Question

I'm quite new to the Spring Security framework, and especially ACLs. After a few hours of reading I think I grasped most of what I need to do to start securing my application.

However, something bothers me: while it's very easy to find usage descriptions on how to read the ACL permissions (via @PreAuthorize for example), it starts getting confusing when you want to create and persist them.

The Spring Security manual tells us they don't want to bother with any standard but we are encouraged to use AOP. Many tutorials and answers here rather use the AclService directly inside their business code, destroying the "separation of concerns" principle in the process.

So what should I do? How do the pros do it? Should I try defining pointcuts on custom annotations for creation/deletion of ACL entries? Or should I "pollute" my code with ACL concerns?


Solution

Alright so I now understand much better, after one week of work, how these things work.

First, one shall try to stick with the simple, naive way of using ACLs using the AclService directly inside each service layer method. Building an abstraction helps a lot (basically a grantAccess(username, object, permission,...) method in a @Service bean).

Once everything is secured with ACL writes and @PreAuthorize/@PostAuthorize/@Secured EL tests, then you can start thinking about AOP to clean up your code from all the security concerns. You make up a list of service methods using ACL writes and you add Advices to them to have one central place where all the security is handled.

Spring Security ACL is extremely easy to set up and understand, even on an existing project with existing users (you'll have to build a migration script).
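One possible shape for the grantAccess abstraction mentioned in the answer, as an added example that is not code from the original post. The package, the class name AclGrantService and the (type, id) parameters are assumptions; it expects a MutableAclService bean and an authenticated principal in the security context.

```java
package example.acl; // hypothetical package

import java.io.Serializable;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.AccessControlEntry;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
public class AclGrantService { // hypothetical name

    private final MutableAclService aclService;

    public AclGrantService(MutableAclService aclService) {
        this.aclService = aclService;
    }

    /** Grants one permission on one domain object to one user, idempotently. */
    @Transactional // JdbcMutableAclService requires an active transaction
    public void grantAccess(String username, Class<?> type, Serializable id, Permission permission) {
        ObjectIdentity oid = new ObjectIdentityImpl(type, id);
        Sid sid = new PrincipalSid(username);

        MutableAcl acl;
        try {
            acl = (MutableAcl) aclService.readAclById(oid);
        } catch (NotFoundException e) {
            // First grant on this object: the current principal becomes the ACL owner.
            acl = aclService.createAcl(oid);
        }

        // Skip the write if an identical granting entry exists, so retries do not pile up ACEs.
        for (AccessControlEntry ace : acl.getEntries()) {
            if (ace.isGranting() && ace.getSid().equals(sid) && ace.getPermission().equals(permission)) {
                return;
            }
        }
        // Append at the end: earlier entries (including deny entries) keep precedence.
        acl.insertAce(acl.getEntries().size(), permission, sid, true);
        aclService.updateAcl(acl);
    }
}
```

Keeping every ACL write behind one bean like this gives a single place to audit grants, and it is the method an AOP advice would call once the security concerns are moved out of the service layer.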

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow