
A simple Spring Security 3.0 ACL Tutorial

In October 2008 Polish developer Grzegorz Borkowski published a simple Spring ACL (Access Control List) tutorial based on Spring Security 2.0. The great thing about this tutorial is that it shows a Spring ACL example without a backing database. Not every ACL implementation needs a database; consider a filesystem where the ACLs are stored in the file metadata.

Although the changes in Spring Security 3.0 were not that great, the tutorial no longer worked “out of the box”. I've updated Grzegorz's code as simply as possible so that it now runs on v3.0. I've also included some additional notes.

The main change is to BasePermission, which no longer registers itself with the Spring Security subsystem. Instead the permission class is handed to a PermissionFactory (DefaultPermissionFactory), which does the registration. In this implementation the PermissionFactory does nothing beyond that. Normally the readAclsById method would be implemented in a class implementing the LookupStrategy interface, the PermissionFactory would be injected into that class, and the LookupStrategy would in turn be injected into the service layer.

Method Calls

Spring calls the InMemoryAclServiceImpl constructor when it reads the spring-security.xml file to create the bean. The constructor:

  • creates four object identities, empl1 to empl4
  • creates ACLs granting the ExtendedPermission ACCEPT: the ACLs for the object identities of employees 1 and 2 grant it to manager1, those for employees 3 and 4 grant it to manager2
  • puts these ACLs into a Map for later retrieval

In the test, before the accept-report (mgr1/empl1) and similar methods are called, Spring Security makes the following calls:


There is a single ObjectIdentity, empl1 of type User.class, and two Sids: a PrincipalSid for manager1 and a GrantedAuthoritySid for ROLE_MANAGER.

The ObjectIdentity is added to a list and InMemoryAclServiceImpl.readAclsById(List<ObjectIdentity>, List<Sid>) (the AclService method with that signature) is called. The Sids are ignored in this method, as they are in the JDBC implementation.

We loop over the list of ObjectIdentities (there is only one, empl1) to see whether any of the ACLs created in the constructor belongs to that ObjectIdentity. The result is a Map<ObjectIdentity, Acl>; here acl1 is matched to empl1.


The ACL's isGranted method is then called with a Permission list containing ExtendedPermission.ACCEPT, the two Sids from the call above (the PrincipalSid manager1 and the GrantedAuthoritySid), and administrativeMode set to false.

For each Permission and for each Sid we loop over the AccessControlEntry list (here there is a single ACE, ace1, carrying the extended permission configured in the constructor above for the PrincipalSid manager1) looking for an entry that grants the permission. In this case it does.
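The constructor walk-through and the readAclsById/isGranted walk-through above, condensed into one runnable in-memory AclService. This is an added example written against the Spring Security 3.0.x API; it is not Grzegorz's code or the source this page refers to. The class and field names (InMemoryAclService, ExtendedPermission.ACCEPT on bit 5, the placeholder User class, the ROLE_ADMINISTRATOR authority used while the ACLs are built) are my assumptions, and the ACL ids and employee ids 1 to 4 are constructed sample data. Because there is no LookupStrategy here, the DefaultPermissionFactory sits directly in the service.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.acls.domain.*;
import org.springframework.security.acls.model.*;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.context.SecurityContextHolder;

/** Assumed custom permission: BasePermission uses bits 0-4, so ACCEPT takes bit 5 (mask 32, code 'A'). */
class ExtendedPermission extends BasePermission {
    public static final Permission ACCEPT = new ExtendedPermission(1 << 5, 'A');

    protected ExtendedPermission(int mask, char code) {
        super(mask, code);
    }
}

/** Placeholder for the tutorial's domain class; only its class name ends up in the ObjectIdentity. */
class User {
}

/** AclService whose ACLs are built once in the constructor and kept in a Map: no LookupStrategy, no database. */
public class InMemoryAclService implements AclService {
    private final Map<ObjectIdentity, Acl> acls = new HashMap<ObjectIdentity, Acl>();

    // 3.0: the factory registers the public static Permission fields of the class (inherited ones too),
    // indexed by mask and by field name; BasePermission no longer registers itself.
    private final PermissionFactory permissionFactory = new DefaultPermissionFactory(ExtendedPermission.class);

    // AclImpl.insertAce() runs the strategy's securityCheck(CHANGE_GENERAL), so building the ACLs needs an
    // authenticated principal that owns the ACL or holds the "general changes" authority (third argument).
    private static final GrantedAuthorityImpl ADMIN = new GrantedAuthorityImpl("ROLE_ADMINISTRATOR");
    private final AclAuthorizationStrategy authorizationStrategy = new AclAuthorizationStrategyImpl(ADMIN, ADMIN, ADMIN);

    public InMemoryAclService() {
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("system", "n/a", "ROLE_ADMINISTRATOR"));
        try {
            Sid manager1 = new PrincipalSid("manager1");
            Sid manager2 = new PrincipalSid("manager2");
            addAcl(new ObjectIdentityImpl(User.class, 1L), 1L, manager1); // empl1, empl2: manager1 may ACCEPT
            addAcl(new ObjectIdentityImpl(User.class, 2L), 2L, manager1);
            addAcl(new ObjectIdentityImpl(User.class, 3L), 3L, manager2); // empl3, empl4: manager2 may ACCEPT
            addAcl(new ObjectIdentityImpl(User.class, 4L), 4L, manager2);
        } finally {
            SecurityContextHolder.clearContext(); // ACLs are built; drop the bootstrap principal again
        }
    }

    private void addAcl(ObjectIdentity oid, long aclId, Sid grantee) {
        AclImpl acl = new AclImpl(oid, Long.valueOf(aclId), authorizationStrategy, new ConsoleAuditLogger());
        Permission accept = permissionFactory.buildFromName("ACCEPT"); // resolves to ExtendedPermission.ACCEPT
        acl.insertAce(acl.getEntries().size(), accept, grantee, true);  // a single granting ACE
        acls.put(oid, acl);
    }

    /** Sids are ignored, as in JdbcAclService; every requested identity must be known, else NotFoundException. */
    public Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, List<Sid> sids) {
        Map<ObjectIdentity, Acl> result = new HashMap<ObjectIdentity, Acl>();
        for (ObjectIdentity oid : objects) {
            Acl acl = acls.get(oid); // ObjectIdentityImpl equality is type + identifier
            if (acl == null) {
                throw new NotFoundException("Unable to find ACL information for object identity " + oid);
            }
            result.put(oid, acl);
        }
        return result;
    }

    public Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects) {
        return readAclsById(objects, null);
    }

    public Acl readAclById(ObjectIdentity object, List<Sid> sids) {
        return readAclsById(Arrays.asList(object), sids).get(object);
    }

    public Acl readAclById(ObjectIdentity object) {
        return readAclById(object, null);
    }

    public List<ObjectIdentity> findChildren(ObjectIdentity parentIdentity) {
        return null; // no parent/child relationships in this store
    }

    public static void main(String[] args) {
        InMemoryAclService service = new InMemoryAclService();
        List<Permission> accept = Arrays.asList(ExtendedPermission.ACCEPT);
        List<Sid> manager1 = Arrays.<Sid>asList(new PrincipalSid("manager1"), new GrantedAuthoritySid("ROLE_MANAGER"));
        Acl acl = service.readAclById(new ObjectIdentityImpl(User.class, 1L), manager1);
        System.out.println("manager1 ACCEPT empl1: " + acl.isGranted(accept, manager1, false));
        try { // manager2 has no ACE on empl1: isGranted throws rather than returning false
            acl.isGranted(accept, Arrays.<Sid>asList(new PrincipalSid("manager2")), false);
        } catch (NotFoundException e) {
            System.out.println("manager2 ACCEPT empl1: " + e.getMessage());
        }
    }
}
```

Two things the walk-through above glosses over. First, mutating an AclImpl is itself access-controlled: insertAce calls the AclAuthorizationStrategy's security check, so the constructor needs an authenticated principal in the SecurityContextHolder while it builds the entries (here a ROLE_ADMINISTRATOR TestingAuthenticationToken, cleared in the finally block). Second, when no ACE matches any of the supplied Sids and there is no parent ACL to inherit from, AclImpl.isGranted does not return false but throws NotFoundException; a false return only comes from an explicit denying ACE. The Map lookup works because ObjectIdentityImpl's equals and hashCode are based on the type name and identifier, so the fresh ObjectIdentityImpl(User.class, 1L) built in main finds the ACL created in the constructor.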

Source Code:

tech/java/spring-security-3.0-acl-tutorial.txt · Last modified: 2011/04/29 15:00 by davidof