
How does Spring Security's ACL (access control list) deal with a principal having multiple permissions per OBJECT_IDENTITY?

I am trying to roll out my own custom ACL system in Spring security which is more fine-tuned to my project than the default ACL system. My question is this:

How does the default ACL implementation that comes out of the box with Spring Security deal with a single principal object (SID) having multiple permissions per domain object (OBJECT_IDENTITY), without cluttering the database?

The documentation states: "ACL_ENTRY stores the individual permissions assigned to each recipient. Columns include a foreign key to the ACL_OBJECT_IDENTITY, the recipient (ie a foreign key to ACL_SID), whether we'll be auditing or not, and the integer bit mask that represents the actual permission being granted or denied. We have a single row for every recipient that receives a permission to work with a domain object."

So the ACL_Entry is basically the join table between a single principal user, and a single domain object that user has permissions for.

Fine. However, on the controller layer there are multiple CRUD methods that one can perform on a single object. What if one user has permission to update and delete an object, but another user only has permission to create and read an object (for instance)? Does the default Spring ACL system store a row in the database for EACH AND EVERY permission between a principal user and a domain object? For instance, Joe has permission to read this object. Row += 1. Joe also has permission to write this object. Row += 1 again, and so on.

If it does work this way, that will make it much easier to implement my custom rollout, because I was concerned about adding multiple permissions in the DB per object, per principal (you can see how, if one principal gets read, write, and update permissions per object, that is three rows per user; get 300 users and that's 900 rows, and you can see how this can be an exponential problem).

If not, then how does this work? Thanks.

Does the default Spring ACL system store a row in the database for EACH AND EVERY permission between a principal user and a domain object?

Yes.

On the other hand, a permission only needs one bit (on or off), and the Permission interface even has a getMask() method to combine several permissions into a single integer, so you could get away with only one record per sid/user and domain object. However, the built-in ACL permission evaluator in Spring Security confusingly cannot handle such bit masks, but requires a separate row for every permission to grant. Edit: This limitation is described in issue report SEC-2342.

Regarding your concern about many rows to store the permissions: A security identity (sid) does not need to be a single user, it can also be a group. If there are many users, assign users to groups and set permissions on groups.
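The following is an added example, not code from the question or the answer, that models the two storage layouts the answer contrasts: one ACL_ENTRY row per permission versus one row holding a combined bit mask, and why an exact-mask match (the behaviour the answer attributes to the built-in evaluator) never grants anything from the combined row. The mask values mirror Spring Security's BasePermission constants; the AclEntry row and both check functions are simplified stand-ins and are not Spring's real schema or classes.

```python
from dataclasses import dataclass

# Bit values as defined by Spring Security's BasePermission.
READ, WRITE, CREATE, DELETE, ADMINISTRATION = 1, 2, 4, 8, 16


@dataclass(frozen=True)
class AclEntry:
    """Simplified stand-in for an ACL_ENTRY row (assumed layout, not Spring's schema)."""
    object_identity: str   # e.g. "Document:42" (class + identifier)
    sid: str               # principal or granted authority
    mask: int              # integer bit mask of the permission(s)
    granting: bool = True  # False would be a deny entry


def cumulative_mask(*permissions: int) -> int:
    """OR several permission bits into one mask, the way getMask() values are combined."""
    mask = 0
    for p in permissions:
        mask |= p
    return mask


def granted_exact(entries, object_identity, sid, required):
    """First ACE for this sid/object whose mask EQUALS the required mask decides.
    This is the exact-match behaviour the answer describes (see SEC-2342)."""
    for e in entries:
        if e.object_identity == object_identity and e.sid == sid and e.mask == required:
            return e.granting
    return False


def granted_bitwise(entries, object_identity, sid, required):
    """Hypothetical alternative: an ACE matches if it CONTAINS every required bit.
    Shown only to contrast with granted_exact; not what the stock evaluator does."""
    for e in entries:
        if e.object_identity == object_identity and e.sid == sid and (e.mask & required) == required:
            return e.granting
    return False


# Constructed sample rows: joe has one row per permission, ann has one combined row.
ENTRIES = [
    AclEntry("Document:42", "joe", READ),
    AclEntry("Document:42", "joe", WRITE),
    AclEntry("Document:42", "ann", cumulative_mask(READ, WRITE, DELETE)),
]
```

With exact matching, joe's per-permission rows grant READ and WRITE, while ann's single combined row (mask 11) grants nothing, because no required mask ever equals 11; the bitwise variant would accept it.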
