Mastering Ninja-Level Security with Spring ACLs

Guarding the Gates: Unlocking the Full Potential of ACLs in Spring Security

Aug 1, 2023

Mastering Ninja-Level Security with Spring ACLs

Imagine you’re diving into a world where your web application needs a ninja-level security system. Enter, Access Control Lists (ACLs) in Spring Security—a nifty way to give you the reins to decide who can do what. Picture it like a bouncer at a club, making sure only those on the VIP list get in. Let’s break it down a bit, and hopefully, you’ll see just how cool and essential this can be for your project.

ACLs in Spring Security let you be super specific about who can touch what in your app. Not just a “you can or you can’t” scenario but digging down to “you can do this particular thing to this particular piece of data.” If your app looks like a busy, high-stakes office, ACLs are those meticulous logbooks and stringent security checks ensuring everything’s accessed correctly and legally.

Okay, now, for those magic ingredients in ACLs, here are a few concepts you need in your toolbelt.

First off, ACL Entries: think of these as the individual permissions, like who can peek at that secret file or who can toss the trash. Then there’s Object Identity, marking each file or data piece with its own special ID, kinda like barcodes in a library. And don’t forget Security Identity (SID), the character in this story - it could be a user, like “Bob the Builder,” or a role, like “Admins.” Finally, Permissions are the actions you can carry out on the objects – reading, writing, deleting – you get the drift.

Ready to set this up? First, the database part. You’ve got to prep some tables. Imagine four large whiteboards where you jot down every user, role, object, and permission. These are essentially your ‘ACL_SID’, ‘ACL_CLASS’, ‘ACL_OBJECT_IDENTITY’, and ‘ACL_ENTRY’ tables. Setting this up is like arranging your Lego pieces; everything must be right on point. Here’s how you could lay it out:

CREATE TABLE ACL_SID (
  ID BIGINT PRIMARY KEY,
  PRINCIPAL SMALLINT NOT NULL,
  SID VARCHAR(100) NOT NULL UNIQUE
);

CREATE TABLE ACL_CLASS (
  ID BIGINT PRIMARY KEY,
  CLASS VARCHAR(100) NOT NULL UNIQUE
);

CREATE TABLE ACL_OBJECT_IDENTITY (
  ID BIGINT PRIMARY KEY,
  OBJECT_ID_CLASS BIGINT NOT NULL,
  OBJECT_ID_IDENTITY BIGINT NOT NULL,
  PARENT_OBJECT BIGINT,
  OWNER_SID BIGINT,
  ENTRIES_INHERITING SMALLINT NOT NULL,
  CONSTRAINT UNIQUE_UK SID_OBJECT_ID UNIQUE (OBJECT_ID_CLASS, OBJECT_ID_IDENTITY),
  CONSTRAINT FK_PARENT_OBJECT FOREIGN KEY (PARENT_OBJECT) REFERENCES ACL_OBJECT_IDENTITY (ID)
);

CREATE TABLE ACL_ENTRY (
  ID BIGINT PRIMARY KEY,
  ACL_OBJECT_IDENTITY BIGINT NOT NULL,
  ACE_ORDER INT NOT NULL,
  SID BIGINT NOT NULL,
  MASK INT NOT NULL,
  GRANTING SMALLINT NOT NULL,
  AUDIT_SUCCESS SMALLINT NOT NULL,
  AUDIT_FAILURE SMALLINT NOT NULL,
  CONSTRAINT UNIQUE_UK_ENTRIES_ORDER UNIQUE (ACL_OBJECT_IDENTITY, ACE_ORDER),
  CONSTRAINT FK_ENTRIES FOREIGN KEY (ACL_OBJECT_IDENTITY) REFERENCES ACL_OBJECT_IDENTITY (ID)
);

Now, let’s play the Spring Tune. Configuring ACL services in Spring is like setting up the perfect band. You’ll need a DataSource and then feed it to a JdbcMutableAclService and a BasicLookupStrategy. It’s like giving the band a set of instruments and a music sheet:

@Bean
public DataSource dataSource() {
    return DataSourceBuilder.create()
        .driverClassName("com.mysql.cj.jdbc.Driver")
        .url("jdbc:mysql://localhost:3306/mydb")
        .username("yourusername")
        .password("yourpassword")
        .build();
}

@Bean
public JdbcMutableAclService jdbcMutableAclService(DataSource dataSource, LookupStrategy lookupStrategy) {
    return new JdbcMutableAclService(dataSource, lookupStrategy);
}

@Bean
public LookupStrategy lookupStrategy(DataSource dataSource) {
    return new BasicLookupStrategy(dataSource);
}

With your band (or services) all hyped up and ready to rock, now it’s time to create and manage your ACLs. Picture yourself as the maestro of a grand orchestra, assigning each ACL to a piece of data, deciding who gets to play which note:

AclService aclService = new JdbcMutableAclService(dataSource, lookupStrategy);

ObjectIdentity objectIdentity = new ObjectIdentityImpl(Foo.class, 44);
Sid sid = new PrincipalSid("Samantha");

try {
    MutableAcl acl = (MutableAcl) aclService.readAclById(objectIdentity);
    acl.insertAce(acl.getEntries().size(), BasePermission.ADMINISTRATION, sid, true);
    aclService.updateAcl(acl);
} catch (NotFoundException e) {
    MutableAcl acl = new MutableAclImpl(objectIdentity, sid, new AclAuthorizationStrategyImpl(new ConsoleAuditLogger()));
    acl.insertAce(acl.getEntries().size(), BasePermission.ADMINISTRATION, sid, true);
    aclService.createAcl(acl);
}

Now let’s say you want to flex your muscles a bit further, using these ACLs for authorization. You can act like a watchdog, keeping an eye on who’s requesting what. Here’s a way to configure an AccessDecisionVoter – kinda like a checkpoint guard:

public class AclVoter implements AccessDecisionVoter<Object> {

    @Autowired
    private AclService aclService;

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return true;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true;
    }

    @Override
    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        ObjectIdentity objectIdentity = new ObjectIdentityImpl(object.getClass(), ((Foo) object).getId());
        Sid sid = new PrincipalSid(authentication.getName());

        try {
            Acl acl = aclService.readAclById(objectIdentity);
            return acl.isGranted(Collections.singletonList(BasePermission.ADMINISTRATION), Collections.singletonList(sid), true) ? ACCESS_GRANTED : ACCESS_DENIED;
        } catch (NotFoundException e) {
            return ACCESS_DENIED;
        }
    }
}

Feeling crafty? You can take the declarative route with annotations for while coding up your business logic. Like telling the app, “Hey, only let the ones with the permission updateFoo do this”. Check this out:

@Service
public class FooService {

    @Autowired
    private AclService aclService;

    @PreAuthorize("hasPermission(#foo, 'admin')")
    public void updateFoo(Foo foo) {
        // Update foo logic here
    }
}

If stock permissions aren’t cutting it for your unique needs, no worries! You can brew your own custom permissions. Maybe you need “super-read” or “ultra-modify” kinds of actions. Creating custom permissions is painless:

public class CustomPermission extends Permission {

    public static final int READ = 1 << 0;
    public static final int CREATE = 1 << 1;
    public static final int MODIFY = 1 << 2;
    public static final int DELETE = 1 << 3;
    public static final int ADMINISTER = 1 << 4;

    @Override
    public int getMask() {
        return getPermission();
    }

    public static Permission createPermission(int permission) {
        return new CustomPermission(permission);
    }

    private CustomPermission(int permission) {
        super(permission);
    }
}

And for those swinging the NoSQL way with MongoDB, there’s customization for that too! Think of it like translating the rules into a language MongoDB understands:

@Bean
public AclService aclService(MongoTemplate mongoTemplate) {
    return new MongoAclService(mongoTemplate);
}

Implementing ACLs in Spring Security might sound like a lot at first, but lining up these ducks means you’re setting up a strong, flexible security system. Whether you’re leaning on SQL or jumping on the NoSQL bandwagon, you’ll have the customizability and control you need. Keeping your app on point with who can access what, ensuring a secure and seamless experience, all thanks to the wizardry of ACLs.

Share: Facebook Twitter Reddit