http://toubsen.de/ 2010-09-05T23:48:47+02:00 http://toubsen.de/ http://toubsen.de/lib/images/favicon.ico text/html 2007-09-23T02:09:04+02:00 http://toubsen.de/appfuse/acls/acl-performance?rev=1190506144&do=diff Finally some performance considerations when using ACLs. Fundamental rules ACLs get read for each single object - for this reason the number of accesses to an ACL-secured object should be minimized as far as possible. A good idea might be, to apply ACLs only to the top level of your object hierarchy, and allow access to the child objects only through a secured parent object. ACLs will only perform well for a narrow number of objects, above this limit the application will perform very badly. text/html 2007-09-23T02:10:28+02:00 http://toubsen.de/appfuse/acls/change-personmanager?rev=1190506228&do=diff To use the ACL capabilities for an object, the manager for this object has to be changed, too. It has to take care of creating ACLs for a new object, as well as deleting them if an existing object gets deleted. Reference AclManager in the PersonManager For the PersonManager to be able to change ACLs, it needs a reference to the ACL-manager. This results in the following method definition: text/html 2010-02-28T19:36:45+02:00 http://toubsen.de/appfuse/acls/change-references?rev=1267382205&do=diff For using the new secure manager, the references in the config files have to be changed. Basically, there are two possibilities: Rename the basic manager Change the name of the PersonManager from 'personManager' to something like 'personManagerInsecure'. Then the value of the 'ref'-Attribute of the 'personManagerSecure' has to be changed as well. text/html 2010-02-28T19:36:45+02:00 http://toubsen.de/appfuse/acls/how-to-use-acls?rev=1267382205&do=diff This page contains some hints on how to use ACLs in an application. Values for permissions The permissions get defined as a bit mask, the single bits representing the following permissions: permission value ADMINISTRATION 1 READ 2 WRITE 4 CREATE 8 DELETE 16 To assign multiple permissions, the values have to be combined with a logical OR. text/html 2007-09-23T02:20:34+02:00 http://toubsen.de/appfuse/acls/new-acegi-managers?rev=1190506834&do=diff To hook Acegi to the secure objects, some beans have to be defined. The bean-definitions are added to 'src/main/webapp/WEB-INF/security.xml'. Secure PersonManager The first bean to define is a secure instance of the PersonManager, which gets secured by the acegi ACLs: text/html 2010-02-28T19:36:45+02:00 http://toubsen.de/appfuse/acls/new-daos?rev=1267382205&do=diff After defining the domain classes, we also want some DAOs to persist and delete ACLs. New Interfaces BasicAclObjectIdentityDao package org.appfuse.dao; import org.appfuse.model.acl.BasicAclObjectIdentity; public interface BasicAclObjectIdentityDao extends GenericDao<BasicAclObjectIdentity, Long> { /** * Saves a object identity to persistent storage * * @param basicAclObjectIdentity Identity to save */ public void saveBasicAclObjectIdentity(BasicAclObjectIdentity basicAclObje… text/html 2010-02-28T19:36:45+02:00 http://toubsen.de/appfuse/acls/new-managers?rev=1267382205&do=diff For creating/changing/deleting ACLs from business code (e.g. allowing a user to modify ACLs of his objects), a manager is also needed. Interface package org.appfuse.service; import java.io.Serializable; import java.util.List; import org.acegisecurity.Authentication; import org.acegisecurity.acl.AclProvider; import org.appfuse.model.acl.BaseObjectAclAware; import org.appfuse.model.acl.BasicAclObjectIdentity; import org.appfuse.model.acl.BasicAclPermission; public interface BasicAclProvi… text/html 2010-02-28T19:36:45+02:00 http://toubsen.de/appfuse/acls/new-models?rev=1267382205&do=diff To work with ACLs, we need some new domain objects. Base class for secured objects The class BaseObjectAclAware serves as a base class for all domain objects, we want to secure. package org.appfuse.model.acl; import java.io.Serializable; import org.appfuse.model.BaseObject; /** * Base object for all ACL aware model objects */ public abstract class BaseObjectAclAware extends BaseObject { /** * This methods returns the unique key of the object (the primary key) * * @retu… text/html 2010-02-28T19:36:45+02:00 http://toubsen.de/appfuse/acls/start?rev=1267382205&do=diff The pages listed below describe, how to integrate domain based security into your application by the use of the Acegi ACL package. This Howto was mainly written by Peter Schneider-Manzell for AppFuse-1.9.x. I ported it over to AppFuse-2 and made some minor modifications to make it work again with the current APIs.