Reputation: 3302
How to grant ACL in Spring Security without an explicit authentication?
When I create a new entity I would like to grant ACL permissions (aka ACL entry) to this new entity. So far so easy :-)
The problem arises in the following scenario:
- An end user can create the entity without being authenticated on the web site.
- The service that persists this new entity hence runs without an authentication context.
- But: to grant ACEs one needs to have an active authentication context.
Spring's JdbcMutableAclService uses SecurityContextHolder.getContext().getAuthentication() to obtain the current authentication, so there seems to be no way to circumvent this requirement.
Any ideas are greatly appreciated!
Upvotes: 3
Views: 723
Answers (1)
Reputation: 3302
Found the answer myself:
In a web application there always is an authentication context. If a user is not authenticated the authentication is org.springframework.security.authentication.AnonymousAuthenticationToken which has a single granted authority: ROLE_ANONYMOUS.
Hence it is simple to grant this user the right to create ACLs. Just configure the PermissionGrantingStrategy to use this role to authorize requests.
Upvotes: 2
Related Questions
- Granting permission in Spring Security Acl
- How to implement Custom spring security acl?
- Spring Security: Set GrantedAuthorities
- spring security add Granted autherity
- configuring spring security only for authorisation?
- Spring security authorization without authentication
- spring security acl administration permission
- Spring security authorization without authentication using role only
- Spring object level permissions without spring security ACL
- How to change the Permisions in Spring Security ACL?