Sunday, January 30, 2011

Spring Security 3: Full ACL Tutorial (Part 1)

In this tutorial we'll develop a simple Bulletin application where various users can create, add, edit, and delete posts depending on their access levels. Our application is a simple CRUD system that utilizes an Access Control List (ACL) to secure domain objects. The corresponding permissions will be retrieved from an external MySQL database. There's a separate database for the Bulletin posts and the ACL itself.

Here's what we'll be doing:
1. Setup a MySQL database containing ACL data
2. Setup a separate database containg the application's data
3. Secure domain objects using Expression-Based Access Control
4. Secure URLs using the intercept-url and Expression-Based Access Control
5. Tackle unexpected issues

We'll be dividing the tutorial in four parts:
Part 1: Functional Specs and the Application Database
Part 2: Spring Security Configuration
Part 3: Spring MVC Module
Part 4: Running the Application

Our system will be built on Spring MVC 3 and Spring Security 3 for the security layer. The primary goal of this tutorial is to help us setup a quick ACL-based application. To achieve that, we'll be relying on standard implementations.

Part 1: Functional Specs

Let's describe the application's requirements first, so that we know our purpose.

In our system we have three roles:
ROLE_ADMIN - provides administrative access
ROLE_USER - provides regular access
ROLE_VISITOR - provides visitor access

We also have three concrete users along with their roles:
john - ROLE_ADMIN 
jane - ROLE_USER 
mike - ROLE_VISITOR 

When john logs-in, he is given the ROLE_ADMIN. When jane logs-in, she is given the ROLE_USER. And when mike logs-in, he gets the ROLE_VISITOR.

Our Bulletin application has three types of posts:
AdminPost - contains an id, date, and message
PersonalPost - contains an id, date, and message
PublicPost - contains an id, date, and message

Here are the simple rules:
1. Only users with ROLE_ADMIN can create AdminPost
2. Only users with ROLE_USER can create PersonalPost
3. Only users with ROLE_ADMIN or ROLE_USER can create PublicPost
4. Users with ROLE_VISITOR cannot create any post
Note: When we use the word 'create', we mean adding a new post.

Here are the complex rules:
1. A user can edit and delete posts that belongs only to them regardless of the role.
2. A user with ROLE_ADMIN or ROLE_USER can edit and delete PublicPosts.
3. We are required to show all posts in the main Bulletin page
a. ROLE_ADMIN can see all posts
b. ROLE_USER can see Personal and Public posts
c. ROLE_VISITOR can only see Public posts

Let's visualize the rules using tables:

An admin has READ and WRITE access to everything, but only READ access to the Personal Posts.

Admin
Post TypeViewAddEditDelete
Adminxxxx
Personalx
Publicxxxx

A regular user has READ and WRITE access to Personal Posts and Public Posts but only READ access to Admin Posts.

User
Post TypeViewAddEditDelete
Admin



Personalxxxx
Publicxxxx

A visitor can only read Admin and Public Posts but no access of whatsoever in the Personal Posts section.

Visitor
Post TypeViewAddEditDelete
Admin



Personal
Publicx



The main problem:
If we focus on the simple rules, the solution looks easy. Just configure a simple http tag with a couple of intercept-url declarations. Here's how we may tackle this problem:

Admin Posts
<security:intercept-url pattern="/krams/admin/view" access="hasRole('ROLE_ADMIN')"/>
<security:intercept-url pattern="/krams/admin/add" access="hasRole('ROLE_ADMIN')"/>
<security:intercept-url pattern="/krams/admin/edit" access="hasRole('ROLE_ADMIN')"/>
<security:intercept-url pattern="/krams/admin/delete" access="hasRole('ROLE_ADMIN')"/>

Personal Posts
<security:intercept-url pattern="/krams/personal/view" access="hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/krams/personal/add" access="hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/krams/personal/edit" access="hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/krams/personal/delete" access="hasRole('ROLE_USER')"/>

Public Posts
<security:intercept-url pattern="/krams/public/view" access="hasRole('ROLE_ADMIN') or hasRole('ROLE_USER') or hasRole('ROLE_VISITOR')"/>
<security:intercept-url pattern="/krams/public/add" access="hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/krams/public/edit" access="hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/krams/public/delete" access="hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')"/>

However if we consider the complex rules, the intercept-url is unable to cope with the complex rules. Why? Because intercept-url is meant to secure at the URL-level. The complex rules are operating at the domain level.

The solution is to use ACL at the object level and intercept-url at the URL-level.

The ACL Database

We'll start our multi-part tutorial by creating a new MySQL database named acl. This database will contain our access control list. It's composed of four tables:
acl_class
acl_sid
acl_object_identity
acl_entry


Let's create our database. Here are the steps:

1. Run MySQL.
Note: I'm using phpmyadmin to manage my MySQL database.

2. Create a new database named acl

3. Import the following SQL script to create the tables:

acl_structure_mysql.sql
-- phpMyAdmin SQL Dump
-- version 3.2.4
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation Time: Jan 26, 2011 at 04:34 PM
-- Server version: 5.1.41
-- PHP Version: 5.3.1

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";

--
-- Database: `acl`
--

-- --------------------------------------------------------

--
-- Table structure for table `acl_sid`
--

CREATE TABLE IF NOT EXISTS `acl_sid` (
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `principal` tinyint(1) NOT NULL,
  `sid` varchar(100) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `unique_uk_1` (`sid`,`principal`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=4 ;

-- --------------------------------------------------------

--
-- Table structure for table `acl_class`
--

CREATE TABLE IF NOT EXISTS `acl_class` (
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `class` varchar(255) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `unique_uk_2` (`class`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=4 ;

-- --------------------------------------------------------

--
-- Table structure for table `acl_entry`
--

CREATE TABLE IF NOT EXISTS `acl_entry` (
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `acl_object_identity` bigint(20) NOT NULL,
  `ace_order` int(11) NOT NULL,
  `sid` bigint(20) NOT NULL,
  `mask` int(11) NOT NULL,
  `granting` tinyint(1) NOT NULL,
  `audit_success` tinyint(1) NOT NULL,
  `audit_failure` tinyint(1) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `unique_uk_4` (`acl_object_identity`,`ace_order`),
  KEY `foreign_fk_5` (`sid`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=43 ;

-- --------------------------------------------------------

--
-- Table structure for table `acl_object_identity`
--

CREATE TABLE IF NOT EXISTS `acl_object_identity` (
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `object_id_class` bigint(20) NOT NULL,
  `object_id_identity` bigint(20) NOT NULL,
  `parent_object` bigint(20) DEFAULT NULL,
  `owner_sid` bigint(20) DEFAULT NULL,
  `entries_inheriting` tinyint(1) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `unique_uk_3` (`object_id_class`,`object_id_identity`),
  KEY `foreign_fk_1` (`parent_object`),
  KEY `foreign_fk_3` (`owner_sid`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=10 ;

-- --------------------------------------------------------

--
-- Constraints for dumped tables
--

--
-- Constraints for table `acl_entry`
--
ALTER TABLE `acl_entry`
  ADD CONSTRAINT `foreign_fk_4` FOREIGN KEY (`acl_object_identity`) REFERENCES `acl_object_identity` (`id`),
  ADD CONSTRAINT `foreign_fk_5` FOREIGN KEY (`sid`) REFERENCES `acl_sid` (`id`);

--
-- Constraints for table `acl_object_identity`
--
ALTER TABLE `acl_object_identity`
  ADD CONSTRAINT `foreign_fk_1` FOREIGN KEY (`parent_object`) REFERENCES `acl_object_identity` (`id`),
  ADD CONSTRAINT `foreign_fk_2` FOREIGN KEY (`object_id_class`) REFERENCES `acl_class` (`id`),
  ADD CONSTRAINT `foreign_fk_3` FOREIGN KEY (`owner_sid`) REFERENCES `acl_sid` (`id`);

After importing the SQL script, you should have the following tables:

4. Import the following SQL script to populate the tables with data:

acl_data_mysql.sql
-- phpMyAdmin SQL Dump
-- version 3.2.4
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation Time: Jan 24, 2011 at 01:28 AM
-- Server version: 5.1.41
-- PHP Version: 5.3.1

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";

--
-- Database: `acl`
--

--
-- Dumping data for table `acl_sid`
--

INSERT INTO `acl_sid` (`id`, `principal`, `sid`) VALUES
(1, 1, 'john'),
(2, 1, 'jane'),
(3, 1, 'mike');

--
-- Dumping data for table `acl_class`
--

INSERT INTO `acl_class` (`id`, `class`) VALUES
(1, 'org.krams.tutorial.domain.AdminPost'),
(2, 'org.krams.tutorial.domain.PersonalPost'),
(3, 'org.krams.tutorial.domain.PublicPost');

--
-- Dumping data for table `acl_object_identity`
--

INSERT INTO `acl_object_identity` (`id`, `object_id_class`, `object_id_identity`, `parent_object`, `owner_sid`, `entries_inheriting`) VALUES
(1, 1, 1, NULL, 1, 0),
(2, 1, 2, NULL, 1, 0),
(3, 1, 3, NULL, 1, 0),
(4, 2, 1, NULL, 1, 0),
(5, 2, 2, NULL, 1, 0),
(6, 2, 3, NULL, 1, 0),
(7, 3, 1, NULL, 1, 0),
(8, 3, 2, NULL, 1, 0),
(9, 3, 3, NULL, 1, 0);

--
-- Dumping data for table `acl_entry`
--

INSERT INTO `acl_entry` (`id`, `acl_object_identity`, `ace_order`, `sid`, `mask`, `granting`, `audit_success`, `audit_failure`) VALUES
(1, 1, 1, 1, 1, 1, 1, 1),
(2, 2, 1, 1, 1, 1, 1, 1),
(3, 3, 1, 1, 1, 1, 1, 1),
(4, 1, 2, 1, 2, 1, 1, 1),
(5, 2, 2, 1, 2, 1, 1, 1),
(6, 3, 2, 1, 2, 1, 1, 1),
(7, 4, 1, 1, 1, 1, 1, 1),
(8, 5, 1, 1, 1, 1, 1, 1),
(9, 6, 1, 1, 1, 1, 1, 1),
(10, 7, 1, 1, 1, 1, 1, 1),
(11, 8, 1, 1, 1, 1, 1, 1),
(12, 9, 1, 1, 1, 1, 1, 1),
(13, 7, 2, 1, 2, 1, 1, 1),
(14, 8, 2, 1, 2, 1, 1, 1),
(15, 9, 2, 1, 2, 1, 1, 1),
(28, 4, 3, 2, 1, 1, 1, 1),
(29, 5, 3, 2, 1, 1, 1, 1),
(30, 6, 3, 2, 1, 1, 1, 1),
(31, 4, 4, 2, 2, 1, 1, 1),
(32, 5, 4, 2, 2, 1, 1, 1),
(33, 6, 4, 2, 2, 1, 1, 1),
(34, 7, 3, 2, 1, 1, 1, 1),
(35, 8, 3, 2, 1, 1, 1, 1),
(36, 9, 3, 2, 1, 1, 1, 1),
(37, 7, 4, 2, 2, 1, 1, 1),
(38, 8, 4, 2, 2, 1, 1, 1),
(39, 9, 4, 2, 2, 1, 1, 1),
(40, 7, 5, 3, 1, 1, 1, 1),
(41, 8, 5, 3, 1, 1, 1, 1),
(42, 9, 5, 3, 1, 1, 1, 1);

Verify that the tables had been populated with data:
- acl_class should contain 3 records.
- acl_sid should contain 3 records.
- acl_object_identity should contain 9 records.
- acl_entry should contain 30 records.

Table Definitions

So far what we've done is create a new database named acl and add four tables:
acl_class
acl_sid
acl_object_identity
acl_entry
But what are these tables exacly?

acl_class
The table acl_class stores the fully qualified name of domain objects. It is made up of the package name and class name of the object.

In the table below we have declared three fully qualified names that pertain to our three domain objects:

FieldDescription
idThe primary key
classThe fully qualified name of the domain object

acl_sid
The table acl_sid stores the name of the users which can be a principal (like usernames john, james, mark) or an authority (like roles ROLE_ADMIN, ROLE USER, ROLE_ANYONE).

In the table below we have declared three sid objects:

FieldDescription
idThe primary key
principalA flag to indicate if the sid field is a username or a role
sidThe actual username (ie. john) or role (ie. ROLE_ADMIN)

acl_object_identity
The table acl_object_identity stores the actual identities of the domain objects. The identities are referenced via a unique id which is retrieved from another database: the Bulletin database.


FieldDescription
idThe primary key
object_id_classRefers to the id field in the acl_class. This is a reference to the fully qualified name of the class
object_id_identityRefers to the primary id of the domain object. The id is assigned from another database: the Bulletin database (See the Bulletin Database below). Every domain object in the application needs to have a unique id.
parent_objectRefers to the id of the parent object if existing
owner_sidRefers to the id field in the acl_sid. This is a reference to the username or role
entries_inheritingA flag to indicate whether the object has inherited entries

acl_entry
The table acl_entry stores the actual permissions assigned for each user and domain object.


FieldDescription
idThe primary key
acl_object_identityRefers to the id field in the acl_object_identity table
ace_orderRefers to the ordering of the access control entries
sidRefers to the id field in the acl_sid table
maskA bitwise mask to indicate the permissions. A value of 1 is equivalent to READ permission, 2 for WRITE, and so forth.
grantingA flag to indicate whether the mask should be interpreted as granting access or deny access
audit_successA flag to indicate whether to audit a successful permission
audit_failureA flag to indicate whether to audit a failed permission

The Bulletin Database

We've finished setting up the ACL database. Now it's time to setup the application's database: the bulletin database.

The bulletin database contains the actual posts from various users. It contains three tables:

Let's create this database. Here are the steps:

1. Run MySQL
Note: I'm using phpmyadmin to manage my MySQL database

2. Create a new database named bulletin

3. Import the following SQL script to create the tables and populate them with data automatically:

bulletin_mysql.sql
-- phpMyAdmin SQL Dump
-- version 3.2.4
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation Time: Jan 23, 2011 at 02:41 PM
-- Server version: 5.1.41
-- PHP Version: 5.3.1

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";


/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;

--
-- Database: `bulletin`
--

-- --------------------------------------------------------

--
-- Table structure for table `admin_post`
--

CREATE TABLE IF NOT EXISTS `admin_post` (
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `date` datetime NOT NULL,
  `message` varchar(255) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=4 ;

--
-- Dumping data for table `admin_post`
--

INSERT INTO `admin_post` (`id`, `date`, `message`) VALUES
(1, '2011-01-03 21:37:58', 'Custom post #1 from admin'),
(2, '2011-01-04 21:38:39', 'Custom post #2 from admin'),
(3, '2011-01-05 21:39:37', 'Custom post #3 from admin');

-- --------------------------------------------------------

--
-- Table structure for table `personal_post`
--

CREATE TABLE IF NOT EXISTS `personal_post` (
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `date` datetime NOT NULL,
  `message` varchar(255) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=4 ;

--
-- Dumping data for table `personal_post`
--

INSERT INTO `personal_post` (`id`, `date`, `message`) VALUES
(1, '2011-01-06 21:40:02', 'Custom post #1 from user'),
(2, '2011-01-07 21:40:13', 'Custom post #2 from user'),
(3, '2011-01-08 21:40:34', 'Custom post #3 from user');

-- --------------------------------------------------------

--
-- Table structure for table `public_post`
--

CREATE TABLE IF NOT EXISTS `public_post` (
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `date` datetime NOT NULL,
  `message` varchar(255) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=4 ;

--
-- Dumping data for table `public_post`
--

INSERT INTO `public_post` (`id`, `date`, `message`) VALUES
(1, '2011-01-10 21:40:44', 'Custom post #1 from public'),
(2, '2011-01-11 21:40:48', 'Custom post #2 from public'),
(3, '2011-01-12 21:41:08', 'Custom post #3 from public');

4. After importing the SQL script, verify that you have the following tables and data:

AdminPost

PersonalPost

PublicPost

Reminder

Remember the object_id_identity field from the acl_object_identity table? The value of object_id_identity field is derived from the actual value of the id field in the bulletin database.

Conclusion

We have completed the database setup both for the ACL and the Bulletin database. We've also explained the meaning behind the tables and the corresponding fields. Note we haven't touch anything specific to Spring Security, Spring MVC, or even Java yet. Our next task is to setup the Spring Security configuration.

Proceed to Part 2: Spring Security Configuration
StumpleUpon DiggIt! Del.icio.us Blinklist Yahoo Furl Technorati Simpy Spurl Reddit Google I'm reading: Spring Security 3: Full ACL Tutorial (Part 1) ~ Twitter FaceBook

Subscribe by reader Subscribe by email Share

104 comments:

  1. But when you try to add a message it doesn't show up on the view page and I can see the message been added to the respective table

    ReplyDelete
    Replies
    1. Use a sample class for post method and, use predefined existing object

      Delete
    2. Can please explain further?

      Delete
  2. @Anonymous, if you check part 4 of the tutorial under the Unexpected Problems section, you'll see that issue has been discussed.

    ReplyDelete
  3. Dear
    Do all java classes and domain object tables need to have id field so as to implement acl using above method.cant we have our own primary key?

    ReplyDelete
  4. CREATE TABLE acl.public.acl_class (
    id BIGINT NOT NULL,
    class VARCHAR(255) NOT NULL,
    CONSTRAINT acl_class_pk PRIMARY KEY (id)
    );


    CREATE TABLE acl.public.acl_entry (
    id BIGINT NOT NULL,
    acl_object_identity BIGINT NOT NULL,
    ace_order INTEGER NOT NULL,
    sid BIGINT NOT NULL,
    mask INTEGER NOT NULL,
    granting BIT NOT NULL,
    audit_success BIT NOT NULL,
    audit_failure BIT NOT NULL,
    CONSTRAINT acl_entry_pk PRIMARY KEY (id)
    );


    CREATE TABLE acl.public.acl_object_identity (
    id BIGINT NOT NULL,
    object_id_class BIGINT NOT NULL,
    object_id_identity BIGINT NOT NULL,
    parent_object BIGINT,
    owner_sid BIGINT NOT NULL,
    entries_inheriting BIT NOT NULL,
    CONSTRAINT acl_object_identity_pk PRIMARY KEY (id)
    );


    CREATE TABLE acl.public.acl_sid (
    id BIGINT NOT NULL,
    principal BIT NOT NULL,
    sid VARCHAR(100) NOT NULL,
    CONSTRAINT acl_sid_pk PRIMARY KEY (id)
    );


    ALTER TABLE acl.public.acl_object_identity ADD CONSTRAINT foreign_fk_2
    FOREIGN KEY (object_id_class)
    REFERENCES acl.public.acl_class (id)
    ON DELETE NO ACTION
    ON UPDATE NO ACTION
    NOT DEFERRABLE;

    ALTER TABLE acl.public.acl_entry ADD CONSTRAINT foreign_fk_4
    FOREIGN KEY (acl_object_identity)
    REFERENCES acl.public.acl_object_identity (id)
    ON DELETE NO ACTION
    ON UPDATE NO ACTION
    NOT DEFERRABLE;

    ALTER TABLE acl.public.acl_entry ADD CONSTRAINT foreign_fk_5
    FOREIGN KEY (sid)
    REFERENCES acl.public.acl_sid (id)
    ON DELETE NO ACTION
    ON UPDATE NO ACTION
    NOT DEFERRABLE;

    ALTER TABLE acl.public.acl_object_identity ADD CONSTRAINT foreign_fk_3
    FOREIGN KEY (owner_sid)
    REFERENCES acl.public.acl_sid (id)
    ON DELETE NO ACTION
    ON UPDATE NO ACTION
    NOT DEFERRABLE;


    for postgres

    ReplyDelete
    Replies
    1. INSERT INTO acl_sid (id, principal, sid) VALUES
      (1, '1', 'john'),
      (2, '1', 'jane'),
      (3, '1', 'mike');

      --
      -- Dumping data for table acl_class
      --

      INSERT INTO acl_class (id, class) VALUES
      (1, 'org.krams.tutorial.domain.AdminPost'),
      (2, 'org.krams.tutorial.domain.PersonalPost'),
      (3, 'org.krams.tutorial.domain.PublicPost');

      --
      -- Dumping data for table acl_object_identity
      --

      INSERT INTO acl_object_identity (id, object_id_class, object_id_identity, parent_object, owner_sid, entries_inheriting) VALUES
      (1, 1, 1, NULL, 1, '0'),
      (2, 1, 2, NULL, 1, '0'),
      (3, 1, 3, NULL, 1, '0'),
      (4, 2, 1, NULL, 1, '0'),
      (5, 2, 2, NULL, 1, '0'),
      (6, 2, 3, NULL, 1, '0'),
      (7, 3, 1, NULL, 1, '0'),
      (8, 3, 2, NULL, 1, '0'),
      (9, 3, 3, NULL, 1, '0');

      --
      -- Dumping data for table acl_entry
      --

      INSERT INTO acl_entry (id, acl_object_identity, ace_order, sid, mask, granting, audit_success, audit_failure) VALUES
      (1, 1, 1, 1, 1, '1', '1', '1'),
      (2, 2, 1, 1, 1, '1', '1', '1'),
      (3, 3, 1, 1, 1, '1', '1', '1'),
      (4, 1, 2, 1, 2, '1', '1', '1'),
      (5, 2, 2, 1, 2, '1', '1', '1'),
      (6, 3, 2, 1, 2, '1', '1', '1'),
      (7, 4, 1, 1, 1, '1', '1', '1'),
      (8, 5, 1, 1, 1, '1', '1', '1'),
      (9, 6, 1, 1, 1, '1', '1', '1'),
      (10, 7, 1, 1, 1, '1', '1', '1'),
      (11, 8, 1, 1, 1, '1', '1', '1'),
      (12, 9, 1, 1, 1, '1', '1', '1'),
      (13, 7, 2, 1, 2, '1', '1', '1'),
      (14, 8, 2, 1, 2, '1', '1', '1'),
      (15, 9, 2, 1, 2, '1', '1', '1'),
      (28, 4, 3, 2, 1, '1', '1', '1'),
      (29, 5, 3, 2, 1, '1', '1', '1'),
      (30, 6, 3, 2, 1, '1', '1', '1'),
      (31, 4, 4, 2, 2, '1', '1', '1'),
      (32, 5, 4, 2, 2, '1', '1', '1'),
      (33, 6, 4, 2, 2, '1', '1', '1'),
      (34, 7, 3, 2, 1, '1', '1', '1'),
      (35, 8, 3, 2, 1, '1', '1', '1'),
      (36, 9, 3, 2, 1, '1', '1', '1'),
      (37, 7, 4, 2, 2, '1', '1', '1'),
      (38, 8, 4, 2, 2, '1', '1', '1'),
      (39, 9, 4, 2, 2, '1', '1', '1'),
      (40, 7, 5, 3, 1, '1', '1', '1'),
      (41, 8, 5, 3, 1, '1', '1', '1'),
      (42, 9, 5, 3, 1, '1', '1', '1');

      Delete
    2. I think if you look at the Spring Security jars, you will find the schema for Postgres as well (including schemas for other databases). Anyway, thank you for sharing this one. I'm sure it will help others reading this guide.

      Delete
  5. i would wish to associate number of users to a role/authority and then assign the permissions to him. how do you relate a user in the sid table with an authority in same table.
    or can we combine the RBAC and ACL ?? if so, is there any tutorial that use ACL complementing RBAC. pls correct if my understanding is false...

    ReplyDelete
  6. Can you explain about 'acl_class'. Whats the actual requiremnt for that. IF i have 200 Controller then i have to create 200 entries?. Make me more understandable.

    ReplyDelete
  7. Hi, Thanks for your great post, there are much nice information that I am sure a huge number of guys and gals don’t know.

    RFID Access Control System

    ReplyDelete
  8. For anyone that finds this, Spring Security now has the create schema SQL for more DBs including: HSQLDB, MySQL, Oracle, PostgreSQL and SQL Server. To find the files, see below:

    https://github.com/spring-projects/spring-security/tree/master/acl/src/main/resources

    ReplyDelete
  9. Hi

    Nice article, how to use spring security acl in spring boot ?

    ReplyDelete
  10. I have read your blog its very attractive and impressive. I like it your blog.

    Spring online training Spring online training Spring Hibernate online training Spring Hibernate online training Java online training

    spring training in chennai spring hibernate training in chennai

    ReplyDelete
  11. The blog is very nice and good content . Thanks for sharing!!!

    Home Camera Security

    ReplyDelete
  12. Really fantastic blog and article... thanks for sharing your views and information..

    Java Training in Chennai

    ReplyDelete
  13. @krams can you be more specific about ACE order

    ReplyDelete
  14. This tutorial is very good but how can we add data in ACL table without dbscript

    ReplyDelete
  15. file access control

    Add file access control and file IOs monitor to your windows application with Windows file system mini filter driver component in C#, C++ demo source code to implement your file security solution

    http://easefilter.com/

    ReplyDelete
  16. This is most informative and also this post most user friendly and super navigation to all posts... Thank you so much for giving this information to me.. 
    Best Devops training in sholinganallur
    Devops training in velachery
    Devops training in annanagar
    Devops training in tambaram

    ReplyDelete
  17. Great Article… I love to read your articles because your writing style is too good,
    its is very very helpful for all of us and I never get bored while reading your article because,
    they are becomes a more and more interesting from the starting lines until the end.


    Java training in Chennai

    Java training in Bangalore

    Java online training

    Java training in Pune

    ReplyDelete
  18. Attend The Python training in bangalore From ExcelR. Practical Python training in bangalore Sessions With Assured Placement Support From Experienced Faculty. ExcelR Offers The Python training in bangalore.
    python training in bangalore

    ReplyDelete
  19. Thankyou so much for the precious information you have given to us
    <a href="httsp=www.1marshal.com>Key management system in india</a>

    ReplyDelete
  20. For AWS training in Bangalore, Visit:
    AWS training in Bangalore

    ReplyDelete
  21. This is the exact information I am been searching for, Thanks for sharing the required infos with the clear update and required points. To appreciate this I like to share some useful information.python training in bangalore

    ReplyDelete
  22. Congratulations This is the great things. Thanks to giving the time to share such a nice information.best Mulesoft training in bangalore

    ReplyDelete
  23. Right here is the right web site for anyone who wishes to understand this topic. You understand so much its almost hard to argue with you (not that I actually would want to…HaHa). You definitely put a fresh spin on a topic that's been written about for decades. Wonderful stuff, just excellent! onsite mobile repair bangalore Aw, this was an incredibly good post. Spending some time and actual effort to produce a very good article… but what can I say… I procrastinate a whole lot and don't manage to get nearly anything done. asus display repair bangalore I’m amazed, I must say. Rarely do I encounter a blog that’s both equally educative and entertaining, and let me tell you, you've hit the nail on the head. The issue is something that too few folks are speaking intelligently about. I am very happy I came across this during my search for something relating to this. huawei display repair bangalore

    ReplyDelete
  24. Nice post. I learn something new and challenging on websites I stumbleupon on a daily basis. It will always be exciting to read content from other authors and practice something from their web sites. online laptop repair center bangalore I blog often and I genuinely thank you for your content. This article has really peaked my interest. I'm going to take a note of your site and keep checking for new information about once a week. I opted in for your RSS feed as well. dell repair center bangalore

    ReplyDelete
  25. Pretty! This was a really wonderful article. Thanks for providing these details. macbook repair center bangalore Greetings! Very useful advice in this particular post! It's the little changes that will make the most important changes. Many thanks for sharing! acer repair center bangalore

    ReplyDelete
  26. Thanks for sharing it.I got Very valuable information from your blog.your post is really very Informative.I’m satisfied with the information that you provide for me.Nice post. By reading your blog, i get inspired and this provides some useful information.One of the best blogs that I have read till now.

    amazon web services (aws) training in pune india

    ReplyDelete
  27. I am really enjoying reading your well written articles. It looks like you spend a lot of effort and time on your blog. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work.
    data analytics courses

    data science interview questions

    business analytics course

    data science course in mumbai

    ReplyDelete
  28. I like the helpful info you provide in your articles. I’ll bookmark your weblog and check again here regularly. I am quite sure I will learn much new stuff right here! Good luck for the next!
    Regards : Best Software Testing Course in Pune with 100% Placement

    ReplyDelete
  29. Thank you for this informative blog...
    AWS Training in Bangalore | AWS Cours | AWS Training Institutes - RIA Institute of Technology
    - Best AWS Training in Bangalore, Learn from best AWS Training Institutes in Bangalore with certified experts & get 100% assistance.

    ReplyDelete
  30. This concept is a good way to enhance the knowledge.thanks for sharing.. Great article ...Thanks for your great information, the contents are quiet interesting.
    SQL Azure Online Training
    Azure SQL Training
    SQL Azure Training

    ReplyDelete
  31. Poker online situs terbaik yang kini dapat dimainkan seperti Bandar Poker yang menyediakan beberapa situs lainnya seperti http://62.171.128.49/hondaqq/ , kemudian http://62.171.128.49/gesitqq/, http://62.171.128.49/gelangqq/, dan http://62.171.128.49/seniqq. yang paling akhir yaitu http://62.171.128.49/pokerwalet/. Jangan lupa mendaftar di panenqq silakan dicoba bosku serta salam hoki

    ReplyDelete
  32. Who we are
    Nuevas is a company specializing in easy-to-use, practical wireless solutions for the protection and management of people, fleets of vehicles, containers and assets. Our main focus is on

    "What are our products?Nuevas is a company specializing in easy-to-use, practical wireless solutions for the protection and management of people, fleets of vehicles, containers and assets. Our main focus is on

    "
    "GPS tracking devicesGPS Vehicle Tracking System
    Comprehensive GPS Vehicle Tracking System Straight From Our Leading Team
    At present, safety is your first-hand priority. Unless you are properly covered, keeping a single foot out of your home is hazardous to your health. That’s when you have to call up for our GPS vehicle tracking system from Nuevas Technologies Pvt. Ltd. "
    "Vehicle tracking system functions on mentioned technologyFAQ's
    1. How does GPS work?
    Read more.......
    "
    "Maximizing Performance from vehicles and service representatives of our clients.Vehical tracking service Provider in Pune- India
    Keep In Touch With Your Vehicle Through Our Well-Trained Service Providers
    Read more"
    Vehicle Tracking System Manufacturer in Pune-India We are living in the era of information technology. Everything is available on single click done with your fingertip. Meanwhile, Logistic Systems have also undergone revolutionary improvements and became modern by implementing technological advancements in the 21st century. GPS i.e., Global Positioning System is gaining more significance than ever. GPS in Logistics is generally termed as Vehicle Tracking System. Let’s have a quick look on some of the key points, why this system is important in Logistics?Read more.....
    GPS vehicle tracking system dealer in Pune-India
    "RFID Tracking Devices
    "

    "Thanks for sharing such a wonderful article as i waiting for such article
    Keep on sharing the good content.Welcome to the Ozanera Products and Services Portal.Over the years we’ve seen doctors and hospitals really struggle to find reliable hospital products and services fast.
    Thank you."

    "Hospital Products
    Welcome To Our Services
    Ozanera is an initiative born out of our experience with two critical aspect of running hospitals that we realized needed a major overhaul. One is how hospitals source products and services.
    Thank you."

    "What makes us special
    In our decades of experience serving the hospital industry we realized there was a yawning gap between the talent requirements of the healthcare industry and what the industry had access to. "

    ReplyDelete
  33. Other content online cannot measure up to the work you have put out here. Your insight on this subject has convinced me of many of the points you have expressed. This is great unique writing.

    SEO services in kolkata
    Best SEO services in kolkata
    SEO company in kolkata
    Best SEO company in kolkata
    Top SEO company in kolkata
    Top SEO services in kolkata
    SEO services in India
    SEO copmany in India

    ReplyDelete
  34. If all the writers who pen down articles would give a thought to write topic specific articles like you, then more number of readers would read their content. It is really revitalizing to find such pure and unique content in an otherwise world where most of the articles are copied.
    SAP training in Kolkata
    SAP course in kolkata

    ReplyDelete
  35. It is truly an honour to run across informational content like the one you have written. You are evidently knowledgeable on this written topic and you have unique views to share.
    SAP training in Mumbai
    SAP course in Mumbai

    ReplyDelete
  36. This comment has been removed by the author.

    ReplyDelete
  37. It's truly an honor to run across informational content like this. You are clearly knowledgeable on this topic and you have unique views to share.


    Data Privacy Service in UK

    ReplyDelete
  38. I've been looking for info on this topic for a while. I'm happy this one is so great. Keep up the excellent work ExcelR Data Analytics Courses

    ReplyDelete
  39. ExcelR provides Data Analytics courses. It is a great platform for those who want to learn and become a Data Analytics course. Students are tutored by professionals who have a degree in a particular topic. It is a great opportunity to learn and grow.


    Data Analytics courses

    ReplyDelete
  40. I am genuinely thankful to the holder of this web page who has shared this wonderful paragraph at at this place. ExcelR Data Analyst Course

    ReplyDelete
  41. Thanks, I saw a lot of websites but I think this one has something special in it. This Blog gives me a lot of information. So nice!
    Data Science Training in Hyderabad
    Data Science Course in Hyderabad

    ReplyDelete
  42. I have read your Excellent Post. This is Great Job. I have enjoyed you reading your post first time. I want to say thanks for this post... Thank You so much...
    AWS Training in Hyderabad
    AWS Course in Hyderabad

    ReplyDelete
  43. Wonderful illustrated information. I thank you for that. No doubt it will be very useful for my future projects. Would like to see some other posts on the same subject!
    data scientist training in hyderabad

    ReplyDelete
  44. I've been looking for info on this topic for a while. I'm happy this one is so great. Keep up the excellent work business analytics course in surat

    ReplyDelete
  45. Hey, great blog, but I don’t understand how to add your site in my rss reader. Can you Help me please? data science course in kanpur

    ReplyDelete
  46. I think this is a really good article. You make this information interesting and engaging. You give readers a lot to think about and I appreciate that kind of writing. data science course in mysore

    ReplyDelete
  47. I just got to this amazing site not long ago. I was actually captured with the piece of resources you have got here. Big thumbs up for making such wonderful blog page! business analytics course in mysore

    ReplyDelete
  48. Hi buddies, it is a great written piece entirely defined, continuing the good work constantly.
    data science online training in hyderabad

    ReplyDelete
  49. Best AWS Training provided by Vepsun in Bangalore for the last 12 years. Our Trainer has more than 20+ Years
    of IT Experience in teaching Virtualization and Cloud topics.. we are very delighted to say that Vepsun is
    the Top AWS cloud training Provider in Bangalore. We provide the best atmosphere for our students to learn.
    Our Trainers have great experience and are highly skilled in IT Professionals. AWS is an evolving cloud
    computing platform provided by Amazon with a combination of IT services. It includes a mixture of
    infrastructure as service and packaged software as service offerings and also automation. We have trained
    more than 10000 students in AWS cloud and our trainer Sameer has been awarded as the best Citrix and Cloud
    trainer in India.

    ReplyDelete
  50. This post is a comprehensive guide to setting up Spring Security with ACL for securing domain objects. The detailed steps for creating MySQL databases, tables, and data are incredibly helpful. It provides clear explanations, making it easy to follow. Looking forward to the next parts of this tutorial!
    Data Analytics Courses in Nashik

    ReplyDelete
  51. This article appears to be part of a Spring Security series, offering a comprehensive tutorial on Access Control Lists (ACL) in Spring Security. Likely a valuable resource for developers working on securing their Spring-based applications.

    Data Analytics Courses In Kochi



    ReplyDelete
  52. This article is a thorough tutorial for configuring Spring Security with ACL to secure domain objects. The thorough instructions for building MySQL databases, tables, and data are really beneficial. It is simple to understand and follows along with excellent explanations. Looking forward to the remaining tutorial sections!
    Data Analytics Courses in Agra

    ReplyDelete
  53. This post is to say a full ACL tutorial that is incredibly valuable for anyone looking to understand and implement robust security measures for their systems or networks. Thank you for sharing.
    Data Analytics Courses In Chennai

    ReplyDelete
  54. Thank you to the author for sharing this educational content, which undoubtedly contributes to improved understanding and security practices in the IT field. I liked it.
    Data Analytics Courses In Chennai

    ReplyDelete
  55. nice blog
    Data Analytics Courses In Vadodara

    ReplyDelete
  56. Thank you so much for providing a full ACL tutorial on spring security. I really loved it.
    Visit - Data Analytics Courses in Delhi

    ReplyDelete
  57. This tutorial is a comprehensive guide to understanding Spring Security 3 and implementing full ACL.
    Data analytics courses in new Jersey

    ReplyDelete
  58. ACL, or Access Control List, is a crucial security measure that defines permissions and restrictions for users or systems accessing resources on a network or within a computer system. It plays a vital role in safeguarding data and maintaining privacy.

    In the field of data analytics, Glasgow offers an array of Data Analytics courses that provide the expertise needed to work with and extract valuable insights from data. Please also read Data Analytics courses in Glasgow.

    ReplyDelete
  59. Your step-by-step approach and the way you've broken down complex ACL concepts into manageable pieces make it accessible for developers at all levels.
    Digital marketing courses in illinois

    ReplyDelete
  60. Useful post Thanks for sharing it that truly valuable knowledge about similar topic. Tableau training in pune

    ReplyDelete
  61. The blog post is incredible tutorial on how to develop Bulletin application. Thanks for sharing valuable post.
    data analyst courses in limerick

    ReplyDelete
  62. Thank you for providing excellent and insightful tutorial on Bulletin application where various users can create, add, edit, and delete posts depending on their access levels.
    Digital Marketing Courses In Bhutan

    ReplyDelete
  63. An exceptionally detailed and well-structured tutorial on implementing ACL with Spring Security. Clear explanations and valuable insights. Impressive work

    Digital marketing tips for small businesses

    ReplyDelete
  64. Great blog post on creating a Bulletin application. The step-by-step instructions were easy to understand and follow. Thanks for a great share.

    Investment banking analyst jobs

    ReplyDelete
  65. Wow, thanks a bunch for such an exhaustive tutorial. The code and diagrams were super helpful too. Thanks for sharing.

    Investment banking analyst jobs

    ReplyDelete
  66. I appreciate the clear explanations of the concepts involved in Spring Security 3 Full ACL. The code examples are well-documented and help to the theoretical and practical application. keep posting.
    Digital marketing courses in city of Westminster

    ReplyDelete
  67. Well written article. Thanks for explaining the solution of complex problem in a step by step manner.
    Investment banking courses after 12th

    ReplyDelete