Question

I want your help to build a security environment that I think is quite complex, and I'm wondering if I can only use Spring's role hierarchy system or even Spring ACL...

I need to build a security environment with lots of roles, for example:

  • lvl 1 - (group 1, group 2...)
  • lvl 2 - (company 1, company 2...)
  • lvl 3 - (functionality 1, functionality 2...)
  • lvl 4 - (method 1, method 2...)
  • lvl N - (N)

The admin user will create users with dynamic roles for example:

user 1 has = group 1 > company 1 > func 1, func 2 > method 1
user 2 has = group 2 > company 1, company 2 > func 3 > method 1, method 2

This structure can easily grow into even more particular details, and I'm afraid of managing all these things.

Any ideas on how to solve it with Spring Security?


Solution

If it's something really dynamic, then Spring Security ACLs are a good way to do it. For each group, company, func, method, etc., create a granted authority in table ACL_SID.

Then for each user create an entry in ACL_SID with the principal flag set to true.

For each domain object in the system that you want to protect, create an ACL in ACL_OBJECT_IDENTITY and grant the correct privileges by inserting rows in ACL_ENTRY.

It's possible to insert both granting and revoking entries in ACL_ENTRY, and the order matters, meaning it's possible to revoke access to a group in line 0 and that will take precedence over a grant on line 1.

The ACLs can also be composed in hierarchies and can be set to inherit or not from the parent.

In general, ACLs are used whenever role-based access solutions don't provide sufficient flexibility for a given use case.
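As an added example (not code from the original answer or from Spring Security itself), here are the rows the answer describes, populated for user 1 from the question, in Spring Security's reference ACL schema (acl_sid, acl_class, acl_object_identity, acl_entry). The boolean literals follow the PostgreSQL/HSQL variant of that schema; all ids, class names and object identities are assumed sample values.

```sql
-- Added example, not part of the original answer: rows for the user-1 case in
-- the question ("group 1 > company 1 > func 1, func 2 > method 1") laid out in
-- Spring Security's reference ACL schema. Every id, class name and object
-- identity below is a constructed sample value.

-- 1. One non-principal SID per node of the hierarchy (a granted authority).
INSERT INTO acl_sid (id, principal, sid) VALUES (1, FALSE, 'ROLE_GROUP_1');
INSERT INTO acl_sid (id, principal, sid) VALUES (2, FALSE, 'ROLE_COMPANY_1');
INSERT INTO acl_sid (id, principal, sid) VALUES (3, FALSE, 'ROLE_METHOD_1');

-- 2. One principal SID per user (the username Spring Security authenticates).
INSERT INTO acl_sid (id, principal, sid) VALUES (10, TRUE, 'user1');

-- 3. Domain classes that carry ACLs (hypothetical class names).
INSERT INTO acl_class (id, class) VALUES (1, 'com.example.Company');
INSERT INTO acl_class (id, class) VALUES (2, 'com.example.Functionality');

-- 4. Object identities. Company 1 is the parent; func 1 inherits its entries,
--    func 2 deliberately does not, so it must carry its own entries.
INSERT INTO acl_object_identity
  (id, object_id_class, object_id_identity, parent_object, owner_sid, entries_inheriting)
VALUES
  (100, 1, '1', NULL, 10, FALSE),   -- company 1 (root of this subtree)
  (101, 2, '1', 100,  10, TRUE),    -- func 1: inherits entries from company 1
  (102, 2, '2', 100,  10, FALSE);   -- func 2: no inheritance

-- 5. Entries. mask uses Spring's BasePermission values: READ = 1, WRITE = 2.
--    ace_order is evaluated ascending and the first entry that matches both
--    the permission mask and the SID decides, so the WRITE denial at order 0
--    for ROLE_GROUP_1 wins over the WRITE grant at order 1 for the same SID.
INSERT INTO acl_entry
  (id, acl_object_identity, ace_order, sid, mask, granting, audit_success, audit_failure)
VALUES
  (1000, 100, 0, 1,  2, FALSE, FALSE, TRUE),  -- company 1: deny WRITE to ROLE_GROUP_1
  (1001, 100, 1, 1,  2, TRUE,  FALSE, FALSE), -- company 1: grant WRITE to ROLE_GROUP_1 (never reached)
  (1002, 100, 2, 2,  1, TRUE,  FALSE, FALSE), -- company 1: grant READ to ROLE_COMPANY_1
  (1003, 102, 0, 10, 1, TRUE,  FALSE, FALSE); -- func 2: grant READ directly to user1

-- Resulting decisions for user1 (principal SID 10, holding ROLE_GROUP_1 and
-- ROLE_COMPANY_1):
--   READ  on func 1    -> granted, inherited from company 1 (entry 1002)
--   WRITE on company 1 -> denied, entry 1000 matches before entry 1001
--   READ  on func 2    -> granted by its own entry 1003; nothing is inherited
```

At runtime these rows are consulted through the ACL PermissionEvaluator, for example with @PreAuthorize("hasPermission(#func, 'READ')") on a service method; the SIDs are resolved from the authenticated user's username (principal SID) and granted authorities, so adding a new level to the hierarchy means adding one more authority row and the ACL entries that reference it, not new code.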

Licensed under: CC-BY-SA with attribution