Acegi Security

Overview PLEASE NOTE: Acegi Security 1.0.3 contains a preview of a new ACL module. The new ACL module is a significant rewrite of the existing ACL module. The new module can be found under the org.acegisecurity.acls package, with the old ACL module under org.acegisecurity.acl. We encourage users to consider testing with the new ACL module and build applications with it. The old ACL module should be considered deprecated and may be removed from a future release. Complex applications often will find the need to define access permissions not simply at a web request or method invocation level. Instead, security decisions need to comprise both who (Authentication), where (MethodInvocation) and what (SomeDomainObject). In other words, authorization decisions also need to consider the actual domain object instance subject of a method invocation. Imagine you're designing an application for a pet clinic. There will be two main groups of users of your Spring-based application: staff of the pet clinic, as well as the pet clinic's customers. The staff will have access to all of the data, whilst your customers will only be able to see their own customer records. To make it a little more interesting, your customers can allow other users to see their customer records, such as their "puppy preschool "mentor or president of their local "Pony Club". Using Acegi Security as the foundation, you have several approaches that can be used: Write your business methods to enforce the security. You could consult a collection within the Customer domain object instance to determine which users have access. By using the SecurityContextHolder.getContext().getAuthentication(), you'll be able to access the Authentication object. Write an AccessDecisionVoter to enforce the security from the GrantedAuthority[]s stored in the Authentication object. This would mean your AuthenticationManager would need to populate the Authentication with custom GrantedAuthority[]s representing each of the Customer domain object instances the principal has access to. Write an AccessDecisionVoter to enforce the security and open the target Customer domain object directly. This would mean your voter needs access to a DAO that allows it to retrieve the Customer object. It would then access the Customer object's collection of approved users and make the appropriate decision. Each one of these approaches is perfectly legitimate. However, the first couples your authorization checking to your business code. The main problems with this include the enhanced difficulty of unit testing and the fact it would be more difficult to reuse the Customer authorization logic elsewhere. Obtaining the GrantedAuthority[]s from the Authentication object is also fine, but will not scale to large numbers of Customers. If a user might be able to access 5,000 Customers (unlikely in this case, but imagine if it were a popular vet for a large Pony Club!) the amount of memory consumed and time required to construct the Authentication object would be undesirable. The final method, opening the Customer directly from external code, is probably the best of the three. It achieves separation of concerns, and doesn't misuse memory or CPU cycles, but it is still inefficient in that both the AccessDecisionVoter and the eventual business method itself will perform a call to the DAO responsible for retrieving the Customer object. Two accesses per method invocation is clearly undesirable. In addition, with every approach listed you'll need to write your own access control list (ACL) persistence and business logic from scratch. Fortunately, there is another alternative, which we'll talk about below.

Basic ACL Package Please note that our Basic ACL services are currently being refactored. We expect release 1.1.0 will contain this new code. Planned code is already in the Acegi Security Subversion sandbox, so please check there if you have a new application requiring ACLs or are in the planning stages. The Basic ACL services will be deprecated from release 1.1.0. The org.acegisecurity.acl package is very simple, comprising only a handful of interfaces and a single class, as shown in Figure 6. It provides the basic foundation for access control list (ACL) lookups. Figure 6: Access Control List Manager The central interface is AclManager, which is defined by two methods: public AclEntry[] getAcls(java.lang.Object domainInstance); public AclEntry[] getAcls(java.lang.Object domainInstance, Authentication authentication); AclManager is intended to be used as a collaborator against your business objects, or, more desirably, AccessDecisionVoters. This means you use Spring's normal ApplicationContext features to wire up your AccessDecisionVoter (or business method) with an AclManager. Consideration was given to placing the ACL information in the ContextHolder, but it was felt this would be inefficient both in terms of memory usage as well as the time spent loading potentially unused ACL information. The trade-off of needing to wire up a collaborator for those objects requiring ACL information is rather minor, particularly in a Spring-managed application. The first method of the AclManager will return all ACLs applying to the domain object instance passed to it. The second method does the same, but only returns those ACLs which apply to the passed Authentication object. The AclEntry interface returned by AclManager is merely a marker interface. You will need to provide an implementation that reflects that ACL permissions for your application. Rounding out the org.acegisecurity.acl package is an AclProviderManager class, with a corresponding AclProvider interface. AclProviderManager is a concrete implementation of AclManager, which iterates through registered AclProviders. The first AclProvider that indicates it can authoritatively provide ACL information for the presented domain object instance will be used. This is very similar to the AuthenticationProvider interface used for authentication. With this background, let's now look at a usable ACL implementation. Acegi Security includes a production-quality ACL provider implementation, which is shown in Figure 7. Figure 7: Basic ACL Manager The implementation is based on integer masking, which is commonly used for ACL permissions given its flexibility and speed. Anyone who has used Unix's chmod command will know all about this type of permission masking (eg chmod 777). You'll find the classes and interfaces for the integer masking ACL package under org.acegisecurity.acl.basic. Extending the AclEntry interface is a BasicAclEntry interface, with the main methods shown below: public AclObjectIdentity getAclObjectIdentity(); public AclObjectIdentity getAclObjectParentIdentity(); public int getMask(); public java.lang.Object getRecipient(); As shown, each BasicAclEntry has four main properties. The mask is the integer that represents the permissions granted to the recipient. The aclObjectIdentity is able to identify the domain object instance for which the ACL applies, and the aclObjectParentIdentity optionally specifies the parent of the domain object instance. Multiple BasicAclEntrys usually exist against a single domain object instance, and as suggested by the parent identity property, permissions granted higher in the object hierarchy will trickle down and be inherited (unless blocked by integer zero). BasicAclEntry implementations typically provide convenience methods, such as isReadAllowed(), to avoid application classes needing to perform bit masking themselves. The SimpleAclEntry and AbstractBasicAclEntry demonstrate and provide much of this bit masking logic. The AclObjectIdentity itself is merely a marker interface, so you need to provide implementations for your domain objects. However, the package does include a NamedEntityObjectIdentity implementation which will suit many needs. The NamedEntityObjectIdentity identifies a given domain object instance by the classname of the instance and the identity of the instance. A NamedEntityObjectIdentity can be constructed manually (by calling the constructor and providing the classname and identity Strings), or by passing in any domain object that contains a getId() method. The actual AclProvider implementation is named BasicAclProvider. It has adopted a similar design to that used by the authentication-related DaoAuthenticationProvder. Specifically, you define a BasicAclDao against the provider, so different ACL repository types can be accessed in a pluggable manner. The BasicAclProvider also supports pluggable cache providers (with Acegi Security including an implementation that fronts EH-CACHE). The BasicAclDao interface is very simple to implement: public BasicAclEntry[] getAcls(AclObjectIdentity aclObjectIdentity); A BasicAclDao implementation needs to understand the presented AclObjectIdentity and how it maps to a storage repository, find the relevant records, and create appropriate BasicAclEntry objects and return them. Acegi Security includes a single BasicAclDao implementation called JdbcDaoImpl. As implied by the name, JdbcDaoImpl accesses ACL information from a JDBC database. There is also an extended version of this DAO, JdbcExtendedDaoImpl, which provides CRUD operations on the JDBC database, although we won't discuss these features here. The default database schema and some sample data will aid in understanding its function: CREATE TABLE acl_object_identity ( id IDENTITY NOT NULL, object_identity VARCHAR_IGNORECASE(250) NOT NULL, parent_object INTEGER, acl_class VARCHAR_IGNORECASE(250) NOT NULL, CONSTRAINT unique_object_identity UNIQUE(object_identity), FOREIGN KEY (parent_object) REFERENCES acl_object_identity(id) ); CREATE TABLE acl_permission ( id IDENTITY NOT NULL, acl_object_identity INTEGER NOT NULL, recipient VARCHAR_IGNORECASE(100) NOT NULL, mask INTEGER NOT NULL, CONSTRAINT unique_recipient UNIQUE(acl_object_identity, recipient), FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity(id) ); INSERT INTO acl_object_identity VALUES (1, 'corp.DomainObject:1', null, 'org.acegisecurity.acl.basic.SimpleAclEntry'); INSERT INTO acl_object_identity VALUES (2, 'corp.DomainObject:2', 1, 'org.acegisecurity.acl.basic.SimpleAclEntry'); INSERT INTO acl_object_identity VALUES (3, 'corp.DomainObject:3', 1, 'org.acegisecurity.acl.basic.SimpleAclEntry'); INSERT INTO acl_object_identity VALUES (4, 'corp.DomainObject:4', 1, 'org.acegisecurity.acl.basic.SimpleAclEntry'); INSERT INTO acl_object_identity VALUES (5, 'corp.DomainObject:5', 3, 'org.acegisecurity.acl.basic.SimpleAclEntry'); INSERT INTO acl_object_identity VALUES (6, 'corp.DomainObject:6', 3, 'org.acegisecurity.acl.basic.SimpleAclEntry'); INSERT INTO acl_permission VALUES (null, 1, 'ROLE_SUPERVISOR', 1); INSERT INTO acl_permission VALUES (null, 2, 'ROLE_SUPERVISOR', 0); INSERT INTO acl_permission VALUES (null, 2, 'marissa', 2); INSERT INTO acl_permission VALUES (null, 3, 'scott', 14); INSERT INTO acl_permission VALUES (null, 6, 'scott', 1); As can be seen, database-specific constraints are used extensively to ensure the integrity of the ACL information. If you need to use a different database (Hypersonic SQL statements are shown above), you should try to implement equivalent constraints. The equivalent Oracle configuration is: CREATE TABLE ACL_OBJECT_IDENTITY ( ID number(19,0) not null, OBJECT_IDENTITY varchar2(255) NOT NULL, PARENT_OBJECT number(19,0), ACL_CLASS varchar2(255) NOT NULL, primary key (ID) ); ALTER TABLE ACL_OBJECT_IDENTITY ADD CONTRAINT FK_PARENT_OBJECT foreign key (ID) references ACL_OBJECT_IDENTITY CREATE SEQUENCE ACL_OBJECT_IDENTITY_SEQ; CREATE OR REPLACE TRIGGER ACL_OBJECT_IDENTITY_ID BEFORE INSERT ON ACL_OBJECT_IDENTITY FOR EACH ROW BEGIN SELECT ACL_OBJECT_IDENTITY_SEQ.NEXTVAL INTO :new.id FROM dual; END; CREATE TABLE ACL_PERMISSION ( ID number(19,0) not null, ACL_OBJECT_IDENTITY number(19,0) NOT NULL, RECIPIENT varchar2(255) NOT NULL, MASK number(19,0) NOT NULL, primary key (ID) ); ALTER TABLE ACL_PERMISSION ADD CONTRAINT UNIQUE_ID_RECIPIENT unique (acl_object_identity, recipient); CREATE SEQUENCE ACL_PERMISSION_SEQ; CREATE OR REPLACE TRIGGER ACL_PERMISSION_ID BEFORE INSERT ON ACL_PERMISSION FOR EACH ROW BEGIN SELECT ACL_PERMISSION_SEQ.NEXTVAL INTO :new.id FROM dual; END; <bean id="basicAclExtendedDao" class="org.acegisecurity.acl.basic.jdbc.JdbcExtendedDaoImpl"> <property name="dataSource"> <ref bean="dataSource"/> </property> <property name="objectPropertiesQuery" value="${acegi.objectPropertiesQuery}"/> </bean> <prop key="acegi.objectPropertiesQuery">SELECT CHILD.ID, CHILD.OBJECT_IDENTITY, CHILD.ACL_CLASS, PARENT.OBJECT_IDENTITY as PARENT_OBJECT_IDENTITY FROM acl_object_identity as CHILD LEFT OUTER JOIN acl_object_identity as PARENT ON CHILD.parent_object=PARENT.id WHERE CHILD.object_identity = ?</prop> The JdbcDaoImpl will only respond to requests for NamedEntityObjectIdentitys. It converts such identities into a single String, comprising the NamedEntityObjectIdentity.getClassname() + ":" + NamedEntityObjectIdentity.getId(). This yields the type of object_identity values shown above. As indicated by the sample data, each database row corresponds to a single BasicAclEntry. As stated earlier and demonstrated by corp.DomainObject:2 in the above sample data, each domain object instance will often have multiple BasicAclEntry[]s. As JdbcDaoImpl is required to return concrete BasicAclEntry classes, it needs to know which BasicAclEntry implementation it is to create and populate. This is the role of the acl_class column. JdbcDaoImpl will create the indicated class and set its mask, recipient, aclObjectIdentity and aclObjectParentIdentity properties. As you can probably tell from the sample data, the parent_object_identity value can either be null or in the same format as the object_identity. If non-null, JdbcDaoImpl will create a NamedEntityObjectIdentity to place inside the returned BasicAclEntry class. Returning to the BasicAclProvider, before it can poll the BasicAclDao implementation it needs to convert the domain object instance it was passed into an AclObjectIdentity. BasicAclProvider has a protected AclObjectIdentity obtainIdentity(Object domainInstance) method that is responsible for this. As a protected method, it enables subclasses to easily override. The normal implementation checks whether the passed domain object instance implements the AclObjectIdentityAware interface, which is merely a getter for an AclObjectIdentity. If the domain object does implement this interface, that is the identity returned. If the domain object does not implement this interface, the method will attempt to create an AclObjectIdentity by passing the domain object instance to the constructor of a class defined by the BasicAclProvider.getDefaultAclObjectIdentity() method. By default the defined class is NamedEntityObjectIdentity, which was described in more detail above. Therefore, you will need to either (i) provide a getId() method on your domain objects, (ii) implement AclObjectIdentityAware on your domain objects, (iii) provide an alternative AclObjectIdentity implementation that will accept your domain object in its constructor, or (iv) override the obtainIdentity(Object) method. Once the AclObjectIdentity of the domain object instance is determined, the BasicAclProvider will poll the DAO to obtain its BasicAclEntry[]s. If any of the entries returned by the DAO indicate there is a parent, that parent will be polled, and the process will repeat until there is no further parent. The permissions assigned to a recipient closest to the domain object instance will always take priority and override any inherited permissions. From the sample data above, the following inherited permissions would apply: --- Mask integer 0 = no permissions --- Mask integer 1 = administer --- Mask integer 2 = read --- Mask integer 6 = read and write permissions --- Mask integer 14 = read and write and create permissions --------------------------------------------------------------------- --- *** INHERITED RIGHTS FOR DIFFERENT INSTANCES AND RECIPIENTS *** --- INSTANCE RECIPIENT PERMISSION(S) (COMMENT #INSTANCE) --------------------------------------------------------------------- --- 1 ROLE_SUPERVISOR Administer --- 2 ROLE_SUPERVISOR None (overrides parent #1) --- marissa Read --- 3 ROLE_SUPERVISOR Administer (from parent #1) --- scott Read, Write, Create --- 4 ROLE_SUPERVISOR Administer (from parent #1) --- 5 ROLE_SUPERVISOR Administer (from parent #3) --- scott Read, Write, Create (from parent #3) --- 6 ROLE_SUPERVISOR Administer (from parent #3) --- scott Administer (overrides parent #3) So the above explains how a domain object instance has its AclObjectIdentity discovered, and the BasicAclDao will be polled successively until an array of inherited permissions is constructed for the domain object instance. The final step is to determine the BasicAclEntry[]s that are actually applicable to a given Authentication object. As you would recall, the AclManager (and all delegates, up to and including BasicAclProvider) provides a method which returns only those BasicAclEntry[]s applying to a passed Authentication object. BasicAclProvider delivers this functionality by delegating the filtering operation to an EffectiveAclsResolver implementation. The default implementation, GrantedAuthorityEffectiveAclsResolver, will iterate through the BasicAclEntry[]s and include only those where the recipient is equal to either the Authentication's principal or any of the Authentication's GrantedAuthority[]s. Please refer to the JavaDocs for more information. Figure 8: ACL Instantiation Approach The above figure explains the key relationships between objects in the Basic ACL package.