SEC-2409: Spring Security / Spring Data Acl Integration

[spring-projects-issues]

Rob Winch (Migrated from SEC-2409) said:

Spring Security's ACL implementation allows users to determine if a access is allowed after the results come back from the database. This works when there is a small number of results, but breaks down when paging is necessary. Now that we have Spring Data, it would be good to provide integration with Spring Data to ensure that the query's are automatically updated based upon the security restrictions. We could provide a default strategy that aligns with Spring Security's ACL model.

Blocked by spring-projects/spring-data-commons#766

[spring-projects-issues]

Ian Duffy said:

Any ETA on this?

[spring-projects-issues]

Rob Winch said:

Spring Security integration is blocked on DATACMNS-293 Last I heard this issues is to be a priority in Spring Data's next release train so I am hopeful that we will start making headway soon.

[spring-projects-issues]

Ian Duffy said:

Is there any workaround for using @query and passing where conditions?

[spring-projects-issues]

Rob Winch said:

Not as far as I am aware (I haven't looked into this in any detail though) short of passing in the user information into the repository as an argument.

Spring Security exposes the current user with SecurityContextHolder, so you would need to adapt Spring Data to be aware of this in some form or another. This is probably a better question for the Spring Data team.

[spring-projects-issues]

Ian Duffy said:

Ok, Thank you.

Any idea when the next release is due?

[spring-projects-issues]

Rob Winch said:

Spring Data or Spring Security?

[spring-projects-issues]

Ian Duffy said:

Spring data. Sorry I should of been clearer.

[spring-projects-issues]

Rob Winch said:

No problem...but unfortunately I am not certain of the date. This is probably a better question for the Spring Data team.

[spring-projects-issues]

Rob Winch said:

FYI...we are starting to play around with the first phase which is allowing modification of queries using SpEL to access Spring Security information. See https://github.com/rwinch/spring-security-data/tree/spel In the long term we how to have much more advanced support.

[spring-projects-issues]

Ian Duffy said:

That looks pretty cool. Thanks Rob :-)

[spring-projects-issues]

Pedro Vilaça said:

Any news about this issue? I noticed that it was planned for Spring Security 4.0 but as the first RC is already out and this is still open and without any recent comments, will it be included before the final release? Thanks

[spring-projects-issues]

Rob Winch said:

We are still blocked on DATACMNS-293 so it will not be coming in 4.0

[spring-projects-issues]

Pedro Vilaça said:

Thanks Rob. Do you already know how will you do it or you're waiting to see the support that spring data will provide?

[spring-projects-issues]

Rob Winch said:

I'm coordinating with the Spring Data team to get our requirements. The problem, as usual, is that we don't have enough resources to do everything. Please do vote on the Spring Data issue to ensure it gets prioritized.

NOTE: We are including SEC-2676 in 4.0.x which will allow custom queries based on Spring Security's current user.

[spring-projects-issues]

Pedro Vilaça said:

I've been thinking about this problem for a while and I'm not sure if this feature won't point us to the wrong direction when we're designing a system with ACLs.

Is it correct to write code that will completely depend on the ACLs system? Let's talk about a real example.. Is it correct that a method that is responsible to retrieve all the "Objects" (for a given entity) that a User can access, use the ACLs to deliver those objects and not all the objects that exist in the database?

I really appreciate the separation of concerns that is described on the docs but if we decide to implement the described behaviour, that separation doesn't exist anymore. So, I'm wondering if we shouldn't consider that ACLs are just an extra level of security and not something that is used as part of the business logic.

What do you think?