Introducing Spring Security ACL

Tram Ho

1. Introduction

An Access Control List (ACL) is a list of permissions attached to an object. Spring Security ACL is the Spring Security component for domain object security: put simply, it decides which permissions a given user or role holds on a specific domain object.

For example, users with the administrator (Admin) role may read (READ) and edit (WRITE) every message in a central notice box, while ordinary users may only read those messages, and users with the Editor role may edit certain kinds of messages.

So different kinds of users have different rights on the same object, and in the simplest case Spring ACL is the tool we use to express and enforce those rights.

In this article I walk through a small demo that manages user information and system resources. I focus only on the main components and the steps needed to configure ACL-style security in a Spring Boot application.

2. Configuration

2.1. Database

  • First we set up the database: a table holding each user's login information, and three tables that store the access rights in the system (roles, permissions, and the mapping between them).
  • Example data:

1. Role table

2. Permission table

Here I list each domain and the access rights defined on it.

3. User table

I set login information and a role for two users: 001 (admin) and 002 (staff).

4. Role Permission table

The matrix above gives the rights in the system: Staff can only view the resources in the system; Manager can view everything and, in addition, edit Content and Theme; Admin can change every resource in the system.
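The four tables described above, written out as JPA entities. This is an added example, not the article's own code (the article only shows the tables as screenshots); the table and column names are assumptions, and the user table is named app_user because user is a reserved word in several databases.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.stream.Collectors;

import jakarta.persistence.*;   // Spring Boot 3; on Spring Boot 2 use javax.persistence.*

/** Permission table: one row per (domain, action) pair, e.g. (USER, READ) or (CONTENT, EDIT). */
@Entity
@Table(name = "permission",
       uniqueConstraints = @UniqueConstraint(columnNames = {"domain", "action"}))
class Permission {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    @Column(nullable = false)
    private String domain;   // USER, CONTENT, THEME, ...

    @Column(nullable = false)
    private String action;   // READ, EDIT, ...

    protected Permission() { }   // required by JPA

    Permission(String domain, String action) {
        this.domain = domain;
        this.action = action;
    }

    String getDomain() { return domain; }
    String getAction() { return action; }
}

/** Role table (STAFF, MANAGER, ADMIN); the role_permission matrix becomes a many-to-many join table. */
@Entity
@Table(name = "role")
class Role {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    @Column(nullable = false, unique = true)
    private String name;

    // Loaded eagerly: every login needs the complete permission list to build the authorities.
    @ManyToMany(fetch = FetchType.EAGER)
    @JoinTable(name = "role_permission",
               joinColumns = @JoinColumn(name = "role_id"),
               inverseJoinColumns = @JoinColumn(name = "permission_id"))
    private Set<Permission> permissions = new HashSet<>();

    protected Role() { }

    Role(String name) { this.name = name; }

    String getName() { return name; }
    Set<Permission> getPermissions() { return permissions; }

    /** Grant one (domain, action) pair to this role: one row in role_permission. */
    void grant(Permission permission) { permissions.add(permission); }
}

/** User table: login credentials plus one role (001 -> ADMIN, 002 -> STAFF in the article's sample data). */
@Entity
@Table(name = "app_user")
class AppUser {
    @Id
    private String id;   // "001", "002"

    @Column(nullable = false, unique = true)
    private String username;

    @Column(nullable = false)
    private String password;   // a bcrypt/argon2 hash, never the plaintext password

    @ManyToOne(optional = false, fetch = FetchType.EAGER)
    @JoinColumn(name = "role_id")
    private Role role;

    protected AppUser() { }

    AppUser(String id, String username, String passwordHash, Role role) {
        this.id = id;
        this.username = username;
        this.password = passwordHash;
        this.role = role;
    }

    String getUsername() { return username; }
    String getPassword() { return password; }
    Role getRole() { return role; }

    /** Flatten the user's role into "DOMAIN:ACTION" strings, the shape the authority list in 2.2 is built from. */
    Set<String> permissionStrings() {
        return role.getPermissions().stream()
                   .map(p -> p.getDomain() + ":" + p.getAction())
                   .collect(Collectors.toSet());
    }
}
```

The unique constraint on (domain, action) keeps the permission table from silently holding duplicate rows, and putting the rights on the role rather than on the user means a user's effective permissions are exactly one row lookup in app_user plus the role's rows in role_permission.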

2.2. Server configuration

  • Step 1: Customize Spring Security's GrantedAuthority so that the current user can carry a list of permissions (a domain plus the right granted on it) instead of the single role name it holds by default.

  • Step 2: Create a CustomEvaluatorService that checks whether the current user holds a given permission on a given domain.

  • Step 3: Register that service with Spring Security so that method-level security consults it.
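Steps 1 to 3 above as one added example (my code, not the article's): the custom GrantedAuthority, the evaluator service, its registration with Spring Security's method security, and a UserDetailsService that turns a user's role into that authority list. Assumptions: Spring Boot 3 / Spring Security 6, the hasPermission(domain, permission) form of @PreAuthorize as the place where the service is consulted, and the class names, domain and permission names and the hard-coded role-permission map, which are constructed sample data standing in for the tables in 2.1.

```java
import java.io.Serializable;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

/** Step 1: an authority carrying a (domain, permission) pair instead of a bare role name. */
final class DomainPermission implements GrantedAuthority {
    private final String domain;       // USER, CONTENT, THEME, ...
    private final String permission;   // READ, EDIT, ...

    DomainPermission(String domain, String permission) {
        this.domain = domain.toUpperCase(Locale.ROOT);
        this.permission = permission.toUpperCase(Locale.ROOT);
    }

    /** Case-insensitive match against the arguments of hasPermission(domain, permission). */
    boolean matches(Object domain, Object permission) {
        return domain != null && permission != null
            && this.domain.equals(domain.toString().toUpperCase(Locale.ROOT))
            && this.permission.equals(permission.toString().toUpperCase(Locale.ROOT));
    }

    @Override
    public String getAuthority() {
        return domain + ":" + permission;   // e.g. "USER:READ"; readable in logs and tests
    }
}

/** Step 2: the evaluator consulted by hasPermission(...) inside @PreAuthorize expressions. */
class CustomEvaluatorService implements PermissionEvaluator {
    @Override
    public boolean hasPermission(Authentication auth, Object targetDomain, Object permission) {
        if (auth == null || !auth.isAuthenticated()) {
            return false;   // deny by default: anonymous callers never pass
        }
        return auth.getAuthorities().stream()
                   .filter(DomainPermission.class::isInstance)
                   .map(DomainPermission.class::cast)
                   .anyMatch(p -> p.matches(targetDomain, permission));
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        return hasPermission(auth, targetType, permission);   // no per-object checks in this demo
    }
}

/** Step 3: register the evaluator; without this, method security falls back to a deny-all evaluator. */
@Configuration
@EnableMethodSecurity   // Spring Security 6; on 5.x use @EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {
    @Bean
    static MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new CustomEvaluatorService());
        return handler;
    }
}

/** Builds the user's authority list at login from the role_permission matrix of section 2.1. */
@Service
class RolePermissionUserDetailsService implements UserDetailsService {
    // Constructed sample data standing in for the three tables; the article loads these from the database.
    private static final Map<String, List<DomainPermission>> ROLE_PERMISSIONS = Map.of(
        "STAFF",   grants("USER:READ", "CONTENT:READ", "THEME:READ"),
        "MANAGER", grants("USER:READ", "CONTENT:READ", "THEME:READ", "CONTENT:EDIT", "THEME:EDIT"),
        "ADMIN",   grants("USER:READ", "CONTENT:READ", "THEME:READ", "USER:EDIT", "CONTENT:EDIT", "THEME:EDIT"));
    private static final Map<String, String> USER_ROLE = Map.of("001", "ADMIN", "002", "STAFF");

    private static List<DomainPermission> grants(String... pairs) {
        return Arrays.stream(pairs).map(s -> s.split(":", 2))
                     .map(a -> new DomainPermission(a[0], a[1])).toList();
    }

    @Override
    public UserDetails loadUserByUsername(String username) {
        String role = USER_ROLE.get(username);
        if (role == null) {
            throw new UsernameNotFoundException("no such user: " + username);
        }
        return User.withUsername(username)
                   .password("{noop}secret")   // demo only; the real user table holds a bcrypt hash
                   .authorities(ROLE_PERMISSIONS.get(role))
                   .build();
    }
}
```

Two points worth checking in your own configuration: the evaluator returns false for anything it does not recognise (unknown domain, unknown permission, missing authentication), so a typo in a @PreAuthorize expression fails closed rather than open; and the @Bean method is static, as the Spring Security reference recommends, so the expression handler is created before the method-security infrastructure that depends on it.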

2.3. Define your service

UserService has two methods, one that fetches user information and one that deletes a user. On each method I require the current user to hold the matching permission (READ or EDIT, respectively) on the USER domain.

3. Testing

Declare a controller so that the API can be called from Postman.

Logged in as the Staff account, a call to the localhost:8080/users/delete endpoint fails with HTTP 403 (Forbidden); the same call succeeds when logged in as the Admin account.
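The UserService from section 2.3 and the controller from section 3, as one added example (not the article's code). The in-memory user map, the UserInfo record, the HTTP method and the id parameter on /users/delete are assumptions; the @PreAuthorize expressions rely on a PermissionEvaluator registered for hasPermission(domain, permission) as described in section 2.2.

```java
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

/** What the API returns: never the password hash, only fields a caller with USER:READ should see. */
record UserInfo(String id, String username, String role) { }

@Service
class UserService {
    // Constructed in-memory stand-in for the user table of section 2.1 (the article reads it via JPA).
    private final Map<String, UserInfo> users = new ConcurrentHashMap<>(Map.of(
        "001", new UserInfo("001", "admin", "ADMIN"),
        "002", new UserInfo("002", "staff", "STAFF")));

    /** Listing users needs READ on the USER domain: STAFF, MANAGER and ADMIN all hold it. */
    @PreAuthorize("hasPermission('USER', 'READ')")
    public List<UserInfo> findAll() {
        return List.copyOf(users.values());
    }

    /** Deleting needs EDIT on the USER domain: only ADMIN holds it, so STAFF gets AccessDeniedException. */
    @PreAuthorize("hasPermission('USER', 'EDIT')")
    public boolean delete(String id) {
        return users.remove(id) != null;
    }
}

@RestController
@RequestMapping("/users")
class UserController {
    private final UserService userService;

    UserController(UserService userService) {
        this.userService = userService;
    }

    @GetMapping
    public List<UserInfo> list() {
        return userService.findAll();
    }

    // The article calls this endpoint localhost:8080/users/delete; the HTTP method and id parameter are assumptions.
    @DeleteMapping("/delete")
    public ResponseEntity<Void> delete(@RequestParam String id) {
        return userService.delete(id) ? ResponseEntity.noContent().build()
                                      : ResponseEntity.notFound().build();
    }
}
```

The AccessDeniedException thrown for the Staff account is what Spring Security turns into the 403 seen in Postman. Two caveats when you reproduce the test: @PreAuthorize is enforced by the Spring proxy, so it only protects calls that enter UserService from outside (a method inside UserService calling its own delete() bypasses the check), and with the default configuration non-GET requests are also subject to CSRF protection, so a 403 from Postman may come from the CSRF filter rather than from the permission check; send the CSRF token, or disable CSRF for a stateless API, before concluding that the ACL is working.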


Source: Viblo