Extension to ACL in Spring Security

Hi,

First of all thanks for coming with a very nice book.

I have one question that just like in Spring security we have ACLs in our firm we have our own group management that is enterprise user control list. Our system exposes some API to applications useing it and also connects to LDAP for lot of info.

Is there any provision to extend the concept of ACL, so that if in future if we plan to implement spring security at enterprise level it could be easier for us.

As we discovered that spring security provides a lot of features around ACL and LDAP. We already use Spring in most of our applications so it could be a new milestone in our security system.

Thanks
Sourabh Girdhar

Hi Sourabh,

Thanks for the compliments!

The Spring Security ACL subsystem is certainly intended to be extended (in the truest OO sense) to develop whatever functionality your business unit might need. It comes out of the box with a very flexible system of inheritance and user/group/data relationship modeling that is likely to satify many common scenarios.

That said, it's very complex code which is written in a different style than most of the rest of Spring Security, and many new developers have a hard time getting their heads around it, so please do keep in mind the learning curve when rolling this out, especially to more junior developers.

The difficulty of understanding this part of the framework is one of the reasons I felt strongly about dedicating a whole chapter to ACLs in the book - this wasn't originally what I planned, but after reviewing the complexity of the code, I felt that I couldn't do justice to explaining it without having (checking my notes) about 35 pages of material on it

Hope that answers your question!

Best,
Peter

Thanks Peter !!
That answers my question in a perfect way and hopefully we shall be able to integrate Spring security after digging into more details through your book and Spring reference.

Thanks and Cheers

Sourabh

can i have reference to that book..