tessl/maven-org-springframework-security--spring-security-acl
Spring Security ACL provides instance-based security for domain objects through a comprehensive Access Control List implementation
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
'%3e%3cpath%20d='m7.15%205.779.281.877c-.001.502.003.991.124%201.48l.116-.082.229-1.265c.723%201.422%202.78%203.325%202.53%205.008-.022.154-.082.3-.158.435.349-.014.375-.38.578-.56.187%201.005.17%201.975-.22%202.932l1.428%203.159c-.007.07-.626.285-.744.226-.087-.044-.629-1.506-.742-1.754-.103-.224-.457-1.044-.592-1.165-.592-.534-2.033-.183-2.773-.256l.488-.115.148-.109c-.68-.08-1.363-.34-1.85-.815.531.046%201.052.121%201.592.087.1-.006.378-.02.432-.114-1.338-.016-2.398-.569-3.16-1.62-1.03-1.422-1.646-3.215-2.658-4.662-.203-.289-.474-.68-.776-.847-.015-.092.076-.054.137-.049.375.034.778.157%201.148.234l1.26.462c-.404-.737-1.332-.637-1.984-.994-.759-.416-1.2-1.386-1.487-2.149-.258-.68-.536-1.495-.492-2.217.282.262.529.573.896.73.087-.102-.838-1.102-.867-1.323C-.051.673.656-.051%201.328.003c1.128.09%202.44%201.953%202.87%202.886.074.069.145-.23.149-.25.029-.154.01-.306.054-.452.67.932%201.64%201.722%202.122%202.768l.626%201.778V5.78Z'/%3e%3cpath%20d='m10.851%206.733.626-1.778c.483-1.047%201.451-1.836%202.122-2.769.045.147.025.299.054.452.005.021.075.32.149.25.43-.932%201.742-2.796%202.87-2.885.672-.054%201.38.67%201.294%201.31-.03.22-.954%201.221-.867%201.322.367-.156.614-.467.896-.729.044.722-.234%201.536-.49%202.218-.288.763-.73%201.733-1.488%202.149-.652.356-1.58.256-1.984.993l1.26-.461c.37-.077.772-.2%201.148-.234.06-.006.152-.044.136.049-.301.166-.573.557-.775.847-.794%201.135-1.347%202.488-2.049%203.68-.635%201.081-1.285%202.087-2.613%202.432.148-.768.005-1.562-.173-2.316l-.32-.092c-.219-1.088-.84-2.001-1.466-2.908l.919-1.475.229%201.265.116.082c.12-.489.125-.979.123-1.48l.283-.877v.955ZM8.017%2014.984c-.238.57-.531%201.119-.78%201.686-.089.204-.446%201.24-.518%201.295-.145.114-.622-.087-.777-.2l1.207-2.78h.868ZM12.008%2013.75c-.059.174-.949.7-1.04.617l.12-.5.92-.117Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h18v18H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/maven-org-springframework-security--spring-security-acl@6.5.0index.mddocs/
Spring Security ACL
Spring Security's Access Control List (ACL) module provides domain object instance-based security. It enables fine-grained permission controls where different users can have different permissions on individual instances of domain objects.
Package Information
Group ID: org.springframework.security
Artifact ID: spring-security-acl
Package: org.springframework.security.acls
Maven Dependency
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-acl</artifactId>
<version>6.5.1</version>
</dependency>Core Imports
import org.springframework.security.acls.AclPermissionEvaluator;
import org.springframework.security.acls.model.AclService;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.domain.GrantedAuthoritySid;
import org.springframework.security.acls.domain.ObjectIdentityImpl;Basic Usage Example
The modern approach uses Spring Security's expression-based access control with AclPermissionEvaluator:
@Service
public class DocumentService {
@PreAuthorize("hasPermission(#document, 'READ')")
public Document getDocument(Document document) {
return document;
}
@PreAuthorize("hasPermission(#document, 'WRITE')")
public void updateDocument(Document document) {
// Update document
}
@PreAuthorize("hasPermission(#documentId, 'com.example.Document', 'DELETE')")
public void deleteDocument(Long documentId) {
// Delete document
}
@PostAuthorize("hasPermission(returnObject, 'READ')")
public Document findDocument(Long id) {
return documentRepository.findById(id);
}
@PostFilter("hasPermission(filterObject, 'READ')")
public List<Document> getUserDocuments() {
return documentRepository.findAll();
}
}Architecture
Spring Security ACL provides a flexible, extensible architecture for domain object security:
Core Components
- AclService: Read access to ACL data
- MutableAclService: Create/modify ACL data
- AclPermissionEvaluator: Integration with Spring Security expressions
- Acl: Represents permissions for a domain object
- ObjectIdentity: Identifies domain object instances
- Sid: Security identities (users/roles)
- Permission: Specific permission types
Data Flow
- Permission Check:
@PreAuthorizetriggers permission evaluation - Object Identity: Extract identity from domain object
- Security Identity: Get current user's SIDs (principal + authorities)
- ACL Lookup: Query ACL data for object and SIDs
- Permission Decision: Check if required permission is granted
Capabilities
Core Domain Model
The ACL module provides a rich domain model for representing permissions:
// Domain object identity
ObjectIdentity identity = new ObjectIdentityImpl(Document.class, documentId);
// Security identities
Sid principalSid = new PrincipalSid("john.doe");
Sid roleSid = new GrantedAuthoritySid("ROLE_ADMIN");
// Built-in permissions
Permission read = BasePermission.READ;
Permission write = BasePermission.WRITE;
Permission delete = BasePermission.DELETE;Learn more about the domain model →
ACL Services
Programmatic access to ACL data for reading and modification:
@Autowired
private MutableAclService aclService;
// Create ACL for new object
MutableAcl acl = aclService.createAcl(objectIdentity);
// Grant permission
acl.insertAce(0, BasePermission.READ, principalSid, true);
aclService.updateAcl(acl);
// Read ACL
Acl existingAcl = aclService.readAclById(objectIdentity);Learn more about ACL services →
Permission Evaluation
Modern annotation-based approach with caching and optimization:
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig {
@Bean
public PermissionEvaluator permissionEvaluator(AclService aclService) {
AclPermissionEvaluator evaluator = new AclPermissionEvaluator(aclService);
evaluator.setPermissionFactory(permissionFactory());
return evaluator;
}
}Learn more about permission evaluation →
Configuration & Setup
Complete Spring configuration with database setup and security integration:
@Configuration
@EnableJpaRepositories
public class AclConfig {
@Bean
public AclService aclService() {
JdbcMutableAclService service = new JdbcMutableAclService(
dataSource(), lookupStrategy(), aclCache());
service.setClassIdentityQuery("SELECT @@IDENTITY");
service.setSidIdentityQuery("SELECT @@IDENTITY");
return service;
}
}Learn more about configuration →
Caching & Performance
Advanced caching and performance optimization features for production deployments:
@Bean
public AclCache aclCache() {
return new SpringCacheBasedAclCache(
cacheManager().getCache("aclCache"),
permissionGrantingStrategy(),
aclAuthorizationStrategy()
);
}
@Bean
public PermissionCacheOptimizer permissionCacheOptimizer(AclService aclService) {
return new AclPermissionCacheOptimizer(aclService);
}Learn more about caching & performance →
Strategy Interfaces
Extensible strategy interfaces for customizing ACL behavior:
// Custom object identity retrieval
@Bean
public ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy() {
return new CustomObjectIdentityRetrievalStrategy();
}
// Custom SID retrieval with groups
@Bean
public SidRetrievalStrategy sidRetrievalStrategy() {
return new GroupAwareSidRetrievalStrategy();
}
// Custom permission evaluation logic
@Bean
public PermissionGrantingStrategy permissionGrantingStrategy() {
return new CustomPermissionGrantingStrategy(auditLogger());
}Learn more about strategy interfaces →
Key Features
- Fine-grained Security: Per-instance permissions on domain objects
- Hierarchical ACLs: Support for parent-child ACL inheritance
- Flexible Permissions: Built-in permissions (READ, WRITE, CREATE, DELETE, ADMINISTRATION) with support for custom permissions
- Multiple Security Identities: Support for both principal-based and authority-based permissions
- Performance Optimized: Batch loading, caching, and SID filtering for efficient permission checks
- Database Agnostic: JDBC-based implementation works with any SQL database
- Spring Integration: Seamless integration with Spring Security's expression language
Standards Compliance
- Consistent with Spring Security patterns: Uses standard Spring Security interfaces and annotations
- Database portable: ANSI SQL compatible implementation
- Extensible design: Pluggable strategies for object identity retrieval, SID management, and permission handling
- Audit support: Built-in auditing capabilities for permission grant/deny events
Next Steps
- Understand the domain model - Core interfaces and their relationships
- Set up ACL services - Configure AclService implementations
- Implement permission evaluation - Use modern annotation-based approach
- Complete configuration - Database setup and Spring integration
- Customize with strategies - Extensible strategy interfaces for custom behavior
- Optimize performance - Caching and performance tuning for production
Version Information
This documentation covers Spring Security ACL version 6.x. The ACL module has been part of Spring Security since version 2.0 and maintains backward compatibility while encouraging migration to the modern annotation-based approach.