SEC-3207: Dynamic method execution security #3405
Labels
in: acl
An issue in spring-security-acl
type: enhancement
A general enhancement
type: jira
An issue that was migrated from JIRA
Mario Casari (Migrated from SEC-3207) said:
I would like to suggest an improvement that would easily provide an interesting additional facility using only current ACL features. Sometimes there is the need to dynamically secure method execution on a permission rather than on a role basis, using roles as containers of permissions. This is the case when the application security rules included methods execution must be completely configurable at runtime. As far as I know there is no out-of-the-box solution in Spring Security for it, but I think that this feature could be extrapolated easily from the ACL module. Since a ‘Sid’ entity could represent both a Principal and a GranthedAuthority, an ACE in which the Sid is a GrantedAuthority can be seen as a permission on an object granted to a Role, where the Role is the GrantedAuthority. If we consider a custom permission that plays the role of execute permission on methods we can associate such permission to a Method instance (to be more specific we would have to wrap the Method class to provide an ID to it) and a GrantedAuthority or directly to a Principal using the ACL API.
I explain these ideas in more details in two articles of mine, dynamically securing methods by spring security and dynamic spring security sample .
In the first the general idea is described, in the second there is a full working example.
My suggestion would be to provide the ACL package with a custom permission (method execution permission), a custom Permission Evaluator, Voter and annotation as I do in my example so as this feature would be directly available to the developers.
The text was updated successfully, but these errors were encountered: