5

I faced a strange and unexpected situation with Spring Security ACL when I tried to create an ACL using MutableAclService.createAcl(ObjectIdentity objectIdentity).

The matter is that ObjectIdentity uses the Serializable type for identifiers. At the same time, my domains use the String type for this purpose. Ids are generated in this way:

String id = UUID.randomUUID().toString();

And then I try to add ACL using the following structure:

ObjectIdentity identity = new ObjectIdentityImpl(clazz, id);
aclService.createAcl(identity);

After that I get the following exception:

java.lang.NumberFormatException: For input string: "ad169805-a2d1-4324-ba11-c98cc679e594"

I found that Spring Security ACL uses the Long type for identifiers.

So, the questions are:

  1. What are the best practices in such cases (do I need to use, for example, the hashcode of my object as an identifier, or something else)?
  2. Why is Serializable mentioned everywhere, when in fact it must be long?

P.S. And the SQL data types for identifiers are also numbers - bigserial.

alexbt
Dmitry Dyokin
  • 1. hashCode is not a good idea; you can have two identities with the same hashCode. Why don't you use the SQL identifier for ObjectIdentity? You have a guarantee that it is unique. 2. Possibly because you use a JdbcAclService implementation for aclService; you can create your own for custom behavior or extend the existing one. I recommend using the database identifier. – Vasile Bors Jun 15 '17 at 10:23
  • Did you come up with a solution? – lilalinux Dec 12 '17 at 17:38
  • @lilalinux, what Vasile Bors suggested for the 2nd point is using your own ACL implementation. As for the 1st point - whatever you want to use as id. For instance, you can use uuid v4 as String. – Dmitry Dyokin Dec 14 '17 at 12:37

1 Answer

3

It's been over three years, but I will leave this for anyone still struggling with this one:

As of 2017-2018 (especially from this commit https://github.com/spring-projects/spring-security/commit/6decf1c8ef8e31b0d9de9a2f2b364ce682d8b166#diff-bdb889847e56650fc7c52f9de584ba22 and on) Spring Security ACL started implementing classes to solve this problem.

I am currently using Spring Security ACL 5.2.2.RELEASE, which narrows down the solution of this problem to 2 simple configuration modifications:

    @Bean
    public LookupStrategy lookupStrategy() {
        BasicLookupStrategy basicLookupStrategy = new BasicLookupStrategy(
                dataSource,
                aclCache(),
                aclAuthorizationStrategy(),
                new ConsoleAuditLogger()
        );
        basicLookupStrategy.setAclClassIdSupported(true); // <--- this line
        return basicLookupStrategy;
    }

    @Bean
    public JdbcMutableAclService aclService() {
        JdbcMutableAclService jdbcMutableAclService = new JdbcMutableAclService(dataSource, lookupStrategy(), aclCache());
        jdbcMutableAclService.setAclClassIdSupported(true); // <-- And this line.
        return jdbcMutableAclService;
    }

When using the above configuration, Spring ACL assumes you have an extra field in your table "acl_class" called "class_id_type", which holds the information about what type your entity's ID is. For example, my PostgreSQL definition for this table is as follows:

create table if not exists acl_class(
    id bigserial not null primary key,
    class varchar(100) not null,
    class_id_type varchar(100),
    constraint unique_uk_2 unique(class)
);
Jodee
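
Added example, not from the answer or the Spring project: once both `setAclClassIdSupported(true)` calls are in place, a service can create and check ACLs keyed by the UUID string from the question. `DocumentAclService` and `Document` are hypothetical names, and the code assumes `acl_object_identity.object_id_identity` is a character column wide enough for the UUID string rather than a numeric one.

```java
import java.util.Collections;
import java.util.UUID;

import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.transaction.annotation.Transactional;

// Hypothetical class names; register it as a bean next to the aclService() bean above.
public class DocumentAclService {
    public static class Document { } // placeholder domain type keyed by a UUID string
    private final MutableAclService aclService;

    public DocumentAclService(MutableAclService aclService) { this.aclService = aclService; }

    // Creates the ACL for a new object and grants its creator READ and nothing more.
    @Transactional
    public String createWithOwnerRead() {
        String id = UUID.randomUUID().toString(); // same id scheme as in the question
        ObjectIdentity oid = new ObjectIdentityImpl(Document.class, id);
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        MutableAcl acl = aclService.createAcl(oid); // the current principal becomes the owner
        acl.insertAce(acl.getEntries().size(), BasePermission.READ, new PrincipalSid(auth), true);
        aclService.updateAcl(acl);
        return id;
    }

    // Deny by default: a missing ACL and a missing matching entry both mean "no".
    @Transactional(readOnly = true)
    public boolean canRead(String id, Sid sid) {
        try {
            Acl acl = aclService.readAclById(new ObjectIdentityImpl(Document.class, id));
            return acl.isGranted(Collections.singletonList(BasePermission.READ), Collections.singletonList(sid), false);
        } catch (NotFoundException e) {
            return false;
        }
    }
}
```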