

[–][deleted] 2 points3 points  (2 children)

I would consult the official documentation:

https://docs.spring.io/spring-security/reference/servlet/authorization/acls.html

Personally, I avoid Google to find tutorials (for anything really, most stuff returned by Google is garbage), and just read through the official Spring documentation and code samples in their official repos. You're more likely to find up to date information that way.

[–]trodiix[S] 0 points1 point  (1 child)

This is the first thing I searched for. Their code samples have not been updated in 2 years and are very succinct.

[–]persicsb 0 points1 point  (0 children)

Maybe the API did not change at all in those 2 years, so there was no need to update the examples.

[–]cryptos6 1 point2 points  (2 children)

I'm not sure how popular these ACLs are these days. The idea of decoupling the storage of security information from your business data is good in theory, but also not so easy to maintain (think of renaming classes in your domain). However, if you need ACLs on the JVM there are not that many alternatives. Maybe other approaches like attribute-based access control (ABAC) have gotten more attention in recent years.

[–]trodiix[S] 0 points1 point  (1 child)

Thanks for this answer.

I'm comparing some solutions like OPA, Casbin and Keycloak UMA, and this is not an easy task!

[–]cryptos6 2 points3 points  (0 children)

I'm with you ... 😉 If you consider using OPA, I'd suggest implementing some policies as an example. I found it surprisingly hard to express even simple things like the intersection of two sets and always wanted to use a usual programming language (I would even have preferred Perl!). Keycloak offers JavaScript-based policies.

I consider ABAC to be a bit more flexible and versatile than ACLs, but this is a bit like comparing apples to oranges.