How to connect ACLs with protected resources?

What is the best way to connect an ACL with the protected resource?

1) Should the protected resource hold a reference to its ACL?

interface AclHolder {
    Acl getAcl();
}

This would be simple, but if the object lives in a database it has to be constructed before it is possible to check access rights.

2) Spring Security uses a mechanism with the fully qualified class name and the object id to attach and retrieve the ACL externally. This could lead to an n+1 select problem, because multiple ACLs cannot be selected by a certain criterion. This system could break if class names change while refactoring.

3) Another way could be to store a reference to the protected resource within the ACL. With lazy loading it would be possible to check the ACL without loading the protected resource from the database.

class Acl<T> {
    @Lazy public T protectedResource;
    // acl methods ...
}

4) Each object could ha开发者_如何学Pythonve a security descriptor (like in windows):

class SecurityDescriptor<T> {
  public Acl acl;
  @Lazy public T protectedResource;
  // ...
}

What is better?

Provisional Solution: I will implement the AclHolder interface since domain objects can implement it and it is also possible to attach ACLs without affecting the domain objects.

spring security acl implementation comes with caching inbuilt and once that cache is warmed , the way u r going to retrieve the acl is mostly for a given object instance if u enforce the implementation through spring-security annotations, thus u dont really hit n+1 problem and moreover it is jdbc based.
The changing of domain object class names could be an issue though , but here also the acl_class table is stores the class identities and should be reasonably small to manage it as refactoring of that level happens between major releases in a production system. Spring-security acl implementation is a reasonable choice to have a quick acl implementation in a non-intrusive way(i.e ur domain models remain agnostic of security which is primarily an application layer concern).