In October 2008 Polish developer Grzegorz Borkowski published a simple Spring ACL (Access Control List) tutorial based on Spring Security 2.0. The great thing about this tutorial is that it shows a Spring ACL example without using a backing database. Not every ACL example will need a database: what about a filesystem where ACLs are stored in the file metadata?
Although the changes in Spring Security 3.0 were not that great, the tutorial no longer worked “out of the box”. I've updated Grzegorz's code as simply as possible so that it now runs on v.3. I've also included some additional notes.
The main change is to BasePermission, which no longer registers itself with the Spring Security subsystem. Instead it is injected into a PermissionFactory, which does the registration. This class doesn't really do any more in this implementation. Normally we would implement the readAclById method in a class implementing the LookupStrategy interface, and the PermissionFactory would be injected into this class. The LookupStrategy would then be injected into the Service Layer.
Spring will call the InMemoryAclServiceImpl constructor when reading the spring-security.xml file to create the bean.
In the test, before the accept report (mgr1/empl1) etc. methods are called, Spring Security has injected the following calls:
There is a single ObjectIdentity: empl1 / User.class and two Sids → PrincipalSid: manager1 and ROLE_MANAGER
The ObjectIdentity is added to a list and the method InMemoryAclServiceImpl.readAclById(List<ObjectIdentity>, List<Sid>) is called. Sids are ignored in this method (this is the same as the Jdbc implementation).
We loop over the list of objects (there is only one, empl1) to see if any of the Acls created in the constructor contains the ObjectIdentity. The result is a Map of <ObjectIdentity, Acl>. We match with “acl1” → empl1.
Permission contains ExtendedPermission.Accept, Sids are Principal:manager1 and GrantedAuthoritySid:manager, administrativeMode is false. For each Permission and for each Sid we loop over the AccessControlEntry list (here we have our extended permission, configured for ace1 in the constructor above, and the principal sid is manager1), looking to see if the permission is granted. Which it is, in this case.
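The lookup and permission check walked through above, as a dependency-free Java model; this is an added example, not code from Grzegorz's tutorial or from Spring Security. The record types, the ACCEPT mask value and the deny-when-nothing-matches behaviour are assumptions made for illustration.

```java
import java.util.*;
// Simplified model of the walkthrough above. These records are illustrative
// stand-ins, not Spring Security classes. Requires Java 16+.
public class InMemoryAclModel {
    record ObjectId(String type, String id) {}
    record Sid(String kind, String name) {}   // kind: "principal" or "authority"
    record Ace(Sid sid, int mask, boolean granting) {}
    record Acl(ObjectId oid, List<Ace> entries) {}

    static final int READ = 1;
    static final int ACCEPT = 1 << 5;         // constructed mask for the custom permission
    private final List<Acl> acls = new ArrayList<>();

    InMemoryAclModel() {                      // ACLs are built once, in the constructor
        Ace ace1 = new Ace(new Sid("principal", "manager1"), ACCEPT, true);
        acls.add(new Acl(new ObjectId("User", "empl1"), List.of(ace1)));
    }

    // Sids are ignored at lookup time, as in the tutorial's readAclById.
    Map<ObjectId, Acl> readAclsById(List<ObjectId> objects, List<Sid> sids) {
        Map<ObjectId, Acl> found = new HashMap<>();
        for (ObjectId o : objects)
            for (Acl a : acls)
                if (a.oid().equals(o)) found.put(o, a);
        return found;
    }

    // For each permission and each sid, the first ACE matching both decides.
    static boolean isGranted(Acl acl, List<Integer> masks, List<Sid> sids) {
        if (acl == null) return false;        // model choice: no ACL means deny
        for (int mask : masks)
            for (Sid sid : sids)
                for (Ace ace : acl.entries())
                    if (ace.mask() == mask && ace.sid().equals(sid)) return ace.granting();
        return false;                         // model choice: no matching ACE means deny
    }

    public static void main(String[] args) {
        InMemoryAclModel svc = new InMemoryAclModel();
        ObjectId empl1 = new ObjectId("User", "empl1"), empl2 = new ObjectId("User", "empl2");
        Sid role = new Sid("authority", "ROLE_MANAGER");
        List<Sid> mgr1 = List.of(new Sid("principal", "manager1"), role);
        List<Sid> mgr2 = List.of(new Sid("principal", "manager2"), role);
        Map<ObjectId, Acl> found = svc.readAclsById(List.of(empl1, empl2), mgr2);
        System.out.println(isGranted(found.get(empl1), List.of(ACCEPT), mgr1)); // the case in the text
        System.out.println(isGranted(found.get(empl1), List.of(ACCEPT), mgr2)); // same role, other principal
        System.out.println(isGranted(found.get(empl1), List.of(READ), mgr1));   // permission with no ACE
        System.out.println(isGranted(found.get(empl2), List.of(ACCEPT), mgr1)); // object with no ACL
    }
}
```

Because the lookup ignores Sids, the ACL for empl1 is returned whoever asks; the per-Sid filtering happens only in the check, which is why the second and third calls exercise a principal and a permission that have no entry.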
http://grzegorzborkowski.blogspot.com/2008/10/spring-security-acl-very-basic-tutorial.html
Source Code: springacl.zip