Reputation: 3450
I'm going to implement an Access Control List using java.security.acl for displaying permitted items in a user account page.
For instance, there are some users and user groups, and the users as well as the groups can have some permissions. There are some links in the user account page: add, delete, edit and view. The user account page is the same for all users, but the links (add, delete, edit and view) will be displayed differently according to the user's permissions.
I can achieve this task with the collection framework. I'm going to implement it with java.security.acl in an initial development of an ERP (enterprise application). I want to know whether there will be any security loophole or something with this implementation (even in future). Why I doubt is that when I visited a site which says "The use of this package is not recommended".
Is there any advantage of using this package instead of collection framework? Is there any case which needs the implementation of this package in a Java EE project? All your recommendations, suggestions and advices are welcome.
Upvotes: 3
Views: 1680
Reputation: 3131
I guess it might be too late to provide an answer, but I came across the question and I had just been reading up things on ACL.
First of all, the classes in the java.security.acl package have been superseded by the classes in the java.security packages, as mentioned here. As a general policy, while doing new development, I prefer to use only the latest APIs.
Second, the classes in the java.security packages are probably meant only for securing the system resources like file I/O and network I/O or printers and so on. Securing your application's domain object is not what they were meant for, as mentioned in the last paragraph here.
You could look into spring-security-acl for this purpose, or roll your own solution (as you mentioned in the question).
Is there any advantage of using this package instead of collection framework?
Well, depends on what you are trying to achieve, but, in your case, the question is not relevant.
Is there any case which needs the implementation of this package in a Java EE project?
No, not required unless you need to access resources on the client-side, or planning to use custom socket-based communications with SSL/TLS.
Upvotes: 4
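As an added illustration of the "roll your own solution" the answer suggests (not code from the question, the answer, or any library), here is a minimal ACL on the collection framework for the question's add/delete/edit/view links, with group grants, per-user denies that override them, and a deny-by-default for unknown users. The names Permission, Acl, AclDemo and the sample users and groups are assumptions made up for the example.

```java
import java.util.*;
// Added illustration, not code from the question or answer: a minimal ACL on
// the collection framework. Permission, Acl and the sample users are assumed names.
enum Permission { ADD, DELETE, EDIT, VIEW }
final class Acl {
    private final Map<String, EnumSet<Permission>> groupGrants = new HashMap<>(); // group -> granted
    private final Map<String, Set<String>> membership = new HashMap<>();          // user -> groups
    private final Map<String, EnumSet<Permission>> userDenies = new HashMap<>();  // user -> denied

    void grantToGroup(String group, Permission... perms) {
        groupGrants.computeIfAbsent(group, g -> EnumSet.noneOf(Permission.class)).addAll(Arrays.asList(perms));
    }
    void addMember(String user, String group) {
        membership.computeIfAbsent(user, u -> new HashSet<String>()).add(group);
    }
    void denyForUser(String user, Permission... perms) {
        userDenies.computeIfAbsent(user, u -> EnumSet.noneOf(Permission.class)).addAll(Arrays.asList(perms));
    }

    // Effective permissions: union of the user's group grants minus explicit denies.
    // An unknown user has no groups, so the default answer is "nothing allowed".
    EnumSet<Permission> effective(String user) {
        EnumSet<Permission> result = EnumSet.noneOf(Permission.class);
        for (String group : membership.getOrDefault(user, Collections.emptySet())) {
            result.addAll(groupGrants.getOrDefault(group, EnumSet.noneOf(Permission.class)));
        }
        result.removeAll(userDenies.getOrDefault(user, EnumSet.noneOf(Permission.class)));
        return result;
    }

    boolean isAllowed(String user, Permission perm) { return effective(user).contains(perm); }
}

public class AclDemo {
    public static void main(String[] args) {
        Acl acl = new Acl();
        acl.grantToGroup("editors", Permission.VIEW, Permission.ADD, Permission.EDIT);
        acl.grantToGroup("admins", Permission.values());
        acl.addMember("alice", "editors");
        acl.addMember("bob", "admins");
        acl.denyForUser("bob", Permission.DELETE); // individual revocation overrides the group grant
        // One check decides which links the account page renders for alice...
        for (Permission p : Permission.values()) {
            if (acl.isAllowed("alice", p)) System.out.println("render link: " + p.name().toLowerCase());
        }
        // ...and the request handler re-runs the same check before performing the action.
        System.out.println("bob may delete: " + acl.isAllowed("bob", Permission.DELETE));
    }
}
```

The point of routing both the link rendering and the action handler through isAllowed is that hiding a link is presentation only; the server-side check is what actually enforces the permission.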