Understanding Spring Security – Part 4 – ACL Security

Spring Security also provides domain object level security in addition to the other types of security discussed in this Spring Security blog series. In simple terms, an ACL lets you specify permissions for a combination of a role (or principal) and a business object (referred to as a domain object). For example, if you want to grant a user read permission on their own user data, based on their role, you would use ACL security.

Spring Security’s ACL services are shipped in the spring-security-acl-xxx.jar. You will need to add this JAR to your classpath to use Spring Security’s domain object instance security capabilities.

Spring Security’s domain object instance security capabilities centre on the concept of an access control list (ACL). Every domain object instance in your system has its own ACL, and the ACL records details of who can and can’t work with that domain object.

In order to secure domain objects, you must first create the ACL tables. I have provided the SQL for creating the ACL tables here:


Understanding Spring Security – Part 3 – Method Security

Since version 2.0, Spring Security has significantly improved its support for adding security to service layer methods. Method security is, by nature, slightly more complicated than the simple allow-or-deny model seen in URL-based Spring Security. It lets you supplement the traditional Spring beans application context syntax with elements from the Spring Security XML namespace.

In Spring Security, it is possible to apply security to individual methods. In order to use method security, the following lines need to be added to the files specified:


Understanding Spring Security – Part 2 – URL Based Security

Perhaps the simplest type of security for beginners to think of is URL-based security. Spring Security allows you to secure individual pages using role-based authorization. You can define the roles and the pages to secure, the URL to redirect to when login succeeds or fails, and link your application to an authentication source. Spring Security provides configuration for LDAP, OpenID, CAS and JAAS based authentication.

In order to add URL-based security, we create a new XML file, WEB-INF/applicationContext-security.xml, and reference it in web.xml under a context-param.

This file looks like this:


Understanding Spring Security – Part 1 – Introduction

Spring Security, formerly known as Acegi Security, is an open source security framework that is used extensively in Java-based web applications. Due to its power and customizability, Spring Security has become the de facto standard for securing Spring-based applications. The purpose of this blog series is to examine Spring Security 3.0 and to provide reference material on its various features.

Spring Security targets two main areas of web application security: “authentication” and “authorization.” Authentication is the process of establishing that a principal is who they claim to be. Authorization is the process of deciding whether a principal is allowed to perform an action within your application.