Reputation: 740
Can we use both Principal as well as GrantedAuthority in acl_sid and give permissions for an object in Spring ACL security?
Upvotes: 3
Views: 1749
Reputation: 8574
Yes, we can do that. The ACL_SID table can take SIDs that are either roles or users.
Here is a sample insert when it is role:

    insert into acl_sid (principal, sid) values (false, 'ROLE_ADMIN');

If it is a user principal then the insert will be:

    insert into acl_sid (principal, sid) values (true, 'bob');

You can also do runtime manipulation of ACL fields using mutable ACL.
Here is a sample:

    import org.springframework.security.acls.domain.*;
    import org.springframework.security.acls.model.*;

    // mutableAclService is an injected MutableAclService bean.

    // Prepare the information we'd like in our access control entry (ACE)
    ObjectIdentity oi1 = new ObjectIdentityImpl(Foo.class, 44L);
    ObjectIdentity oi2 = new ObjectIdentityImpl(Bar.class, 44L);
    Sid user = new PrincipalSid("bob");
    Sid adminRole = new GrantedAuthoritySid("ROLE_ADMIN");
    Permission p1 = BasePermission.READ;
    Permission p2 = BasePermission.ADMINISTRATION;

    // Create or update the relevant ACL
    // (readAclById returns Acl, so cast to MutableAcl before modifying it)
    MutableAcl acl1 = null;
    MutableAcl acl2 = null;
    try {
        acl1 = (MutableAcl) mutableAclService.readAclById(oi1);
    } catch (NotFoundException nfe) {
        acl1 = mutableAclService.createAcl(oi1);
    }
    try {
        acl2 = (MutableAcl) mutableAclService.readAclById(oi2);
    } catch (NotFoundException nfe) {
        acl2 = mutableAclService.createAcl(oi2);
    }

    // Now grant some permissions via an access control entry (ACE)
    acl1.setOwner(user);
    acl1.insertAce(0, p1, user, true);
    mutableAclService.updateAcl(acl1); // updateAcl is defined on MutableAclService

    acl2.setOwner(adminRole);
    acl2.insertAce(0, p2, adminRole, true);
    mutableAclService.updateAcl(acl2);

Upvotes: 3
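
How the two SID kinds from the answer above are matched at check time, as an added example that is not part of the original answer. It builds an in-memory ACL rather than using the database; `SidKindsDemo`, `Foo`, `canRead`, `user` and the accounts `root`, `alice` and `carol` are constructed for illustration, and it assumes spring-security-core and spring-security-acl on the classpath with Java 9 or later.

```java
import java.util.List;
import org.springframework.security.acls.domain.*;
import org.springframework.security.acls.model.*;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

public class SidKindsDemo {
    static class Foo {} // stand-in domain class (assumption, not from the page)

    // True if any SID of the caller (its name or one of its authorities) has a READ ACE.
    static boolean canRead(Acl acl, Authentication caller) {
        // Yields PrincipalSid(name) followed by one GrantedAuthoritySid per authority.
        List<Sid> sids = new SidRetrievalStrategyImpl().getSids(caller);
        try {
            return acl.isGranted(List.of(BasePermission.READ), sids, false);
        } catch (NotFoundException noMatchingAce) {
            return false; // no ACE matches any of the caller's SIDs: deny
        }
    }

    // Constructed test identity: a username plus zero or more role names.
    static Authentication user(String name, String... roles) {
        return new TestingAuthenticationToken(name, "n/a", roles);
    }

    public static void main(String[] args) {
        // Changing an ACL is itself access-checked, so build it as an administrator.
        SecurityContextHolder.getContext().setAuthentication(user("root", "ROLE_ADMIN"));
        AclAuthorizationStrategy strategy =
                new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_ADMIN"));
        MutableAcl acl = new AclImpl(new ObjectIdentityImpl(Foo.class, 44L), 1L,
                strategy, new ConsoleAuditLogger());

        // One ACE per SID kind on the same object, as in the acl_sid rows above.
        acl.insertAce(0, BasePermission.READ, new PrincipalSid("bob"), true);
        acl.insertAce(1, BasePermission.READ, new GrantedAuthoritySid("ROLE_ADMIN"), true);

        // bob matches the PrincipalSid ACE; alice matches only through her role;
        // carol has neither the username nor the role.
        System.out.println("bob   -> " + canRead(acl, user("bob", "ROLE_USER")));
        System.out.println("alice -> " + canRead(acl, user("alice", "ROLE_ADMIN")));
        System.out.println("carol -> " + canRead(acl, user("carol", "ROLE_USER")));
        SecurityContextHolder.clearContext();
    }
}
```

A `GrantedAuthoritySid` entry grants to every account that holds the role, so reviewing who can reach an object means reviewing role membership as well as the ACEs.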