I'm trying to set up our custom version of spring-security but I can't quite understand why an ACL has an identifier that is even supposed to be a primary key if, as I understand it, an ACL itself is never persisted directly in any way but is rather a view on a subset of `ACL_Entry`s.
As far as I understand it, an `ACL` is an access control list. Meaning a list of `SID`s having `Permission`s for `OID`s. Right?
The underlying data structure used by spring-security defines an `SID` and an `OID` (in combination with a `Class` identifier). Those two together with a permission and the granting flag are called an access control entry or `ACE` and get persisted inside the `acl_entry` entity.
Inside the application I ask spring-security (or rather my own implementations of their interfaces) to get me all permission settings for a set of OIDs and SIDs and the result is a list contrived of SID-OID-permission-granting entries (aces) and thus called access control list. Now really I don't see how or why any kind of id comes into play here.
Am I missing something important?! Please help me understand!
Is it maybe that one SID has a number of OID+permission+granting entries and thus is owner of its ACL? Or one OID has its SIDs and their permissions assigned to grouped into one ACL?
Also: What's all this hierarchy and parent stuff supposed to do? I guess it has to do with my identifier question, but I don't really see how acls can be hierarchical, if an acl is just a temporary subset. And why would I want to have a hierarchy between acls anyway?
Edit:
Apparently the solution to half my question is: An ACL is identified via the OID's primary key as one ACL always shows how that Object can be accessed.
However I still wonder why I would need a hierarchy or an owner for that matter.
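The following is an added example, not part of the question above and not Spring Security's own code. It rebuilds, in SQLite, tables modelled on Spring Security's JDBC ACL schema (`acl_sid`, `acl_class`, `acl_object_identity`, `acl_entry`; the column set is an assumption and deliberately simplified) and shows the three things the question is asking about: the ACL id is the primary key of the `acl_object_identity` row for one secured object, that row carries an `owner_sid`, and it may point at a `parent_object` so that an object with no ACE of its own inherits decisions from its parent. The `is_granted` walk is a simplified version of Spring's default first-match rule (assumption); the sample objects, SIDs and masks are constructed for the demonstration.

```python
import sqlite3

# Tables modelled on Spring Security's JDBC ACL schema (assumption: simplified,
# this is not the project's own DDL). The ACL "id" is acl_object_identity.id:
# one row per secured object, carrying its owner and an optional parent ACL.
SCHEMA = """
CREATE TABLE acl_sid (id INTEGER PRIMARY KEY, principal INTEGER NOT NULL, sid TEXT NOT NULL UNIQUE);
CREATE TABLE acl_class (id INTEGER PRIMARY KEY, class TEXT NOT NULL UNIQUE);
CREATE TABLE acl_object_identity (
    id INTEGER PRIMARY KEY,
    object_id_class INTEGER NOT NULL REFERENCES acl_class(id),
    object_id_identity TEXT NOT NULL,
    parent_object INTEGER REFERENCES acl_object_identity(id),
    owner_sid INTEGER NOT NULL REFERENCES acl_sid(id),
    entries_inheriting INTEGER NOT NULL,
    UNIQUE (object_id_class, object_id_identity)
);
CREATE TABLE acl_entry (
    id INTEGER PRIMARY KEY,
    acl_object_identity INTEGER NOT NULL REFERENCES acl_object_identity(id),
    ace_order INTEGER NOT NULL,
    sid INTEGER NOT NULL REFERENCES acl_sid(id),
    mask INTEGER NOT NULL,
    granting INTEGER NOT NULL
);
"""

READ, WRITE = 1, 2  # bit masks as in Spring's BasePermission.READ / WRITE (assumption: subset)


def build_sample_db():
    """Constructed sample data: a folder owned by alice and a document inside it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO acl_sid VALUES (?,?,?)",
                     [(1, 1, "alice"), (2, 1, "bob"), (3, 0, "ROLE_AUDITOR")])
    conn.executemany("INSERT INTO acl_class VALUES (?,?)",
                     [(1, "com.example.Folder"), (2, "com.example.Document")])
    # ACL 100: Folder 10, owned by alice, no parent.
    # ACL 200: Document 42, owned by alice, parent = ACL 100, inherits entries.
    conn.executemany("INSERT INTO acl_object_identity VALUES (?,?,?,?,?,?)",
                     [(100, 1, "10", None, 1, 0), (200, 2, "42", 100, 1, 1)])
    conn.executemany("INSERT INTO acl_entry VALUES (?,?,?,?,?,?)", [
        (1, 100, 0, 2, READ, 1),    # bob may read the folder
        (2, 100, 1, 3, READ, 1),    # auditors may read the folder
        (3, 200, 0, 2, WRITE, 0),   # bob is explicitly denied write on the document
        (4, 200, 1, 2, WRITE, 1),   # never reached: the first matching ACE decides
    ])
    return conn


def acl_id_for(conn, class_name, identity):
    """An object's ACL is located through its (class, identity) pair, i.e. the OID."""
    row = conn.execute(
        "SELECT oi.id FROM acl_object_identity oi JOIN acl_class c ON c.id = oi.object_id_class "
        "WHERE c.class = ? AND oi.object_id_identity = ?", (class_name, identity)).fetchone()
    return None if row is None else row[0]


def sid_ids(conn, names):
    rows = conn.execute(
        "SELECT id FROM acl_sid WHERE sid IN (%s)" % ",".join("?" * len(names)), names).fetchall()
    return [r[0] for r in rows]


def is_granted(conn, acl_id, sid_names, mask):
    """Walk from the object's ACL up through parents. In each ACL the first ACE
    matching (sid, mask) decides; a grant returns True, a deny stops the walk.
    With no matching ACE, continue to the parent only if entries_inheriting is set.
    (Simplified version of Spring's default granting strategy; assumption.)"""
    sids = sid_ids(conn, sid_names)
    current = acl_id
    while current is not None:
        row = conn.execute("SELECT parent_object, entries_inheriting FROM acl_object_identity "
                           "WHERE id = ?", (current,)).fetchone()
        if row is None:
            raise LookupError("no ACL with id %r" % current)
        parent, inheriting = row
        rejected = False
        for sid in sids:
            ace = conn.execute(
                "SELECT granting FROM acl_entry WHERE acl_object_identity = ? AND sid = ? "
                "AND mask = ? ORDER BY ace_order LIMIT 1", (current, sid, mask)).fetchone()
            if ace is not None:
                if ace[0]:
                    return True
                rejected = True
        if rejected or not inheriting:
            return False
        current = parent
    return False  # no ACE anywhere in the chain: deny by default


def is_owner(conn, acl_id, sid_name):
    """The owner is stored on the ACL itself, separately from its entries; this is
    what lets an owner administer the ACL even without any ACE of their own."""
    row = conn.execute("SELECT s.sid FROM acl_object_identity oi JOIN acl_sid s ON s.id = oi.owner_sid "
                       "WHERE oi.id = ?", (acl_id,)).fetchone()
    return row is not None and row[0] == sid_name


if __name__ == "__main__":
    db = build_sample_db()
    doc = acl_id_for(db, "com.example.Document", "42")
    print("bob reads document via parent:", is_granted(db, doc, ["bob"], READ))
    print("bob writes document (denied):", is_granted(db, doc, ["bob"], WRITE))
    print("alice owns document ACL:", is_owner(db, doc, "alice"))
```

Running it shows why the hierarchy is worth having: the document carries no READ entry at all, yet bob and the auditor role can read it because its ACL inherits from the folder's ACL, while the explicit deny on the document still wins for WRITE. The owner is resolved from the ACL row, not from the entries, which is why alice needs no ACE to be recognised as the owner.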