
I am working on a business application that uses Spring ACL and I want to have granular permissions on specific domain objects.

According to this post, roles and permissions are essentially the same thing in Spring ACL. The conceptual difference in my mind is that a role has 1 or more other granted authorities or a hierarchy of permissions and a permission is just a role that is not within any hierarchy.

So I want OP_USER_MANAGEMENT_PERM to be a permission that can be granted and it allows users to manage other users in this application. Any user, including regular users, should be able to perform these actions when they have the OP_USER_MANAGEMENT_PERM permission granted to their account.

I have most of it working but I am stuck on understanding aclAuthorizationStrategy. For some reason if I do not have:

<bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
    <constructor-arg value="OP_USER_MANAGEMENT_PERM"/>
</bean>

in this:

<bean id="aclAuthorizationStrategy" class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                <constructor-arg value="ROLE_ADMIN"/>
            </bean>
            <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                <constructor-arg value="ROLE_ADMIN"/>
            </bean>
            <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                <constructor-arg value="OP_USER_MANAGEMENT_PERM"/>
            </bean>
        </list>
    </constructor-arg>
</bean>

then the application won't allow normal users with OP_USER_MANAGEMENT_PERM to change the permissions for other users, because I get this error: org.springframework.security.acls.model.NotFoundException: Unable to locate a matching ACE for passed permissions and SIDs. But when I add that block, it works. Is this ok?

  • I also found this question, but it doesn't really answer whether having BasePermission.ADMINISTRATION is required to allow users to grant permissions to other users, or if I can use another permission such as OP_USER_MANAGEMENT_PERM to do so along with the BasePermission.ADMINISTRATION? http://stackoverflow.com/questions/6134380/granting-permissions-in-spring-security-acl – MichaelAlvarezHPE Jun 03 '16 at 20:20
