krams::
Sunday, January 30, 2011
Spring Security 3: Full ACL Tutorial (Part 1)
In this tutorial we'll develop a simple Bulletin application where various users can create, add, edit, and delete posts depending on their access levels. Our application is a simple CRUD system that utilizes an Access Control List (ACL) to secure domain objects. The corresponding permissions will be retrieved from an external MySQL database. There's a separate database for the Bulletin posts and the ACL itself.
Here's what we'll be doing:
1. Set up a MySQL database containing ACL data
2. Set up a separate database containing the application's data
3. Secure domain objects using Expression-Based Access Control
4. Secure URLs using the intercept-url and Expression-Based Access Control
5. Tackle unexpected issues
We'll be dividing the tutorial in four parts:
Part 1: Functional Specs and the Application Database
Part 2: Spring Security Configuration
Part 3: Spring MVC Module
Part 4: Running the Application
Our system will be built on Spring MVC 3 and Spring Security 3 for the security layer. The primary goal of this tutorial is to help us set up a quick ACL-based application. To achieve that, we'll be relying on standard implementations.
Part 1: Functional Specs
Let's describe the application's requirements first, so that we know our purpose.
In our system we have three roles:
ROLE_ADMIN - provides administrative access
ROLE_USER - provides regular access
ROLE_VISITOR - provides visitor access
We also have three concrete users along with their roles:
john - ROLE_ADMIN
jane - ROLE_USER
mike - ROLE_VISITOR
When john logs in, he is given the ROLE_ADMIN. When jane logs in, she is given the ROLE_USER. And when mike logs in, he gets the ROLE_VISITOR.
Our Bulletin application has three types of posts:
AdminPost - contains an id, date, and message
PersonalPost - contains an id, date, and message
PublicPost - contains an id, date, and message
Here are the simple rules:
1. Only users with ROLE_ADMIN can create AdminPost
2. Only users with ROLE_USER can create PersonalPost
3. Only users with ROLE_ADMIN or ROLE_USER can create PublicPost
4. Users with ROLE_VISITOR cannot create any post
Note: When we use the word 'create', we mean adding a new post.
Here are the complex rules:
1. A user can edit and delete posts that belong only to them regardless of the role.
2. A user with ROLE_ADMIN or ROLE_USER can edit and delete PublicPosts.
3. We are required to show all posts in the main Bulletin page
a. ROLE_ADMIN can see all posts
b. ROLE_USER can see Personal and Public posts
c. ROLE_VISITOR can only see Public posts
Let's visualize the rules using tables:
An admin has READ and WRITE access to everything, but only READ access to the Personal Posts.
Admin
Post Type   View   Add   Edit   Delete
Admin       x      x     x      x
Personal    x
Public      x      x     x      x
A regular user has READ and WRITE access to Personal Posts and Public Posts but only READ access to Admin Posts.
User
Post Type   View   Add   Edit   Delete
Admin
Personal    x      x     x      x
Public      x      x     x      x
A visitor can only read Admin and Public Posts but has no access whatsoever to the Personal Posts section.
Visitor
Post Type   View   Add   Edit   Delete
Admin
Personal
Public      x
The main problem:
If we focus on the simple rules, the solution looks easy. Just configure a simple http tag with a couple of intercept-url declarations. Here's how we may tackle this problem:
Admin Posts
<security:intercept-url pattern="/krams/admin/view" access="hasRole('ROLE_ADMIN')"/>
<security:intercept-url pattern="/krams/admin/add" access="hasRole('ROLE_ADMIN')"/>
<security:intercept-url pattern="/krams/admin/edit" access="hasRole('ROLE_ADMIN')"/>
<security:intercept-url pattern="/krams/admin/delete" access="hasRole('ROLE_ADMIN')"/>
Personal Posts
<security:intercept-url pattern="/krams/personal/view" access="hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/krams/personal/add" access="hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/krams/personal/edit" access="hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/krams/personal/delete" access="hasRole('ROLE_USER')"/>
Public Posts
<security:intercept-url pattern="/krams/public/view" access="hasRole('ROLE_ADMIN') or hasRole('ROLE_USER') or hasRole('ROLE_VISITOR')"/>
<security:intercept-url pattern="/krams/public/add" access="hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/krams/public/edit" access="hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/krams/public/delete" access="hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')"/>
However, if we consider the complex rules, intercept-url is unable to cope with them. Why? Because intercept-url is meant to secure at the URL level. The complex rules operate at the domain level.
The solution is to use ACL at the object level and intercept-url at the URL level.
The ACL Database
We'll start our multi-part tutorial by creating a new MySQL database named acl. This database will contain our access control list. It's composed of four tables:
acl_class
acl_sid
acl_object_identity
acl_entry
Let's create our database. Here are the steps:
1. Run MySQL.
Note: I'm using phpmyadmin to manage my MySQL database.
2. Create a new database named acl
3. Import the following SQL script to create the tables:
acl_structure_mysql.sql
-- phpMyAdmin SQL Dump
-- version 3.2.4
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation Time: Jan 26, 2011 at 04:34 PM
-- Server version: 5.1.41
-- PHP Version: 5.3.1

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";

--
-- Database: `acl`
--

-- --------------------------------------------------------

--
-- Table structure for table `acl_sid`
--

CREATE TABLE IF NOT EXISTS `acl_sid` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`principal` tinyint(1) NOT NULL,
`sid` varchar(100) NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `unique_uk_1` (`sid`,`principal`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=4 ;

-- --------------------------------------------------------

--
-- Table structure for table `acl_class`
--

CREATE TABLE IF NOT EXISTS `acl_class` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`class` varchar(255) NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `unique_uk_2` (`class`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=4 ;

-- --------------------------------------------------------

--
-- Table structure for table `acl_entry`
--

CREATE TABLE IF NOT EXISTS `acl_entry` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`acl_object_identity` bigint(20) NOT NULL,
`ace_order` int(11) NOT NULL,
`sid` bigint(20) NOT NULL,
`mask` int(11) NOT NULL,
`granting` tinyint(1) NOT NULL,
`audit_success` tinyint(1) NOT NULL,
`audit_failure` tinyint(1) NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `unique_uk_4` (`acl_object_identity`,`ace_order`),
KEY `foreign_fk_5` (`sid`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=43 ;

-- --------------------------------------------------------

--
-- Table structure for table `acl_object_identity`
--

CREATE TABLE IF NOT EXISTS `acl_object_identity` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`object_id_class` bigint(20) NOT NULL,
`object_id_identity` bigint(20) NOT NULL,
`parent_object` bigint(20) DEFAULT NULL,
`owner_sid` bigint(20) DEFAULT NULL,
`entries_inheriting` tinyint(1) NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `unique_uk_3` (`object_id_class`,`object_id_identity`),
KEY `foreign_fk_1` (`parent_object`),
KEY `foreign_fk_3` (`owner_sid`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=10 ;

-- --------------------------------------------------------

--
-- Constraints for dumped tables
--

--
-- Constraints for table `acl_entry`
--
ALTER TABLE `acl_entry`
ADD CONSTRAINT `foreign_fk_4` FOREIGN KEY (`acl_object_identity`) REFERENCES `acl_object_identity` (`id`),
ADD CONSTRAINT `foreign_fk_5` FOREIGN KEY (`sid`) REFERENCES `acl_sid` (`id`);

--
-- Constraints for table `acl_object_identity`
--
ALTER TABLE `acl_object_identity`
ADD CONSTRAINT `foreign_fk_1` FOREIGN KEY (`parent_object`) REFERENCES `acl_object_identity` (`id`),
ADD CONSTRAINT `foreign_fk_2` FOREIGN KEY (`object_id_class`) REFERENCES `acl_class` (`id`),
ADD CONSTRAINT `foreign_fk_3` FOREIGN KEY (`owner_sid`) REFERENCES `acl_sid` (`id`);
After importing the SQL script, you should have the following tables:
4. Import the following SQL script to populate the tables with data:
acl_data_mysql.sql
-- phpMyAdmin SQL Dump
-- version 3.2.4
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation Time: Jan 24, 2011 at 01:28 AM
-- Server version: 5.1.41
-- PHP Version: 5.3.1

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";

--
-- Database: `acl`
--

--
-- Dumping data for table `acl_sid`
--

INSERT INTO `acl_sid` (`id`, `principal`, `sid`) VALUES
(1, 1, 'john'),
(2, 1, 'jane'),
(3, 1, 'mike');

--
-- Dumping data for table `acl_class`
--

INSERT INTO `acl_class` (`id`, `class`) VALUES
(1, 'org.krams.tutorial.domain.AdminPost'),
(2, 'org.krams.tutorial.domain.PersonalPost'),
(3, 'org.krams.tutorial.domain.PublicPost');

--
-- Dumping data for table `acl_object_identity`
--

INSERT INTO `acl_object_identity` (`id`, `object_id_class`, `object_id_identity`, `parent_object`, `owner_sid`, `entries_inheriting`) VALUES
(1, 1, 1, NULL, 1, 0),
(2, 1, 2, NULL, 1, 0),
(3, 1, 3, NULL, 1, 0),
(4, 2, 1, NULL, 1, 0),
(5, 2, 2, NULL, 1, 0),
(6, 2, 3, NULL, 1, 0),
(7, 3, 1, NULL, 1, 0),
(8, 3, 2, NULL, 1, 0),
(9, 3, 3, NULL, 1, 0);

--
-- Dumping data for table `acl_entry`
--

INSERT INTO `acl_entry` (`id`, `acl_object_identity`, `ace_order`, `sid`, `mask`, `granting`, `audit_success`, `audit_failure`) VALUES
(1, 1, 1, 1, 1, 1, 1, 1),
(2, 2, 1, 1, 1, 1, 1, 1),
(3, 3, 1, 1, 1, 1, 1, 1),
(4, 1, 2, 1, 2, 1, 1, 1),
(5, 2, 2, 1, 2, 1, 1, 1),
(6, 3, 2, 1, 2, 1, 1, 1),
(7, 4, 1, 1, 1, 1, 1, 1),
(8, 5, 1, 1, 1, 1, 1, 1),
(9, 6, 1, 1, 1, 1, 1, 1),
(10, 7, 1, 1, 1, 1, 1, 1),
(11, 8, 1, 1, 1, 1, 1, 1),
(12, 9, 1, 1, 1, 1, 1, 1),
(13, 7, 2, 1, 2, 1, 1, 1),
(14, 8, 2, 1, 2, 1, 1, 1),
(15, 9, 2, 1, 2, 1, 1, 1),
(28, 4, 3, 2, 1, 1, 1, 1),
(29, 5, 3, 2, 1, 1, 1, 1),
(30, 6, 3, 2, 1, 1, 1, 1),
(31, 4, 4, 2, 2, 1, 1, 1),
(32, 5, 4, 2, 2, 1, 1, 1),
(33, 6, 4, 2, 2, 1, 1, 1),
(34, 7, 3, 2, 1, 1, 1, 1),
(35, 8, 3, 2, 1, 1, 1, 1),
(36, 9, 3, 2, 1, 1, 1, 1),
(37, 7, 4, 2, 2, 1, 1, 1),
(38, 8, 4, 2, 2, 1, 1, 1),
(39, 9, 4, 2, 2, 1, 1, 1),
(40, 7, 5, 3, 1, 1, 1, 1),
(41, 8, 5, 3, 1, 1, 1, 1),
(42, 9, 5, 3, 1, 1, 1, 1);
Verify that the tables have been populated with data:
acl_class should contain 3 records.
acl_sid should contain 3 records.
acl_object_identity should contain 9 records.
acl_entry should contain 30 records.
Table Definitions
So far what we've done is create a new database named acl and add four tables:
acl_class
acl_sid
acl_object_identity
acl_entry
But what are these tables exactly?
acl_class
The table acl_class stores the fully qualified name of domain objects. It is made up of the package name and class name of the object.
In the table below we have declared three fully qualified names that pertain to our three domain objects:
Field   Description
id      The primary key
class   The fully qualified name of the domain object
acl_sid
The table acl_sid stores the name of the users which can be a principal (like usernames john, james, mark) or an authority (like roles ROLE_ADMIN, ROLE_USER, ROLE_ANYONE).
In the table below we have declared three sid objects:
Field       Description
id          The primary key
principal   A flag to indicate if the sid field is a username or a role
sid         The actual username (i.e. john) or role (i.e. ROLE_ADMIN)
acl_object_identity
The table acl_object_identity stores the actual identities of the domain objects. The identities are referenced via a unique id which is retrieved from another database: the Bulletin database.
Field                Description
id                   The primary key
object_id_class      Refers to the id field in the acl_class. This is a reference to the fully qualified name of the class
object_id_identity   Refers to the primary id of the domain object. The id is assigned from another database: the Bulletin database (see the Bulletin Database below). Every domain object in the application needs to have a unique id.
parent_object        Refers to the id of the parent object if existing
owner_sid            Refers to the id field in the acl_sid. This is a reference to the username or role
entries_inheriting   A flag to indicate whether the object has inherited entries
acl_entry
The table acl_entry stores the actual permissions assigned for each user and domain object.
Field                 Description
id                    The primary key
acl_object_identity   Refers to the id field in the acl_object_identity table
ace_order             Refers to the ordering of the access control entries
sid                   Refers to the id field in the acl_sid table
mask                  A bitwise mask to indicate the permissions. A value of 1 is equivalent to READ permission, 2 for WRITE, and so forth.
granting              A flag to indicate whether the mask should be interpreted as granting access or denying access
audit_success         A flag to indicate whether to audit a successful permission
audit_failure         A flag to indicate whether to audit a failed permission
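To see how the four tables combine into an access decision, the following added example (not part of the original tutorial) loads the seed rows from acl_data_mysql.sql into an in-memory SQLite database, standing in for MySQL, and resolves permissions with one join. The helper names and the first-match evaluation are assumptions that model the fields described above; this is not Spring Security's own code.

```python
import sqlite3

READ, WRITE = 1, 2  # mask values as described for acl_entry.mask above
NAMES = {READ: "READ", WRITE: "WRITE"}

SCHEMA = """
CREATE TABLE acl_sid (id INTEGER PRIMARY KEY, principal INTEGER, sid TEXT);
CREATE TABLE acl_class (id INTEGER PRIMARY KEY, class TEXT);
CREATE TABLE acl_object_identity (id INTEGER PRIMARY KEY, object_id_class INTEGER,
  object_id_identity INTEGER, parent_object INTEGER, owner_sid INTEGER,
  entries_inheriting INTEGER);
CREATE TABLE acl_entry (id INTEGER PRIMARY KEY, acl_object_identity INTEGER,
  ace_order INTEGER, sid INTEGER, mask INTEGER, granting INTEGER,
  audit_success INTEGER, audit_failure INTEGER,
  UNIQUE (acl_object_identity, ace_order));
"""

# (first entry id, first object identity id, ace_order, sid, mask); each group
# expands to three consecutive rows and reproduces the 30 acl_entry rows above.
ENTRY_GROUPS = [(1, 1, 1, 1, 1), (4, 1, 2, 1, 2), (7, 4, 1, 1, 1), (10, 7, 1, 1, 1),
                (13, 7, 2, 1, 2), (28, 4, 3, 2, 1), (31, 4, 4, 2, 2), (34, 7, 3, 2, 1),
                (37, 7, 4, 2, 2), (40, 7, 5, 3, 1)]


def build_db():
    """Load the tutorial's ACL seed data into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO acl_sid VALUES (?,?,?)",
                   [(1, 1, "john"), (2, 1, "jane"), (3, 1, "mike")])
    db.executemany("INSERT INTO acl_class VALUES (?,?)",
                   [(i, "org.krams.tutorial.domain." + n) for i, n in
                    enumerate(("AdminPost", "PersonalPost", "PublicPost"), 1)])
    # Nine object identities: class c, post id i, no parent, owner sid 1 (john).
    db.executemany("INSERT INTO acl_object_identity VALUES (?,?,?,NULL,1,0)",
                   [(3 * (c - 1) + i, c, i) for c in (1, 2, 3) for i in (1, 2, 3)])
    db.executemany("INSERT INTO acl_entry VALUES (?,?,?,?,?,1,1,1)",
                   [(eid + k, oid + k, order, sid, mask)
                    for eid, oid, order, sid, mask in ENTRY_GROUPS for k in range(3)])
    return db


JOIN = """
SELECT s.sid, c.class, o.object_id_identity, e.mask, e.granting
FROM acl_entry e
JOIN acl_object_identity o ON o.id = e.acl_object_identity
JOIN acl_class c ON c.id = o.object_id_class
JOIN acl_sid s ON s.id = e.sid
"""


def is_granted(db, user, cls, post_id, mask):
    """First entry in ace_order matching sid and mask decides; no match denies."""
    row = db.execute(JOIN + "WHERE s.sid = ? AND c.class = ? AND o.object_id_identity = ?"
                     " AND e.mask = ? ORDER BY e.ace_order LIMIT 1",
                     (user, cls, post_id, mask)).fetchone()
    return bool(row and row[4])


def access_matrix(db):
    """Map (user, simple class name) to the permissions granted on its posts."""
    matrix = {}
    for sid, cls, _, mask, granting in db.execute(JOIN + "WHERE e.granting = 1"):
        matrix.setdefault((sid, cls.rsplit(".", 1)[1]), set()).add(NAMES[mask])
    return {key: sorted(perms) for key, perms in matrix.items()}


if __name__ == "__main__":
    for key, perms in sorted(access_matrix(build_db()).items()):
        print(key, perms)
```

A user and post type with no acl_entry row at all, such as jane on AdminPost, never appears in the matrix, which is how the seed data expresses "no access".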
The Bulletin Database
We've finished setting up the ACL database. Now it's time to set up the application's database: the bulletin database.
The bulletin database contains the actual posts from various users. It contains three tables:
Let's create this database. Here are the steps:
1. Run MySQL
Note: I'm using phpmyadmin to manage my MySQL database
2. Create a new database named bulletin
3. Import the following SQL script to create the tables and populate them with data automatically:
bulletin_mysql.sql
-- phpMyAdmin SQL Dump
-- version 3.2.4
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation Time: Jan 23, 2011 at 02:41 PM
-- Server version: 5.1.41
-- PHP Version: 5.3.1

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";


/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;

--
-- Database: `bulletin`
--

-- --------------------------------------------------------

--
-- Table structure for table `admin_post`
--

CREATE TABLE IF NOT EXISTS `admin_post` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`date` datetime NOT NULL,
`message` varchar(255) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=4 ;

--
-- Dumping data for table `admin_post`
--

INSERT INTO `admin_post` (`id`, `date`, `message`) VALUES
(1, '2011-01-03 21:37:58', 'Custom post #1 from admin'),
(2, '2011-01-04 21:38:39', 'Custom post #2 from admin'),
(3, '2011-01-05 21:39:37', 'Custom post #3 from admin');

-- --------------------------------------------------------

--
-- Table structure for table `personal_post`
--

CREATE TABLE IF NOT EXISTS `personal_post` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`date` datetime NOT NULL,
`message` varchar(255) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=4 ;

--
-- Dumping data for table `personal_post`
--

INSERT INTO `personal_post` (`id`, `date`, `message`) VALUES
(1, '2011-01-06 21:40:02', 'Custom post #1 from user'),
(2, '2011-01-07 21:40:13', 'Custom post #2 from user'),
(3, '2011-01-08 21:40:34', 'Custom post #3 from user');

-- --------------------------------------------------------

--
-- Table structure for table `public_post`
--

CREATE TABLE IF NOT EXISTS `public_post` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`date` datetime NOT NULL,
`message` varchar(255) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=4 ;

--
-- Dumping data for table `public_post`
--

INSERT INTO `public_post` (`id`, `date`, `message`) VALUES
(1, '2011-01-10 21:40:44', 'Custom post #1 from public'),
(2, '2011-01-11 21:40:48', 'Custom post #2 from public'),
(3, '2011-01-12 21:41:08', 'Custom post #3 from public');
4. After importing the SQL script, verify that you have the following tables and data:
Admin Post
Personal Post
Public Post
Reminder
Remember the object_id_identity field from the acl_object_identity table? The value of the object_id_identity field is derived from the actual value of the id field in the bulletin database.
Conclusion
We have completed the database setup for both the ACL and the Bulletin database. We've also explained the meaning behind the tables and the corresponding fields. Note we haven't touched anything specific to Spring Security, Spring MVC, or even Java yet. Our next task is to set up the Spring Security configuration.
Proceed to Part 2: Spring Security Configuration
Posted by Mark Serrano at 7:57 PM
7 comments:
Anonymous February 8, 2011 at 11:22 AM
But when you try to add a message it doesn't show up on the view page and I can see the message been added to the respective table
Reply
krams February 8, 2011 at 3:26 PM
@Anonymous, if you check part 4 of the tutorial under the Unexpected Problems section, you'll see that issue has been discussed.
Reply
Anonymous May 18, 2011 at 7:50 PM
Dear
Do all Java classes and domain object tables need to have id field so as to implement acl using above method. Can't we have our own primary key?
Reply
Unknown May 1, 2012 at 1:18 AM
CREATE TABLE acl.public.acl_class (
id BIGINT NOT NULL,
class VARCHAR(255) NOT NULL,
CONSTRAINT acl_class_pk PRIMARY KEY (id)
);
CREATE TABLE acl.public.acl_entry (
id BIGINT NOT NULL,
acl_object_identity BIGINT NOT NULL,
ace_order INTEGER NOT NULL,
sid BIGINT NOT NULL,
mask INTEGER NOT NULL,
granting BIT NOT NULL,
audit_success BIT NOT NULL,
audit_failure BIT NOT NULL,
CONSTRAINT acl_entry_pk PRIMARY KEY (id)
);
CREATE TABLE acl.public.acl_object_identity (
id BIGINT NOT NULL,
object_id_class BIGINT NOT NULL,
object_id_identity BIGINT NOT NULL,
parent_object BIGINT,
owner_sid BIGINT NOT NULL,
entries_inheriting BIT NOT NULL,
CONSTRAINT acl_object_identity_pk PRIMARY KEY (id)
);
CREATE TABLE acl.public.acl_sid (
id BIGINT NOT NULL,
principal BIT NOT NULL,
sid VARCHAR(100) NOT NULL,
CONSTRAINT acl_sid_pk PRIMARY KEY (id)
);
ALTER TABLE acl.public.acl_object_identity ADD CONSTRAINT foreign_fk_2
FOREIGN KEY (object_id_class)
REFERENCES acl.public.acl_class (id)
ON DELETE NO ACTION
ON UPDATE NO ACTION
NOT DEFERRABLE;
ALTER TABLE acl.public.acl_entry ADD CONSTRAINT foreign_fk_4
FOREIGN KEY (acl_object_identity)
REFERENCES acl.public.acl_object_identity (id)
ON DELETE NO ACTION
ON UPDATE NO ACTION
NOT DEFERRABLE;
ALTER TABLE acl.public.acl_entry ADD CONSTRAINT foreign_fk_5
FOREIGN KEY (sid)
REFERENCES acl.public.acl_sid (id)
ON DELETE NO ACTION
ON UPDATE NO ACTION
NOT DEFERRABLE;
ALTER TABLE acl.public.acl_object_identity ADD CONSTRAINT foreign_fk_3
FOREIGN KEY (owner_sid)
REFERENCES acl.public.acl_sid (id)
ON DELETE NO ACTION
ON UPDATE NO ACTION
NOT DEFERRABLE;
for postgres
Reply
Unknown May 1, 2012 at 1:32 AM
INSERT INTO acl_sid (id, principal, sid) VALUES
(1,'1','john'),
(2,'1','jane'),
(3,'1','mike');

-- Dumping data for table acl_class

INSERT INTO acl_class (id, class) VALUES
(1,'org.krams.tutorial.domain.AdminPost'),
(2,'org.krams.tutorial.domain.PersonalPost'),
(3,'org.krams.tutorial.domain.PublicPost');

-- Dumping data for table acl_object_identity

INSERT INTO acl_object_identity (id, object_id_class, object_id_identity, parent_object, owner_sid, entries_inheriting) VALUES
(1,1,1,NULL,1,'0'),
(2,1,2,NULL,1,'0'),
(3,1,3,NULL,1,'0'),
(4,2,1,NULL,1,'0'),
(5,2,2,NULL,1,'0'),
(6,2,3,NULL,1,'0'),
(7,3,1,NULL,1,'0'),
(8,3,2,NULL,1,'0'),
(9,3,3,NULL,1,'0');

-- Dumping data for table acl_entry

INSERT INTO acl_entry (id, acl_object_identity, ace_order, sid, mask, granting, audit_success, audit_failure) VALUES
(1,1,1,1,1,'1','1','1'),
(2,2,1,1,1,'1','1','1'),
(3,3,1,1,1,'1','1','1'),
(4,1,2,1,2,'1','1','1'),
(5,2,2,1,2,'1','1','1'),
(6,3,2,1,2,'1','1','1'),
(7,4,1,1,1,'1','1','1'),
(8,5,1,1,1,'1','1','1'),
(9,6,1,1,1,'1','1','1'),
(10,7,1,1,1,'1','1','1'),
(11,8,1,1,1,'1','1','1'),
(12,9,1,1,1,'1','1','1'),
(13,7,2,1,2,'1','1','1'),
(14,8,2,1,2,'1','1','1'),
(15,9,2,1,2,'1','1','1'),
(28,4,3,2,1,'1','1','1'),
(29,5,3,2,1,'1','1','1'),
(30,6,3,2,1,'1','1','1'),
(31,4,4,2,2,'1','1','1'),
(32,5,4,2,2,'1','1','1'),
(33,6,4,2,2,'1','1','1'),
(34,7,3,2,1,'1','1','1'),
(35,8,3,2,1,'1','1','1'),
(36,9,3,2,1,'1','1','1'),
(37,7,4,2,2,'1','1','1'),
(38,8,4,2,2,'1','1','1'),
(39,9,4,2,2,'1','1','1'),
(40,7,5,3,1,'1','1','1'),
(41,8,5,3,1,'1','1','1'),
(42,9,5,3,1,'1','1','1');
krams May 2, 2012 at 11:05 PM
I think if you look at the Spring Security jars, you will find the schema for Postgres as well (including schemas for other databases). Anyway, thank you for sharing this one. I'm sure it will help others reading this guide.
Dennis Kim April 9, 2013 at 10:15 AM
Good job! Really helps me. :)
Reply