Sunday, January 30, 2011

Spring Security 3: Full ACL Tutorial (Part 2)

In Part 1 of this tutorial we've completed setting up the ACL and Bulletin databases. In Part 2 we'll be building the Bulletin application with Spring Security and Spring MVC.

Part 1: Functional Specs and the Application Database
Part 2: Spring Security Configuration
Part 3: Spring MVC Module
Part 4: Running the Application

Part 2: Spring Security

Most of the development with Spring Security are composed of configuration files. We'll be declaring two configuration files:
1. spring-security.xml
2. acl-context.xml

spring-security.xml
This contains standard Spring Security configuration. It declares the following:
1. A set of intercept-url patterns.
2. An authentication manager
3. An Md5 password encoder
4. An in-memory user service

For an in-depth description of this file, please see the Spring Security 3 - MVC: Using a Simple User-Service Tutorial

acl-context.xml
This contains ACL-related configuration. It declares the following:
1. A global-method-security tag which enables method security expressions
2. An expression handler
3. A permission evaluator
4. An ACL service
5. A lookup strategy
6. A datasource
7. An ACL cache
8. An ACL authorization strategy
9. A role hierarchy

Here are the configuration files:

spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:security="http://www.springframework.org/schema/security"
 xsi:schemaLocation="http://www.springframework.org/schema/beans 
      http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
   http://www.springframework.org/schema/security 
   http://www.springframework.org/schema/security/spring-security-3.0.xsd">
 
 <!-- Loads ACL related configurations -->
 <import resource="acl-context.xml" />
 
 <!-- This is where we configure Spring-Security  -->
 <security:http auto-config="true" use-expressions="true" access-denied-page="/krams/auth/denied" >
 
  <security:intercept-url pattern="/krams/auth/login" access="permitAll"/>
  <security:intercept-url pattern="/krams/bulletin/view" access="hasRole('ROLE_VISITOR')"/>
  <security:intercept-url pattern="/krams/role/admin" access="hasRole('ROLE_ADMIN')"/>
  <security:intercept-url pattern="/krams/role/user" access="hasRole('ROLE_USER')"/>
  <security:intercept-url pattern="/krams/role/visitor" access="hasRole('ROLE_VISITOR')"/>
  
  <security:form-login
    login-page="/krams/auth/login" 
    authentication-failure-url="/krams/auth/login?error=true" 
    default-target-url="/krams/bulletin/view"/>
   
  <security:logout 
    invalidate-session="true" 
    logout-success-url="/krams/auth/login" 
    logout-url="/krams/auth/logout"/>
 
 </security:http>
 
 <!-- Declare an authentication-manager to use a custom userDetailsService -->
 <security:authentication-manager>
         <security:authentication-provider user-service-ref="userDetailsService">
           <security:password-encoder ref="passwordEncoder"/>
         </security:authentication-provider>
 </security:authentication-manager>
 
 <!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the database -->
 <bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/>

  <!-- An in-memory list of users. No need to access an external database layer.
      See Spring Security 3.1 Reference 5.2.1 In-Memory Authentication -->
  <!-- john's password: admin
    jane's password: user
    mike's password: visitor  -->
  <security:user-service id="userDetailsService">
     <security:user name="john" password="21232f297a57a5a743894a0e4a801fc3" authorities="ROLE_ADMIN, ROLE_USER, ROLE_VISITOR" />
     <security:user name="jane" password="ee11cbb19052e40b07aac0ca060c23ee" authorities="ROLE_USER, ROLE_VISITOR" />
     <security:user name="mike" password="127870930d65c57ee65fcc47f2170d38" authorities="ROLE_VISITOR" />
   </security:user-service>
 
</beans>

acl-context.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:security="http://www.springframework.org/schema/security"
 xmlns:p="http://www.springframework.org/schema/p"
 xmlns:jdbc="http://www.springframework.org/schema/jdbc" 
 xsi:schemaLocation="http://www.springframework.org/schema/beans 
      http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
   http://www.springframework.org/schema/security 
   http://www.springframework.org/schema/security/spring-security-3.0.xsd
   http://www.springframework.org/schema/jdbc 
   http://www.springframework.org/schema/jdbc/spring-jdbc-3.0.xsd">

 <!-- Enables Method Security and Expression-based access control -->
 <security:global-method-security pre-post-annotations="enabled">
  <!-- Enables custom expression handler -->
  <security:expression-handler ref="expressionHandler" />
 </security:global-method-security>

 <!-- See 15.3.2 Built-In Expression @http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html#el-permission-evaluator -->
 <bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
  <!-- To use hasPermission() in expressions, configure a PermissionEvaluator -->
  <property name="permissionEvaluator" ref="permissionEvaluator" />
  <property name = "roleHierarchy" ref="roleHierarchy"/>
 </bean>
 
 <!-- Declare a custom PermissionEvaluator
  We'll rely on the standard AclPermissionEvaluator implementation -->
 <bean class="org.springframework.security.acls.AclPermissionEvaluator" id="permissionEvaluator">
  <constructor-arg ref="aclService"/>
 </bean>

 <!-- Declare an acl service -->
 <bean class="org.springframework.security.acls.jdbc.JdbcMutableAclService" id="aclService">
  <constructor-arg ref="dataSource"/>
        <constructor-arg ref="lookupStrategy"/>
        <constructor-arg ref="aclCache"/>
 </bean>
 
 <!-- Declare a lookup strategy-->
 <bean id="lookupStrategy" class="org.springframework.security.acls.jdbc.BasicLookupStrategy">
        <constructor-arg ref="dataSource"/>
        <constructor-arg ref="aclCache"/>
        <constructor-arg ref="aclAuthorizationStrategy"/>
        <constructor-arg ref="auditLogger"/>
    </bean>
    
    <!-- Declare a datasource -->
    <bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource"
   destroy-method="close"
   p:driverClass="com.mysql.jdbc.Driver"
   p:jdbcUrl="jdbc:mysql://localhost/acl"
   p:user="root"
   p:password=""
   p:acquireIncrement="5"
   p:idleConnectionTestPeriod="60"
   p:maxPoolSize="100"
   p:maxStatements="50"
   p:minPoolSize="10" />

    <!-- Declare an acl cache-->   
   <bean id="aclCache" class="org.springframework.security.acls.domain.EhCacheBasedAclCache">
        <constructor-arg>
            <bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
                <property name="cacheManager">
                    <bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
                </property>
                <property name="cacheName" value="aclCache"/>
            </bean>
        </constructor-arg>
    </bean>

 <!-- Declare an acl authorization strategy-->
    <bean id="aclAuthorizationStrategy" class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                    <constructor-arg value="ROLE_ADMIN"/>
                </bean>
                <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                    <constructor-arg value="ROLE_ADMIN"/>
                </bean>
                <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                    <constructor-arg value="ROLE_ADMIN"/>
                </bean>
            </list>
        </constructor-arg>
    </bean>
 
  <!-- Declare an audit logger-->
    <bean id="auditLogger" class="org.springframework.security.acls.domain.ConsoleAuditLogger"/>
    
  <!-- http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/access/hierarchicalroles/RoleHierarchyImpl.html -->
 <bean id="roleHierarchy"  class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
     <property name="hierarchy">
         <value>
             ROLE_ADMIN > ROLE_USER
             ROLE_USER > ROLE_VISITOR
         </value>
     </property>
 </bean>
</beans>

In-Depth Look of acl-context.xml

Let's take an in-depth look of the acl-context.xml file.

The Method Security

<security:global-method-security pre-post-annotations="enabled">
  <security:expression-handler ref="expressionHandler" />
 </security:global-method-security>
The global-method-security enables method security annotations. There are three types of method security annotations available in Spring Security (See Spring Security Reference 2.4 Method Security)
1. @Secured annotation
2. JSR-250 annotation
3. Expression-based access control

By adding the pre-post-annotations attribute, we've activated the Expression-based access control. If you need to learn how to setup a simple application using the Expression-based access control, please see Spring Security 3 - MVC: Using Native Expression-Based Annotation Tutorial

The Expression Handler

The expression-handler property defines a custom expression handler instance. Without this property Spring Security will declare a default expression handler with no ACL support. We need to declare a custom handler because we need ACL support. It turns out Spring provides a default implementation that we can customize so that we don't have to create one from scratch.

<bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
  <property name="permissionEvaluator" ref="permissionEvaluator" />
  <property name = "roleHierarchy" ref="roleHierarchy"/>
 </bean>
Here we declared a reference to a customized expression handler: DefaultMethodSecurityExpressionHandler. This is actually the default expression handler but it needs to be declared manually so that we can provide a customized permission evaluator.

The permissionEvaluator property defines a reference to a custom permission evaluator, while the roleHierarchy allows us to define the hierarchy of our roles.

The Role Hierarchy

<bean id="roleHierarchy"  class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
     <property name="hierarchy">
         <value>
             ROLE_ADMIN > ROLE_USER
             ROLE_USER > ROLE_VISITOR
         </value>
     </property>
 </bean>
</beans>
Role hierarchy is a way of declaring which role is the boss of other roles. In our sample configuration ROLE_ADMIN > ROLE USER, means whenever a user has a ROLE_ADMIN, he also gets
the ROLE_USER. And because we declared ROLE_USER > ROLE_VISITOR, he also gets the ROLE_VISITOR.

The ACL Permission Evaluator

<bean class="org.springframework.security.acls.AclPermissionEvaluator" id="permissionEvaluator">
  <constructor-arg ref="aclService"/>
 </bean>
What is AclPermissionEvaluator?
Used by Spring Security's expression-based access control implementation to evaluate permissions for a particular object using the ACL module. Similar in behaviour to AclEntryVoter.

Source: Spring Security 3 API AclPermissionEvaluator
AclPermissionEvaluator is the default implementation for evaluating ACLs with expression-based access control but it's not enabled by default. It needs to be declared manually and it needs to be customized.

The <constructor-arg ref="aclService"/> is a reference to a custom ACL service. Basically this is the service that will access the ACL database.

The ACL Service

<bean class="org.springframework.security.acls.jdbc.JdbcMutableAclService" id="aclService">
  <constructor-arg ref="dataSource"/>
        <constructor-arg ref="lookupStrategy"/>
        <constructor-arg ref="aclCache"/>
 </bean>
What is JdbcMutableAclService?
Provides a base JDBC implementation of MutableAclService.

The default settings are for HSQLDB. If you are using a different database you will probably need to set the sidIdentityQuery and classIdentityQuery properties appropriately. The other queries, SQL inserts and updates can also be customized to accomodate schema variations, but must produce results consistent with those expected by the defaults.

Source: Spring Security 3 API JdbcMutableAclService
The JdbcMutableAclService is a JDBC-based ACL service. It uses JdbcTemplate to simplify JDBC access. Remember in Part 1 of this tutorial we declared a custom MySQL ACL schema. That's because by default the JdbcMutableAclService uses HSQLDB. In fact, if you examine the Spring Security ACL package, you'll find that there are two schemas available: an HSQLDB schema and PostgreSQL schema. See the screenshot below:


The <constructor-arg ref="dataSource"/> is a reference to a datasource, in our case, a MySQL datasource.

The <constructor-arg ref="lookupStrategy"/> is a reference to a lookup strategy. Its purpose is to provide an optimized lookup when querying the database.

The <constructor-arg ref="aclCache"/> is a reference to an ACL cache. Its purpose is to lessen database access by checking first if the ACL entry is already available in the cache.

The Datasource

<bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource"
   destroy-method="close"
   p:driverClass="com.mysql.jdbc.Driver"
   p:jdbcUrl="jdbc:mysql://localhost/acl"
   p:user="root"
   p:password=""
   p:acquireIncrement="5"
   p:idleConnectionTestPeriod="60"
   p:maxPoolSize="100"
   p:maxStatements="50"
   p:minPoolSize="10" />
This is a standard MySQL datasource that uses a C3P0 connection pool. The jdbcUrl property points to the acl database.

What is Pooling?
In software engineering, a connection pool is a cache of database connections maintained so that the connections can be reused when future requests to the database are required. Connection pools are used to enhance the performance of executing commands on a database. Opening and maintaining a database connection for each user, especially requests made to a dynamic database-driven website application, is costly and wastes resources. In connection pooling, after a connection is created, it is placed in the pool and it is used over again so that a new connection does not have to be established.

Source: http://en.wikipedia.org/wiki/Connection_pool

For more info on configuring C3P0, you can check this reference from JBoss: HowTo configure the C3P0 connection pool.

The Lookup Strategy

<bean id="lookupStrategy" class="org.springframework.security.acls.jdbc.BasicLookupStrategy">
        <constructor-arg ref="dataSource"/>
        <constructor-arg ref="aclCache"/>
        <constructor-arg ref="aclAuthorizationStrategy"/>
        <constructor-arg ref="auditLogger"/>
    </bean>
Here we declare Spring Security's default implementation of a lookup strategy BasicLookupStrategy. As mentioned earlier, the purpose of a lookup strategy is to provide an optimized lookup when querying the database.

Here's an in-depth description of BasicLookupStrategy:
Performs lookups in a manner that is compatible with ANSI SQL.

This implementation does attempt to provide reasonably optimised lookups - within the constraints of a normalised database and standard ANSI SQL features. If you are willing to sacrifice either of these constraints (e.g. use a particular database feature such as hierarchical queries or materalized views, or reduce normalisation) you are likely to achieve better performance. In such situations you will need to provide your own custom LookupStrategy. This class does not support subclassing, as it is likely to change in future releases and therefore subclassing is unsupported.

Source: Spring Security 3 API - BasicLookupStrategy

The <constructor-arg ref="dataSource"/> is a reference to the same MySQL datasource we described earlier.

The <constructor-arg ref="aclCache"/> is a reference to the same ACL cache we described earlier.

The <constructor-arg ref="aclAuthorizationStrategy"/> is a reference to an AclAuthorizationStrategy implementation.

What is AclAuthorizationStrategy?
Strategy used by AclImpl to determine whether a principal is permitted to call adminstrative methods on the AclImpl.

Source: Spring Security 3 API - AclAuthorizationStrategy

The <constructor-arg ref="auditLogger"/> is a reference to an AuditLogger implementation.

<bean id="auditLogger" class="org.springframework.security.acls.domain.ConsoleAuditLogger"/>
What is AuditLogger?
Used by AclImpl to log audit events.

Source: Spring Security 3 API - AuditLogger

The ACL Cache

<bean id="aclCache" class="org.springframework.security.acls.domain.EhCacheBasedAclCache">
        <constructor-arg>
            <bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
                <property name="cacheManager">
                    <bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
                </property>
                <property name="cacheName" value="aclCache"/>
            </bean>
        </constructor-arg>
    </bean>
Here we declare Spring Security's default implementation of AclCache interface. It's purpose is to lessen database lookups.

What is EhCacheBasedAclCache?
Simple implementation of AclCache that delegates to EH-CACHE.

Designed to handle the transient fields in AclImpl. Note that this implementation assumes all AclImpl instances share the same AuditLogger and AclAuthorizationStrategy instance.

Source: Spring Security 3 API - EhCacheBasedAclCache

What is EhCache?
Ehcache is an open source, standards-based cache used to boost performance, offload the database and simplify scalability. Ehcache is robust, proven and full-featured, which has made it the most popular Java-based cache with 100,000’s of production deployments.

Source: EhCache.org

The EhCacheBasedAclCache constructor accepts an instance of an EHCache instance. The EhCacheFactoryBean is responsible for crating this instance.

The ACL Authorization Strategy

<bean id="aclAuthorizationStrategy" class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                    <constructor-arg value="ROLE_ADMIN"/>
                </bean>
                <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                    <constructor-arg value="ROLE_ADMIN"/>
                </bean>
                <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                    <constructor-arg value="ROLE_ADMIN"/>
                </bean>
            </list>
        </constructor-arg>
    </bean>
AclAuthorizationStrategyImpl is the default implementation of AclAuthorizationStrategy. Notice the constructor accepts three arguments. Based on the Spring Security API, constructor signature is as follows:

public AclAuthorizationStrategyImpl(GrantedAuthority[] auths)
And here's what auths represent:
auths - an array of GrantedAuthoritys that have special permissions (index 0 is the authority needed to change ownership, index 1 is the authority needed to modify auditing details, index 2 is the authority needed to change other ACL and ACE details)

Source: Spring Security 3 API - AclAuthorizationStrategyImpl

Conclusion

We have completed the standard Spring Security configuration, including the ACL-related beans. We've also described in detail the purpose and meaning behind the configuration. Our next task is to setup the Spring MVC module.

Proceed to Part 3: Spring MVC Module
StumpleUpon DiggIt! Del.icio.us Blinklist Yahoo Furl Technorati Simpy Spurl Reddit Google I'm reading: Spring Security 3: Full ACL Tutorial (Part 2) ~ Twitter FaceBook

Subscribe by reader Subscribe by email Share

26 comments:

  1. Hi,

    aclAuthorizationStrategy has 3x same ROLE_ADMIN

    and in Part 1> acl entry:
    ace_order element is twice in the list

    Just telling you since the rest of the articles are truly excellent. Really appreciate your very clean articles. They are not as easy to find as others though are imo a lot better written.

    Thanks again and best wishes!

    ReplyDelete
  2. @Dr.Drane, you're welcome. You're correct about your observation. It's supposed to be like that. aclAuthorizationStrategy has three arguments for its constructor. For the ace_order, we need to have two (or more) since the default implementation isn't really a mask comparison.

    ReplyDelete
  3. hi
    this tutorial is very well written.
    where can i find the source code for this example?
    Thanks
    Shankha

    ReplyDelete
  4. @Shankha, the source code is on part 4 of the tutorial.

    ReplyDelete
  5. Hi..

    I am confused with your tutorial..
    You talk about security but why put user and password in spring-security.xml?
    if every time a user increases should also be changed spring-security.xml?

    ReplyDelete
  6. @lazzuadi, that's because you're expecting too much from a tutorial. If you've read the introduction, "In this tutorial we'll develop a simple Bulletin application where various users can create, add, edit, and delete posts depending on their access levels. Our application is a simple CRUD system that utilizes an Access Control List (ACL) to secure domain objects. The corresponding permissions will be retrieved from an external MySQL database.". It's supposed to be simple and a tutorial. Don't expect an enterprise, all-laid out solution for you. Don't expect a hack free application in all tutorials. After all the point is to guide you and help you get started. Even if you put your user and password in a database that doesn't mean you're secured already. In any case that's not the point.

    ReplyDelete
  7. @lazzuadi, also the reason why this tutorial uses an in-memory users is because this is about ACL. If you want a user database access, I have that covered as well, but not in this tutorial. Check my tutorials list and you'll find one. Of course, you won't find any ACL there.

    ReplyDelete
  8. on deploying, I get this exception:
    Failed to convert value of type 'org.springframework.security.acls.domain.AclAuthorizationStrategyImpl' to required type 'org.springframework.security.acls.model.AclCache'

    PLEASE HELP

    ReplyDelete
  9. Thanks for the tutorial, it's been very helpful in trying to understand ACLs. The official Spring Security documentation is really inadequate.

    I don't really understand your reply to Dr. Drane:
    "For the ace_order, we need to have two (or more) since the default implementation isn't really a mask comparison."

    Can you please explain why this is the case? In the Spring documentation, acl_object_identity and ace_order together form a unique constraint. If the ace_order value is always unique for a given object ID, why would additional ace_order fields be needed?

    ReplyDelete
  10. hi
    for a spring mvc application,we are using opensso with ldap configured.
    and in web.xml file, listner class is AmAgentFilter.
    in the application we need role based autherization,so we include the spring role base autherization
    in web.xml file.
    but when we use both listner,authentication is not working,if spring role based autherisation is not used then
    if user know the url,and if he is a low level user he can also access admin's url.

    another problem can a same opensso can be used for two project,(eg :a.war & b.war)
    we are using glassfish 2.1

    role based acess is doing with application-security.xml file ,the user will create dynamically
    role ,but we need to restart domain(glassfish),how can we avoid this restarting.
    i had gone through your tutorial to do the role based accessing application.

    please help me

    ReplyDelete
  11. @DM, thanks for the comment. Actually, it's not that easy to explain. (If my memory serves me right) You'll have to dive deep down in the code and you will realize that the comparison isn't really a mask comparison (at least for this version of Spring Security). Honestly, there are quirks that the Spring documentation hasn't covered, and this is one of those. However, I've just realized Dr. Drane was referring to the table, and that one is a typo. I've just noticed it now. Thanks :)

    ReplyDelete
  12. Thanks karms. The tutorial is very organized and helpful to understand spring security

    ReplyDelete
  13. Firstly, excellent tutorial, the only negative is the width!

    I have one question regarding ACL's. If I have two or more applications all sharing the same ACL information, will they all see the correct values from the cache? Each application will write and read ACL information using the standard API.

    Cheers!

    ReplyDelete
  14. @Anonymous, this is the maximum width that Blogspot's theme designer will allow me to. If the cache is configured to be distributable, both apps should see the correct values. I assume you're referring to cache like EhCache?

    ReplyDelete
  15. Thanks this tutorial is very helpful. If there is another tutorial to show how to add an user acl to the database. It will be very good. I search around web and I can not find an example on it. From the java doc, it seems to be applications can use MutableAclService to add an user acl.

    dave

    ReplyDelete
  16. @Anonymous, right now I have none that demonstrates that. But you should be able to do it easily with MutableAclService. Utilize it just like any other CRUD service in an MVC context.

    ReplyDelete
  17. For maven dependencies, note the version of ehcache is in http://static.springsource.org/spring-security/site/docs/3.1.x/reference/appendix-dependencies.html it is required that version (took me one day) :(

    <dependency>
    <groupId>c3p0</groupId>
    <artifactId>c3p0</artifactId>
    <version>0.9.1.1</version>
    </dependency>
    <dependency>
    <groupId>net.sf.ehcache</groupId>
    <artifactId>ehcache</artifactId>
    <version>1.6.2</version>
    </dependency>

    ReplyDelete
  18. Great article. Thank you so much for sharing. For some reason the official documentation do not provide a step by step guide to setup Domain ACLs, so thanks for making our lives easier.

    ReplyDelete
  19. ldap online training| ldap training| call us+919000444287 ...
    www.21cssindia.com/courses/ldap-online-training-103.html
    LDAP Online Training, LDAP training, LDAP course contents, LDAP , call us: +919000444287,dharani@21cssindia.com.

    ReplyDelete
  20. hi.I need to know.How acl_sid class map with user name and how that work.I mean how get user's permission list.so on.Pls help me

    ReplyDelete
  21. Hello all,

    Some Spring configuration is deprecated for Spring Security 3.2.5

    1) AclAuthorizationStrategyImpl must be declared like this:

    https://gist.github.com/oliverfernandez/f9dca695917bdbc8f0b7

    2) When defining a BasicLookupStrategy, the constructor used here is deprecated. You should use the constructor which takes a PermissionGrantingStrategy instead. Furthermore, this helps in case you want to override the DefaultPermissionGrantingStrategy in order to implement a bit-wise permission evaluation (as exposed in the part 4 of this tutorial)

    https://gist.github.com/oliverfernandez/62df0491d61fb5a6327b

    I hope this can help

    ReplyDelete
  22. hi,
    i get problem at


    Multiple annotations found at this line:
    - No setter found for property 'driverClass' in class
    'org.springframework.jdbc.datasource.DriverManagerDataSource' [config set: springACL/web-context]
    - No setter found for property 'minPoolSize' in class
    'org.springframework.jdbc.datasource.DriverManagerDataSource' [config set: springACL/web-context]
    - Destroy-method 'close' not found in bean class
    'org.springframework.jdbc.datasource.DriverManagerDataSource' [config set: springACL/web-context]
    - No setter found for property 'jdbcUrl' in class
    'org.springframework.jdbc.datasource.DriverManagerDataSource' [config set: springACL/web-context]
    - No setter found for property 'user' in class 'org.springframework.jdbc.datasource.DriverManagerDataSource' [config
    set: springACL/web-context]
    - Destroy-method 'close' not found in bean class 'org.springframework.jdbc.datasource.DriverManagerDataSource'
    - No setter found for property 'maxStatements' in class
    'org.springframework.jdbc.datasource.DriverManagerDataSource' [config set: springACL/web-context]
    - No setter found for property 'maxPoolSize' in class
    'org.springframework.jdbc.datasource.DriverManagerDataSource' [config set: springACL/web-context]
    - No setter found for property 'idleConnectionTestPeriod' in class
    'org.springframework.jdbc.datasource.DriverManagerDataSource' [config set: springACL/web-context]
    - No setter found for property 'acquireIncrement' in class

    ReplyDelete
  23. Why is the AclAuthorizationStrategyImpl getting three times the same constructor-arg? Is that a copy&past error?

    ReplyDelete
  24. I have read your blog its very attractive and impressive. I like it your blog.

    Spring online training Spring online training Spring Hibernate online training Spring Hibernate online training Java online training

    spring training in chennai spring hibernate training in chennai

    ReplyDelete