Springsecurity ACL Persistence: hibernate Implementation of spring Security ACL

This article focuses on how to use hibernate in the micrite
Medium
Implement the SS (Spring Security) ACL, the software version is spring-security-2.0.5.RELEASE
And micrite-0.11
. Implementation
The following three examples are used for reference:

• Contacts
  Contact Management (important reference)
  The official SS example controls the permissions of different users to view, modify, delete, and manage contacts.
• DMS
  Document Management System
  In the official SS example, compared with contract, the function is relatively simple and mainly reflects the concept of ACL inheritance. For example, the ACL permission of a document can inherit the permission of its directory.
• Springstart
  Account Management for employees and customers (important reference)
  The postgresql-based example provided by denksoft is described in detail.
  .

They all use the default ss jdbc for ACL data persistence, while the micrite persistence layer uses hibernate. To implement ACL, You need to implement the default SS
ACL data persistence interface, otherwise there will be two persistence methods in a system (like springstart), which is a bit unacceptable.
The SS development team once discussed this issue. It seems that there is no change plan in the short term. Therefore, you can only do it yourself.

Create a table

To implement the ACL, you need to create the following four tables:
acl_sid
acl_class
acl_object_identity
acl_entry

For more information about the table structure, see schema.
Documentation
And er
Digoal
(Based on derby ).
Micrite uses Velocity
Template
Multiple database scripts are generated and saved in the following directory of the installation package.
path: ./dbscripts

Create object class

In addition to creating the corresponding entity classes for the above four tables, create an abstract class abstractsecureobject.
,
If multiple ACL-protected objects existapplicationContext-security.xml
File Configuration
You only need to configure one abstractsecureobject so that other protected object classes can inherit it.
Abstractsecureobject only requires one ID attribute so that the ACL can obtain the id value of the protected object instance.

package org.gaixie.micrite.beans

Add Dao

Add the corresponding Dao interface and implementation class for each ACL object class.

package org.gaixie.micrite.security.dao
IAclSidDAO.java
IAclClassDAO.java
IAclObjectIdentityDAO.java
IAclEntryDAO.java

package org.gaixie.micrite.security.dao.hibernate
AclSidDAOImpl.java
AclClassDAOImpl.java
AclObjectIdentityDAOImpl.java
AclEntryDAOImpl.java

For details about the method, see micrite.
API documentation
.

Implement the ACL data persistence Interface

We need to implement two ACLs for Data Persistence:

• Aclservice
  Reads an ACL instance.
• Mutableaclservice
  Creates and stores ACL instances.

First, create an interface isecurityaclservice.
,
When a new protected object instance is added, this interface is called to realize the persistence of permission information and inherit the SS mutableaclservice interface.
To.

Next, create an implementation class for the data persistence interface of two ACLs:

package org.gaixie.micrite.security.service.impl
AclServiceImpl.java
MutableAclServiceImpl.java

• Aclserviceimpl
  The key is to re-implement the aclservice interface.
  public Map readAclsById(ObjectIdentity[] objects, Sid[] sids);
  
  In SS, this method is implemented by default by calling a basiclookupstrategy
  Of
  Class to read the ACL instance information. Here we call the relevant Dao directly to implement this function. The reason why the basiclookupstrategy class is omitted is that the SS is based on
  JDBC to obtain data, in addition to some ANSI
  In addition to SQL, we also need to convert the result set of the resultset to the corresponding ACL instance, and we use hibernate to retrieve the object instance directly through Dao. The code is better
  The default implementation is much simpler. (The benefits of Hibernate are finally reflected !!!)
• Mutableaclserviceimpl
  All of these methods must be rewritten based on hibernate. Since they implement the custom isecurityaclservice interface, they are implemented much more than the default JDBC Method of SS.
  Two methods:
  public void addPermission(AbstractSecureObject securedObject
    , Permission permission, Class clazz);
public void addPermission(AbstractSecureObject securedObject
    , Sid recipient, Permission permission, Class clazz);

If you understand the meaning of the above acl4 entity classes and are familiar with hibernate, you can easily understand the two implementation classes and compare them with the default JDBC Implementation of SS.
Currently, micrite has not implemented the aclcache interface, which can greatly improve the performance of obtaining ACL instances.

Modify the xml configuration file

Finally, modify the two configuration files.

• ApplicationContext-security.xml
  
  This configuration file adds afterinvocationmanager content to process the returned result set after the intercepted method is executed.
  ACL filtering.
• ApplicationContext-security-bean.xml
  
  The only thing you need to note about this configuration file is securitymutableaclservice.
  It actually corresponds to the aclservice in the SS configuration file. They are implementation classes of the ACL data persistence interface mutableaclservice.
  Spring Automatic loading method, so no need to construct parameters. It is inapplicationContext-security.xml
  File
  Is frequently referenced.

Add a roleAFTER_ACL_COLLECTION_READ
All methods that need to filter the ACL result set will be bound to this
Role.
So far, all the ACL modifications have been completed.

Test ACL

The following steps are implemented: different users can only see their own roles. The Administrator group (role_admin) can view all roles.

1. Select an object class role for ACL protection
   ,
   Allow role to inherit abstractsecureobject
2. Add methods to intercept and bind them to rolesAFTER_ACL_COLLECTION_READ
   , Either through the interface or SQL command.
   Note that at least one method to intercept is to return the result set of the role object, as shown in figureList(Role)
   OrSet(Role)
   .
   See:
3. Modify roleserviceimpl
   Class
   Inadd(..), delete(..)
   Method. After adding or deleting a role, the corresponding ACL object is also added or deleted. By calling
   The isecurityaclservicede method can be easily implemented.
4. Compile and run the modified Code. log on to the system with admin, add several roles and users, and log on with different users to check whether the results are correct.

References

[1] http://code.google.com/p/micrite/wiki/Permissions

[2] http://en.wikipedia.org/wiki/Access_Control_List