First of all, thanks for coming out with a very nice book.
I have one question: just like Spring Security has ACLs, in our firm we have our own group management, an enterprise user control list. Our system exposes some APIs to the applications using it and also connects to LDAP for a lot of info.
Is there any provision to extend the concept of ACL, so that if in future we plan to implement Spring Security at the enterprise level it could be easier for us?
As we discovered, Spring Security provides a lot of features around ACL and LDAP. We already use Spring in most of our applications, so it could be a new milestone in our security system.
SCJP SCWCD AIX SOA
The significant problems we face cannot be solved by the same level of thinking that created them -- Albert Einstein
The Spring Security ACL subsystem is certainly intended to be extended (in the truest OO sense) to develop whatever functionality your business unit might need. It comes out of the box with a very flexible system of inheritance and user/group/data relationship modeling that is likely to satisfy many common scenarios.
That said, it's very complex code which is written in a different style than most of the rest of Spring Security, and many new developers have a hard time getting their heads around it, so please do keep in mind the learning curve when rolling this out, especially to more junior developers.
The difficulty of understanding this part of the framework is one of the reasons I felt strongly about dedicating a whole chapter to ACLs in the book - this wasn't originally what I planned, but after reviewing the complexity of the code, I felt that I couldn't do justice to explaining it without having (checking my notes) about 35 pages of material on it.
Hope that answers your question!
Author, Spring Security 3 (the Book), Packt Publishing, 2010
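To make the extension points concrete, here is an added example (not from the book or the Spring Security project) of the two things the question and answer touch on: mapping an enterprise group list onto the Sids the ACL module evaluates, and using parent/child ACL inheritance. `EnterpriseGroupDirectory` is a hypothetical facade over the firm's own group API or LDAP lookup, the `GROUP_` authority naming and the `com.example.*` domain classes are assumptions, and `aclService` is whatever `MutableAclService` bean you have configured.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.GrantedAuthoritySid;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.acls.model.SidRetrievalStrategy;
import org.springframework.security.core.Authentication;

/**
 * Resolves the Sids an authenticated user "is" for ACL evaluation:
 * the principal itself plus one GrantedAuthoritySid per enterprise group.
 * Plugging a SidRetrievalStrategy in is the supported way to bring an
 * external group model into the ACL module without touching its core.
 */
public class EnterpriseSidRetrievalStrategy implements SidRetrievalStrategy {

    /** Hypothetical facade over the firm's group API / LDAP; not a Spring type. */
    public interface EnterpriseGroupDirectory {
        List<String> groupsOf(String username);
    }

    private final EnterpriseGroupDirectory directory;

    public EnterpriseSidRetrievalStrategy(EnterpriseGroupDirectory directory) {
        this.directory = directory;
    }

    /** Assumed convention: enterprise group "finance" becomes authority GROUP_FINANCE. */
    public static GrantedAuthoritySid groupSid(String groupId) {
        return new GrantedAuthoritySid("GROUP_" + groupId.toUpperCase());
    }

    @Override
    public List<Sid> getSids(Authentication authentication) {
        List<Sid> sids = new ArrayList<>();
        sids.add(new PrincipalSid(authentication));            // the user personally
        for (String group : directory.groupsOf(authentication.getName())) {
            sids.add(groupSid(group));                         // each enterprise group held
        }
        return sids;
    }
}

/** Creates a folder ACL whose entries are inherited by the report ACLs beneath it. */
class ReportAclSetup {
    private final MutableAclService aclService;

    ReportAclSetup(MutableAclService aclService) {
        this.aclService = aclService;
    }

    void grant(long folderId, long reportId, String ownerName, String groupId) {
        // com.example.ReportFolder / com.example.Report are assumed domain classes.
        ObjectIdentity folder = new ObjectIdentityImpl("com.example.ReportFolder", folderId);
        ObjectIdentity report = new ObjectIdentityImpl("com.example.Report", reportId);

        MutableAcl folderAcl = aclService.createAcl(folder);
        folderAcl.setOwner(new PrincipalSid(ownerName));
        // Everyone in the enterprise group may read anything in the folder.
        folderAcl.insertAce(folderAcl.getEntries().size(), BasePermission.READ,
                EnterpriseSidRetrievalStrategy.groupSid(groupId), true);
        folderAcl = aclService.updateAcl(folderAcl);

        MutableAcl reportAcl = aclService.createAcl(report);
        reportAcl.setParent(folderAcl);
        reportAcl.setEntriesInheriting(true);   // READ arrives via the folder's ACL
        // Only the owner may write this particular report.
        reportAcl.insertAce(0, BasePermission.WRITE, new PrincipalSid(ownerName), true);
        aclService.updateAcl(reportAcl);
    }
}
```

Wire the strategy into the `AclPermissionEvaluator` (it has a `setSidRetrievalStrategy` property) so that `hasPermission(...)` expressions evaluate group entries automatically. One caveat worth knowing before designing a custom `Sid` type: the stock `JdbcMutableAclService` and `BasicLookupStrategy` only know how to persist and reload `PrincipalSid` and `GrantedAuthoritySid`, so representing enterprise groups as granted authorities, as above, keeps the default JDBC storage usable; a bespoke `Sid` class would also require a custom lookup strategy and ACL service.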