While building platforms or frameworks, it may be required to provide API level security. There are different ways of achieving this.

  1. Role based access – For example, A user with ADMIN role can create/delete users.
  2. Domain-object based access. For example, An user may be given view-only access to some set of files. So this user will be denied access to create/update/delete APIs.

Spring Security provides a nice set of abstractions for achieving this. This topic will focus on the following

  1. Various APIs of Spring Security helping us to achieve API level security
  2. How to leverage Spring Security ACL features with an existing data-model (instead of using OOB model)
  3. Some practical applications
  4. Recommended Design. For example, out-of-the-box Spring Security ACL library require a set of ACL tables, where the Ids of the Domain Objects are stored with permissions. If the Domain Object gets removed from the system, we may need to remove it references from the ACL table as well. How to do it ?.
  5. Using Spring Security with JPA/Hibernate

ACL Tables

The list of tables Spring Security API expects in the database are as shown below.

Spring Security ACL Table Model