spring-security-acl

Spring Boot with AclPermissionEvaluator resulting in IllegalStateException: No ServletContext set

天大地大妈咪最大 submitted on 2020-02-04 05:25:12
Question: Hello experts, I'm currently learning Spring Boot and I want to use it with Spring Security ACL. Following the documentation of Spring Security and a tutorial on Baeldung.com, I think I got an understanding about what is needed. I also looked into the DMS example of Spring. I stumbled across another example by searching for a solution. Based on this information, I have built my application. For reference, you can find the current application on GitHub. The current issue: When I start the

How to get a List of Objects that a user can access using ACLs related tables

99封情书 submitted on 2019-12-22 05:34:08
Question: I'm designing a system that has a lot of requirements around user management/permissions, so I decided to use Spring Security ACL to manage the permissions at the Domain Objects level. Although, using ACLs to maintain the relations between Users and Entities forces us to rely on that to present the data on the UI. The PostFilter solution that is provided by Spring Security does a good job filtering the objects that a User can/cannot see but it has a big performance issue when we're dealing

Using Spring Security ACL with Spring Data REST

孤者浪人 submitted on 2019-12-20 08:38:55
Question: I am trying to authorize APIs exposed by Spring Data REST. So far I am able to do role-based authorization i.e: @RepositoryRestResource(path = "book") public interface BookRepository extends JpaRepository<Book, Long> { @PreAuthorize("hasRole('ROLE_ADMIN')") <S extends Book> Book save(Book book); } Also in the same project I have a service layer with ACL mechanism, which is working. I am unable to use PostFilter expression with Spring Data REST i.e: @PostFilter("hasPermission(filterObject,

How to implement ACL spring security to share an object among group of users without creating many entries in ACL_Entry table

拥有回忆 submitted on 2019-12-12 02:49:28
Question: Similar to the problem mentioned below: How to implement ACL at a group level? E.g. only teachers in school A can update school A's calendar. I am trying to solve the scenario below using Spring Security ACL. We have a scenario to share the students' results with a group of teachers. In this scenario, when a teacher logs in he can see the result only if the teacher has read permission on the Result object. If we need to share the result with a group of teachers having 10 members in the group with read permission we

Spring Security ACL on App Engine Datastore

只愿长相守 submitted on 2019-12-11 02:12:08
Question: We are using Spring Security ACL infrastructure in conjunction with App Engine Datastore. We do not use low-level Datastore API but rather we use Objectify framework to access Datastore. We need to transform Spring Security ACL model (suitable for RDBMS) into model more suitable for schema-less object-oriented Datastore. So far we have ended up with two entities described below. Acl id: Long domainObject: Key (ancestor/parent) entries: List<AclEntry> (embedded) owner: String AclEntry sid:

How to implement ACL at a group level? E.g. only teachers in school A can update school A's calendar

巧了我就是萌 submitted on 2019-12-08 12:03:55
Question: Trying to solve the following problem using Spring Security ACL: only teachers in school A can update school A's calendar. Is it possible to implement such permission structure without adding an ACL entry for each teacher to have update permission over that school's calendar (approach #1)? Or is it possible to define school A group, assign every teacher in that school to that group and give the group write permission over the school's calendar (approach #2)? Approach #2 is preferable because

How can I paginate with Spring Security, Hibernate and row level ACL

纵饮孤独 submitted on 2019-12-05 01:38:15
Question: I'm reading about Spring Security and wonder whether it's possible to use Spring ACL together with Hibernate and pagination. The resulting SQL is surely scary but possible to be auto-generated. It's even possible to use hierarchical ACL if the database supports recursive query evaluation. Using a post filter is no solution since it breaks pagination and is an unnecessary overhead compared to ACL filtering inside the database. So I actually have the pieces to build a solution. I want to know

How can I paginate with Spring Security, Hibernate and row level ACL

a 夏天 submitted on 2019-12-03 15:12:58
I'm reading about Spring Security and wonder whether it's possible to use Spring ACL together with Hibernate and pagination. The resulting SQL is surely scary but possible to be auto-generated. It's even possible to use hierarchical ACL if the database supports recursive query evaluation. Using a post filter is no solution since it breaks pagination and is an unnecessary overhead compared to ACL filtering inside the database. So I actually have the pieces to build a solution. I want to know whether somebody has already done it. Links: Similar question from 2012 without response link list

When should I implement Spring Security ACL in my application?

我的梦境 submitted on 2019-12-03 08:08:41
Question: Spring Security ACL looks very powerful, and easy to implement when you can stick to their database implementation. However it appears to become much more complicated when you have to implement your own Acl and AclService (see for example this (old) very basic tutorial of only ~26 pages) and it seems difficult to find references and examples for it (that tutorial was from 2008). In our application for example, users have roles and belong to departments. Most of the time, they are allowed to

When should I implement Spring Security ACL in my application?

|▌冷眼眸甩不掉的悲伤 submitted on 2019-12-03 02:10:16
Spring Security ACL looks very powerful, and easy to implement when you can stick to their database implementation. However it appears to become much more complicated when you have to implement your own Acl and AclService (see for example this (old) very basic tutorial of only ~26 pages) and it seems difficult to find references and examples for it (that tutorial was from 2008). In our application for example, users have roles and belong to departments. Most of the time, they are allowed to perform some operations on objects that belong to their department based on their roles. In all cases,