Spring Security ACL

POC for


The first assumption is that authorization and authentication of the end user will happen at different ends:

  1. Monolith will guard authentication of the incoming HTTP requests
  2. Live Editor Service will receive HTTP requests that contain the identification of the user (JWT token)
  3. Live Editor will perform authentication based on the JWT token data
  4. Live Editor will perform authorization of the user's requests based on its ACL configuration
  5. Searchlight will own the permission of the so-called "Administrator": the user that will grant access to other users

See sequence Diagram

Security of the solution

  • Only a Searchlight-authenticated user will be able to make calls to the Live Editor service
  • Only the configured list of users (in Live Editor) will be able to perform changes
  • Live Editor will process only requests carrying a validly signed JWT token
  • A validly signed JWT token can be created only with the valid JWT secret
  • Only the production system (monolith) should have access to the valid JWT secret for the prod env
  • This solution supports role separation plus domain control: a user may be PUBLISHER but he/she may publish only to his/her configured domains

Demo role configs

POC configured with 3 users:
  1 - has ROLE_PUBLISHER for domains and
  2 - has ROLE_PUBLISHER for
  3 - has ROLE_ADMIN for and and

The application has configured domains (web properties). Roles are assigned to domains. Domains have Changes. Each Change inherits its permissions from its domain.

How to DEMO

  • make sure MySQL is running on your localhost:3306
  • start the application: mvn spring-boot:run
  • after the application has started, get an authentication token (ideally Monolith will generate it based on the authenticated user); authenticate the 3 users (generate 3 JWT tokens):
USER1=$(curl -X POST "http://localhost:8081/authenticate" -d '{"user":1}' -H "Content-Type: application/json")
USER2=$(curl -X POST "http://localhost:8081/authenticate" -d '{"user":2}' -H "Content-Type: application/json")
USER3=$(curl -X POST "http://localhost:8081/authenticate" -d '{"user":3}' -H "Content-Type: application/json")
  • using the previously generated JWT tokens, check that each user has different visibility (according to the ACL configuration) of the Domain Changes

User 3

User 3 can see changes for domains and and

curl -X GET "http://localhost:8081/changes" -H "Authorization:$USER3"

User 2

User 2 can see changes only for domains

curl -X GET "http://localhost:8081/changes" -H "Authorization:$USER2"

User 1

User 1 can see changes for domains and

curl -X GET "http://localhost:8081/changes" -H "Authorization:$USER1"

and can publish new changes to one of those domains

curl -X POST "http://localhost:8081/changes" -d '{"id":33,"changeContent": "new change","webProperty": {"id": 3,"name": ""}}' -H "Content-Type: application/json" -H "Authorization:$USER1"

however, user 1 cannot publish to

curl -X POST "http://localhost:8081/changes" -d '{"id": 34,"changeContent": "new change","webProperty": {"id": 1,"name": ""}}' -H "Content-Type: application/json" -H "Authorization:$USER1"
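The domain model above (roles assigned to domains, each Change inheriting its domain's permissions) and the demo behaviour (user 1 filtered on GET, denied on POST for web property 1) can be expressed with the Spring Security ACL API as follows. This is an added example, not the POC's own code; it assumes the usual ACL beans (a JdbcMutableAclService and an AclPermissionEvaluator wired into method security) are configured, and that WebProperty, Change and ChangeRepository are the entity and repository names, which the README does not show.

```java
import java.util.List;
import org.springframework.security.access.prepost.*;
import org.springframework.security.acls.domain.*;
import org.springframework.security.acls.model.*;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.*;

// Hypothetical service: grant a role on one web property (domain) and make each Change inherit that domain's ACL.
public class DomainAclService {
    // Role -> ACL permissions; the POC's real mapping is not shown, so this is an assumption.
    private static final List<Permission> PUBLISHER = List.of(BasePermission.READ, BasePermission.WRITE);
    private static final List<Permission> ADMIN = List.of(BasePermission.READ, BasePermission.WRITE, BasePermission.ADMINISTRATION);
    private final MutableAclService aclService;
    public DomainAclService(MutableAclService aclService) { this.aclService = aclService; }

    @Transactional
    public void grantRoleOnDomain(String username, String role, long webPropertyId) {
        MutableAcl domainAcl = readOrCreate(new ObjectIdentityImpl(WebProperty.class, webPropertyId));
        Sid user = new PrincipalSid(username); // ACE per principal: the role applies to this domain only
        for (Permission p : "ROLE_ADMIN".equals(role) ? ADMIN : PUBLISHER) {
            domainAcl.insertAce(domainAcl.getEntries().size(), p, user, true);
        }
        aclService.updateAcl(domainAcl);
    }

    @Transactional
    public void registerChange(long changeId, long webPropertyId) {
        MutableAcl changeAcl = readOrCreate(new ObjectIdentityImpl(Change.class, changeId));
        changeAcl.setParent(aclService.readAclById(new ObjectIdentityImpl(WebProperty.class, webPropertyId)));
        changeAcl.setEntriesInheriting(true); // no ACEs of its own: lookups fall through to the domain's ACEs
        aclService.updateAcl(changeAcl);
    }

    private MutableAcl readOrCreate(ObjectIdentity oid) {
        try { return (MutableAcl) aclService.readAclById(oid); }
        catch (NotFoundException e) { return aclService.createAcl(oid); }
    }
}

// Hypothetical controller: hasPermission() walks the Change's parent ACL, so a user is filtered on GET and denied on POST per domain.
@RestController
class ChangeController {
    private final ChangeRepository changeRepository; // assumed Spring Data repository
    ChangeController(ChangeRepository changeRepository) { this.changeRepository = changeRepository; }

    @GetMapping("/changes")
    @PostFilter("hasPermission(filterObject, 'READ')") // each Change is checked against its domain's ACL
    public List<Change> changes() { return changeRepository.findAll(); }

    @PostMapping("/changes")
    @PreAuthorize("hasPermission(#change.webProperty, 'WRITE')") // evaluated before anything is stored
    public Change publish(@RequestBody Change change) { return changeRepository.save(change); }
}
```

Because the ACEs live on the domain and are granted per principal, a user holding ROLE_PUBLISHER on web property 3 gets no WRITE on web property 1, which is the separation the "Security of the solution" section relies on.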