Group and acl on Spring Security

I want to use Spring Security to manage user, group and permissions.

I want to use ACL to secure my domain objects but I can't find a way to assign a group to an acl.

For example: I've got users and groups. Each group can have the following securities: - manage forums (can be a role like ROLE_FORUM_MANAGER) - edit a specific forum (acl on开发者_开发技巧 the specific forum).

Moreover, Groups are defined by users which have role ROLE_PERMISSION_MANAGER. BUT all groups defined by this user can only be edited and managed by this user. So group are attached to a user. Exactly, imagine that user creates a google group: this user can manage right permission groups only for the group he has created. And so he can create group to manage specific forum of its own google group.

How can I do it?

I read the spring security docs and the following tutorials (so please don't send me to these links): http://grzegorzborkowski.blogspot.com/2008/10/spring-security-acl-very-basic-tutorial.html http://blog.denksoft.com/?page_id=20

Check Spring Security 3.0, you might be able to avoid using ACL at all by using the Spring Expression Language.

For instance, for editing a forum, you would have a method secured like this:

@PreAuthorize("hasRole('ROLE_FORUM_MANAGER') and hasPermission(#forum,'update'))
public void updateForum(Forum forum) {
    //some implementation
}

You would then implement the hasPermission method in a custom permission evaluator, like:

public class ForumPermissionEvaluator implements PermissionEvaluator {

    public boolean hasPermission(Authentication authentication,
            Object domainObject, Object permission) {
        //implement
    }

    public boolean hasPermission(Authentication authentication, 
            Serializable targetId, String targetType, Object permission) {
        //implement
    }
}

Finally, wire it up together in the application config:

<beans:bean id="expressionHandler"
    class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
  <beans:property name="permissionEvaluator" ref="permissionEvaluator"/>
</beans:bean>

<beans:bean id="permissionEvaluator"
    class="x.y.z.ForumPermissionEvaluator" />

I would just use your Groups like Roles. I've found the Spring ACL implementation to be pretty unwieldy and for the most part unusable. Just assign users to "groups" (Roles in all actuality) and check them as you would normal role based authorization.

I did something similar 'manually': i.e. I had my own code to determine which instances could be edited/deleted by a specific user and only relied on Spring security to ensure they had the right role to access the functionality and to provide role/authentication information for the current user.

So in my code I determined the current principal (our own User class) and based on that I decided what rights this user had on a specific instance.

public static User getCurrentUser() {
    User user = null;
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth != null) {
        Object principal = auth.getPrincipal();
        if (principal instanceof User) {
            user = (User)principal;
        }
    }
    return user;
}