Spring Security - role overflow and ACL trapping?

I have a three-tier application that requires security permissions to be placed on different domain objects.

Whether I use Spring's ACL implementation or roll my own, it seems to me that ACL-based security can only be used to authorize (service) methods and cannot be used to authorize URLs or web service requests. I think this is because, how would the web service call check the ACL before it has unmarshalled the XML payload? In addition, all of the Spring web security access examples in the Spring documentation use role-based URL protection.

Is it typical to use Spring roles to protect web presentations and web service calls while using ACLs to protect business methods? Is this too much?

+3
1 answer

Is it typical to use Spring roles to protect web presentations and web service calls, while using ACLs to protect business methods?

Yes.

This is easy to do in your controller by combining request mappings and @Secured annotations:

import org.springframework.security.access.annotation.Secured;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@RequestMapping("/some/url")
@Secured({"ROLE_GET_THE_DATA"})   // caller must hold this authority, checked by method security
public ModelAndView getTheData(HttpServletRequest request,
                               HttpServletResponse response) throws Exception {
    // get the data
    // return it in your mav
    return new ModelAndView("theData");
}

Adding @Secured annotations to the data access objects (DAOs) completes the security setup.

Is this too much?


+3
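The layering the answer describes, as an added example that is not code from the original question, the answer or the Spring documentation: role-based rules on URLs in the filter chain, @Secured on the controller, and per-object ACL checks (hasPermission) on the service methods, in Spring Security 6 Java configuration. The class names, the /docs/** and /ws/** URLs, the Document type and the "constructed" documents returned by the service are all illustrative assumptions; an AclService bean (for example a JdbcMutableAclService backed by the standard acl_* tables) is assumed to be wired elsewhere. One caveat the answer leaves implicit: @Secured does nothing unless method security is enabled with securedEnabled = true, otherwise the annotation is silently ignored and only the URL rule stands between the caller and the data.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.acls.AclPermissionEvaluator;
import org.springframework.security.acls.model.AclService;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

// Added example, not the original post's code. Names and URLs are assumptions.
@Configuration
@EnableWebSecurity
@EnableMethodSecurity(securedEnabled = true) // without securedEnabled, @Secured is ignored
public class SecurityConfig {

    // Tier 1: coarse, role-based URL protection. The filter chain sees only the
    // URL and the caller's authorities; the domain object the request is about is
    // not known yet (the payload is still raw), so no ACL check is possible here.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/ws/**").hasRole("WS_CLIENT")   // expects authority ROLE_WS_CLIENT
                .requestMatchers("/docs/**").hasRole("USER")      // expects authority ROLE_USER
                .anyRequest().authenticated())
            .httpBasic(withDefaults());
        return http.build();
    }

    // Makes hasPermission(...) in @PreAuthorize/@PostFilter consult the ACL tables.
    // The AclService bean is assumed to be defined elsewhere in the application.
    @Bean
    static MethodSecurityExpressionHandler methodSecurityExpressionHandler(AclService aclService) {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new AclPermissionEvaluator(aclService));
        return handler;
    }
}

// Hypothetical domain object. The ACL identity strategy locates the object id
// through a getId() accessor, so the class exposes one.
class Document {
    private final Long id;
    private final String title;
    Document(Long id, String title) { this.id = id; this.title = title; }
    public Long getId() { return id; }
    public String getTitle() { return title; }
}

// Tier 2: the controller is reachable only with ROLE_USER (see filter chain) and
// demands the same role again via @Secured. It knows nothing about per-object
// permissions; it just hands the identifier down to the service.
@RestController
class DocumentController {
    private final DocumentService docs;
    DocumentController(DocumentService docs) { this.docs = docs; }

    @GetMapping("/docs/{id}")
    @Secured("ROLE_USER")
    public Document get(@PathVariable Long id) { return docs.read(id); }

    @GetMapping("/docs")
    @Secured("ROLE_USER")
    public List<Document> list() { return docs.findAll(); }
}

// Tier 3: per-object ACL checks on the business methods. By the time these run
// the request is unmarshalled and the object identity is known, which is exactly
// what an ACL lookup needs. The type string must match the acl_class entry
// (here the class name "Document", since the class is in the default package).
@Service
class DocumentService {
    // Evaluated before the call, from the id and type alone: the object need not be loaded.
    @PreAuthorize("hasPermission(#id, 'Document', 'READ')")
    public Document read(Long id) {
        return new Document(id, "doc-" + id); // constructed stand-in for a repository call
    }

    // Evaluated after the call: entries the caller lacks READ on are removed from the list.
    @PostFilter("hasPermission(filterObject, 'READ')")
    public List<Document> findAll() {
        return List.of(new Document(1L, "a"), new Document(2L, "b")); // constructed sample data
    }
}
```

The split is not redundant: the URL rule and @Secured reject anonymous or wrongly-roled callers cheaply before any parsing, while the ACL on the service method is the only place that can answer "may this user read document 42", because only there is the object identity available. Note that @PostFilter performs one ACL evaluation per returned element, so for large result sets it is better to push the permission filter into the query than to rely on post-filtering.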

Source: https://habr.com/ru/post/1747918/

