• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Liutauras Vilda
  • Paul Clapham
  • paul wheaton
  • Tim Cooke
  • Henry Wong
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Piet Souris
  • Mike London

Can I define public permissions in Spring Security ACL?

Posts: 4
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I am working on an JEE 7 application, whose initial code was generated with generjee. Generjee generates application security based on the Apache Shiro library. One disadvantage of Shiro is the missing ability to grand a "public" right to a certain permission. Put simply, I want to grant the permission "article:read" to all users, may they be logged in or not logged in.
The code uses workarounds for public permissions and developers need to know multiple code positions they must change to make a permission public.

Now I am considering if switching to Spring Security could be an option. This are my questions:
  • Is it possible to use only the Spring Security Library isolated (without the entire Spring Framework) in an application built by generjee (JEE7, JSF/Primefaces, CDI, JPA)?
  • Does Spring security have built-in support for ACL where I can just define permissions as "public" at only one single configuration place? Permission check must be available for URLs and also per API like .hasPermission("article:read").

    Rest with Spring Software Support
    Posts: 35
    Eclipse IDE Spring Java
    • Mark post as helpful
    • send pies
      Number of slices to send:
      Optional 'thank-you' note:
    • Quote
    • Report post to moderator
    Hey Jamie - that's an interesting question.
    First off - sure, Spring Security natively supports making an operation public - you don't need any work-arounds to do that.
    Next - yes, it's definitely possible to use Spring Security for a non-Spring app. Spring Security is entirely decoupled and can be set up separately just as well.
    Finally - yes, ACL is supported out of the box in the framework. You won't need to if you just want to make things public though - that can be handled simply with a Spring expression that allows all access.
    Hope that clears things up. Cheers,
    Don't get me started about those stupid light bulbs.
      Bookmark Topic Watch Topic
    • New Topic