks for bringing this up.

The ACL module is mostly being maintained by the community right now.
The reason for that is that Spring Security's ACL implementation allows users to determine if access is allowed after the results come back from the database. This works when there is a small number of results, but breaks down when paging is necessary. So what the team recommends is that you go for the Spring Data Integration to query your results. We also have a ticket in Spring Security to automatically update the query.

However, you can still find the ACL samples on this older branch of Spring Security's repository.

I'm closing this but feel free to continue the discussion.

@Yberion
Author

Yberion commented Jul 13, 2021

> So what the team recommends is that you go for the Spring Data Integration to query your results.

So you suggest that the "ownership" of an object should be checked with a Query? (Something like this? https://docs.spring.io/spring-security/site/docs/current/reference/html5/#data-query)

Do you mind providing a very small sample of such a system?

I'd like to get the best practice when I'm coding.

What if I have 2 ROLES, like ROLE_1 and ROLE_2.

  • ROLE_1 can WRITE_ARTICLE, EDIT_ARTICLE and READ_ARTICLE
  • ROLE_2 can READ_ARTICLE

But, people with ROLE_2 are allowed to read an article only if someone with ROLE_1 allowed it.

How would you allow that with a Query?

@marcusdacoregio
Contributor

I think in your scenario SpEL would work:

```java
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

// Each public class below lives in its own source file in a real project.
@Service
public class ArticleSecurityService {
    public boolean canReadArticle(Long articleId) {
        // apply as many checks as you want to see if the current user can read the article
        return false; // placeholder body: default deny until the real checks are added
    }
}

@Service
public class ArticleService {
    private final ArticleRepository articleRepository; // assumed Spring Data repository

    public ArticleService(ArticleRepository articleRepository) {
        this.articleRepository = articleRepository;
    }

    // The SpEL expression calls the bean named "articleSecurityService" with the method argument
    @PreAuthorize("@articleSecurityService.canReadArticle(#articleId)")
    public Article getArticle(Long articleId) {
        // returns the article
        return articleRepository.findById(articleId).orElseThrow();
    }
}
```

This way you can improve your permissions more easily.
Does it make sense for you or do you think ACLs would fit more in your scenario?
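One way the `canReadArticle` check from the reply above could implement the two-role scenario (ROLE_1 reads everything and can grant; ROLE_2 reads only articles a ROLE_1 user granted to them), written as an added example rather than code from this thread or from Spring Security. It assumes authorities are named exactly `ROLE_1` and `ROLE_2` and uses a constructed in-memory grant table (`readGrants`) in place of a real repository.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

@Service
public class ArticleSecurityService {

    // Hypothetical store: articleId -> usernames a ROLE_1 user granted read access to.
    // Constructed sample data; a real application would persist this in the database.
    private final Map<Long, Set<String>> readGrants = new ConcurrentHashMap<>(Map.of(
            1L, Set.of("alice"),
            2L, Set.of()));

    // Called from @PreAuthorize("@articleSecurityService.canReadArticle(#articleId)")
    public boolean canReadArticle(Long articleId) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return false; // default deny: no authenticated caller
        }
        if (hasRole(auth, "ROLE_1")) {
            return true; // ROLE_1 may read every article
        }
        if (hasRole(auth, "ROLE_2")) {
            // ROLE_2 may read only an article explicitly granted to this user
            return readGrants.getOrDefault(articleId, Set.of()).contains(auth.getName());
        }
        return false; // any other role: deny
    }

    // Only ROLE_1 may record a grant; Spring Security enforces this before the body runs
    @PreAuthorize("hasRole('ROLE_1')")
    public void grantRead(Long articleId, String username) {
        readGrants.merge(articleId, Set.of(username), (existing, added) -> {
            Set<String> merged = new java.util.HashSet<>(existing);
            merged.addAll(added);
            return Set.copyOf(merged);
        });
    }

    private static boolean hasRole(Authentication auth, String role) {
        return auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .anyMatch(role::equals);
    }
}
```

Because `@PreAuthorize` is applied through a Spring proxy, `grantRead` must be invoked from another bean; a call from inside `ArticleSecurityService` itself would bypass the role check.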

@marcusdacoregio
Contributor

Just a heads up that I've added those two ACL samples to be included in this repository. This is the ticket for it: #22

2 participants