which have a One-to-Many relationship.
Now, user theCoder created an article, "How to ask question?". The article got saved in the Article table with foreign key theCoder.
Now, another user theHacker logged into the application from somewhere and read the "How to ask question?" article. Then he/she tried to perform delete/update actions on the article, which they are not allowed to do. Only the owner of the article can delete/update the article.
How should I achieve this?
One way is to check the principal (the logged-in user's username) and then compare it with the user who created that article. If they match, delete/update the post; otherwise throw 403 unauthorized.
But that would be a lot to do in multiple controllers. Is there something handy provided by Spring Security?
I looked for it and there is ACL security, but I don't understand if it's the one I need. Nor are there many good articles/blogs/tutorials to be found on the web.
I think Domain Object ACLs are probably overkill, because they store a list of users that can access the object, per object. Unless you want to grant modification permissions to users other than the author, this is probably not what you want, because the database already contains the information indicating which user can edit an article: the associated author.
How would that be a lot to do in multiple controllers? Assuming you have an ArticleController, it could look something like this:
Suppose in the future I want to grant a few users some extra permissions. For example, you are the Author of the Spring forum, so you have some extra permissions.
In the same manner, users of my website would be granted special permissions based on their points.
How is this handled? ACL?
Stephan van Hulst
posted 1 year ago
No. ACL explicitly grants specific users access to specific objects.
When you want to do something like: "I'm the author of this article, but I want to explicitly grant user #123 and user #456 authorization to edit it as well", then you would use ACL.
If I wanted users to gain a set of special permissions that don't necessarily have to do with specific objects, I'd probably use roles. For instance, users that have a certain amount of points could be granted the 'editor' role, and they are allowed to edit all articles regardless of whether they are the author or not.
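The two approaches discussed in this thread, the author-equals-principal check from the first answer and the points-based 'editor' role from the second, can be combined in one Spring Security method-level rule. The following is an added example, not code from any of the posters; the `Article` record, `ArticleRepository`, the `articleSecurity` bean name and the `EDITOR` role are assumptions, and `@EnableMethodSecurity` is the Spring Security 6 annotation (older versions use `@EnableGlobalMethodSecurity(prePostEnabled = true)`).

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

// Assumed domain types for this example; the thread only mentions an Article table with an author foreign key.
record Article(long id, String title, String authorUsername) {}

interface ArticleRepository {
    Article findById(long id);   // assumed to return null when no such article exists
    void delete(long id);
}

@Configuration
@EnableMethodSecurity   // enables @PreAuthorize evaluation on Spring beans
class MethodSecurityConfig {}

// Referenced from SpEL as @articleSecurity. This is the single place where
// "compare the principal with the article's author" lives, so controllers do not repeat it.
@Component("articleSecurity")
class ArticleSecurity {
    private final ArticleRepository repo;
    ArticleSecurity(ArticleRepository repo) { this.repo = repo; }

    public boolean isOwner(long articleId, Authentication auth) {
        if (auth == null || !auth.isAuthenticated()) return false;
        Article article = repo.findById(articleId);
        // A missing article is simply "not owned": the caller gets the same 403 whether the
        // article belongs to someone else or does not exist, so nothing about existence leaks.
        return article != null && article.authorUsername().equals(auth.getName());
    }
}

@Service
class ArticleService {
    private final ArticleRepository repo;
    ArticleService(ArticleRepository repo) { this.repo = repo; }

    // hasRole('EDITOR') matches the granted authority ROLE_EDITOR (the points-based role);
    // otherwise the caller must be the author. A failed check raises AccessDeniedException,
    // which Spring Security translates to HTTP 403 for web requests.
    @PreAuthorize("hasRole('EDITOR') or @articleSecurity.isOwner(#id, authentication)")
    public void delete(long id) { repo.delete(id); }

    @PreAuthorize("hasRole('EDITOR') or @articleSecurity.isOwner(#id, authentication)")
    public Article update(long id, String newTitle) {
        Article current = repo.findById(id);
        return new Article(current.id(), newTitle, current.authorUsername());
    }
}
```

Resolving `#id` in the SpEL expression requires parameter names to be present at runtime (compile with `-parameters`, or annotate the parameter with Spring Security's `@P("id")`); otherwise the expression fails closed with an evaluation error rather than silently granting access.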