开发者

Is Spring ACL a good ACL implementation? [closed]

开发者 https://www.devze.com 2023-01-20 18:51 出处:网络
Closed. This question is opinion-based. It is not currently accepting answers. 开发者_Python百科 Want to improve this question? Update the question so it can be answered with facts and cita
Closed. This question is opinion-based. It is not currently accepting answers. 开发者_Python百科

Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.

Closed 7 years ago.

Improve this question

I have read about Spring ACL but it does not seem to be very competent. For example:

  1. No way to list all objects of type X with permission Y
  2. No way to automatically create the schemas for new deployments

What are you using for ACL? Is it clever to have the ACL so decoupled from the domain model?


We attempted to use the Spring ACL model and found it unwieldy. We ended up rolling our own, much simpler (but also less generic), implementation and then writing the Spring Security pieces (accessDecisionManagers, Voters, Interceptors) to handle our schema. Hope that helps.


You might want to have a look at Apache Shiro.

From the site: Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.

Many people prefer the way Shiro handles permissions


If using Hibernate, you can automatically run the acl schema against the db by adding this to persistence.xml:

<property name="hibernate.hbm2ddl.import_files" value="/import.sql"/>

<property name="hibernate.hbm2ddl.import_files_sql_extractor" value="org.hibernate.tool.hbm2ddl.MultipleLinesSqlCommandExtractor" />

and adding the schema to /resources/import.sql

You can list all objects of type X with permission Y like this:

select 
  *
from acl_entry a 
join acl_object_identity b on a.acl_object_identity = b.id
join acl_class c on b.object_id_class = c.id
where
  class = X
  and mask = Y

However, Spring Security ACL is fundamentally flawed in terms of Row Security, due to pagination issues. You should do Row Security in the database with views or built-in tools if your db supports them.

0

精彩评论

暂无评论...
验证码 换一张
取 消