Introduce Spring Security ACL (Access Control Lists) #36
Conversation
The added SQL script works for H2 and Postgres. It will be executed on startup as configured in the context-init.xml. This way it is ensured that the ACL database exists after starting up the system.
The SHOGun2 authentication provider will now request a user from the database. The accountName of the user will be used as the principal in the authentication object.
For the demonstration of the ACL usage, some access control entries were made.
The AOP libraries will be used to intercept the saveOrUpdate and delete method of the AbstractCrudService in a next step.
By using this aspect class, the saveOrUpdate and delete methods of the AbstractCrudService will be intercepted (if the webapp is configured properly).
Enabled AOP/AspectJ in archetype and use the SHOGun2 AclManagement aspect, which was committed in the previous step.
This SidRetrievalStrategy behaves like the default (SidRetrievalStrategyImpl), but checks if the principal of the current authentication object is a SHOGun2 user object. In such cases, the accountName of the SHOGun2 user will be used to build a PrincipalSid.
The Shogun2AuthenticationProvider will now pass the SHOGun2-User object as the principal of the authentication. The authentication provider has also been enhanced by checking if the SHOGun2 user object actually has grantedAuthorities. (The last point is a preparation as we do not yet retrieve the authorities from our SHOGun2 database).
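As an added illustration of the SidRetrievalStrategy described in the commits above (example code, not the PR's own), this class mirrors the default SidRetrievalStrategyImpl without a role hierarchy but derives the PrincipalSid from the user's accountName; the SHOGun2 `User` class and its `getAccountName()` method are assumed.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.security.acls.domain.GrantedAuthoritySid;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.acls.model.SidRetrievalStrategy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/**
 * Added example, not the PR's code. Behaves like the default
 * SidRetrievalStrategyImpl (no role hierarchy), except that when the
 * principal is a SHOGun2 User object the PrincipalSid is built from the
 * user's accountName instead of Authentication.getName().
 * The User class and its getAccountName() method are assumed.
 */
public class AccountNameSidRetrievalStrategy implements SidRetrievalStrategy {

    @Override
    public List<Sid> getSids(Authentication authentication) {
        Object principal = authentication.getPrincipal();
        List<Sid> sids = new ArrayList<>();

        // The principal SID must match exactly what is stored in acl_sid;
        // otherwise no ACE granted to this user will ever be evaluated.
        if (principal instanceof User) {
            sids.add(new PrincipalSid(((User) principal).getAccountName()));
        } else {
            // Fall back to the default behaviour for non-SHOGun2 principals.
            sids.add(new PrincipalSid(authentication));
        }

        // Role-based SIDs are added exactly as the default strategy does,
        // so ACEs granted to a role keep working.
        Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
        for (GrantedAuthority authority : authorities) {
            sids.add(new GrantedAuthoritySid(authority));
        }
        return sids;
    }
}
```

Register the bean as the `sidRetrievalStrategy` of the ACL permission evaluator and lookup strategy so both permission checks and ACE lookups resolve the same SID.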
I added some more commits:
As the test failed, I made it work again...
The customized ACL service takes care if the principal object of the current authentication is a SHOGun2 User object.
I made some more enhancements:
Hey @buehner, great work! I am sure this is the right direction for SHOGun2 wrt security. Please merge. Additionally it'd be great if you could turn the remaining TODOs into Github issues. If possible a tutorial on how to use the security mechanism would be great. Thanks!
Introduce Spring Security ACL (Access Control Lists)
As described in #35, this PR introduces Spring Security ACLs.
The implementations are mainly based on this tutorial (influenced by this tutorial).
Here is a short list of features that this PR would introduce:
Most parts of this PR are a proof of concept, which means that still some coding has to be done (especially to save/update/delete the ACL entries). But as it is working: Try the webapp archetype and feel free to merge.