Using Spring Security ACL - how to assign READ permission for an object to all users (registered and anonymous)?

Question

What is the best way to give all users (registered and anonymous) READ permission for an object? I am working on a system where users can create items that are viewable by anyone, but only editable by the creator or admin users.

One solution that comes to mind is Spring gives unauthenticated users role ROLE_ANONYMOUS, I can change it to be ROLE_USER and give and also give it to all of my authenticated users, that way everyone is ROLE_USER. Then all the publicly viewable entities would get READ permission inserted for ROLE_USER and from there I can use groups (GrantedAuthoritySid) to determine whether you have access or not (everyone would have access).

I am wondering if there a better way to achieve that without giving READ permission to ROLE_USER over each public object?

Answer 1

If the objects in question can be viewed by anyone then you do not need to apply ACL to them. Apply ACL only to operations that modify such objects.

If the visibility (public/private) is configurable per object, you can use dedicated flag for it and drive visibility by this flag (e.g. by means of expression-based access control).

However, if you wanna stick to ACL also for such objects, you can create dedicated role (e.g. ROLE_READER) and assign the role dynamically to both anonymous and authenticated users when being authenticated.

See class org.springframework.security.core.authority.mapping.SimpleAuthorityMapper that can be configured with default authority (ROLE_READER in your case) to be assigned to all users. Then use the mapper during your authentication process. Since you did not specify the way your users are being authenticated, I suppose username/password schema and default org.springframework.security.authentication.dao.DaoAuthenticationProvider. if you look at that class closely, you find out that you can set an authority mapper to be used.

In case of anonymous users, you can set default authorities as constructor parameter of org.springframework.security.web.authentication.AnonymousAuthenticationFilter.