Big ACL Docs


Spring Security

Integrate Big ACL with Spring Security

1. Overview

By using the Big ACL Spring Security Connector, you can:

  • Keep your application logic simpler by externalizing access control.

  • Use Spring Security annotations for method- and endpoint-level security.

  • Rely on Big ACL to evaluate access decisions without having to implement custom logic in your application.

This integration is particularly helpful when you have multiple services or microservices that need consistent security policies enforced by a single authorization engine.

2. Prerequisites

  • Spring Boot (version 3.x) and Spring Security already set up in your application.

  • A Big ACL account or instance running that you can connect to.

  • Basic knowledge of how to secure methods or endpoints in Spring (e.g., @PreAuthorize annotations).

3. Installation

  1. Add the connector dependency to your pom.xml or build.gradle.

    Maven:

    <dependency>
        <groupId>com.bigacl</groupId>
        <artifactId>bigacl-spring-security-connector</artifactId>
        <version>1.0.0</version>
    </dependency>

    Gradle:

    implementation 'com.bigacl:bigacl-spring-security-connector:1.0.0'
  2. Enable annotation-based security in your application. Ensure you have @EnableGlobalMethodSecurity(prePostEnabled = true) (for Spring Security 5.x) or @EnableMethodSecurity (for Spring Security 6.x) in your configuration class. For example:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize / @PostAuthorize
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        // ...
    }

    or, if you’re using Spring Security 6+:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;

    @Configuration
    @EnableMethodSecurity // prePostEnabled defaults to true in Spring Security 6
    public class SecurityConfig {
        // ...
    }

4. Configuration

  1. Application Properties

    Provide the necessary connection parameters so that your application can communicate with Big ACL. For example, in application.properties (or application.yml):

    # Big ACL connection details
    bigacl.url=https://api.bigacl.com
    bigacl.api-key=YOUR_API_KEY

    Adjust property names according to how your connector is configured to read them (these might differ based on your internal naming conventions).

  2. Bean Registration

    BigAclPermissionEvaluator is the core component that delegates permission checks to the Big ACL platform.

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.access.PermissionEvaluator;
    // BigAclPermissionEvaluator itself comes from the connector artifact added in step 3.

    @Configuration
    public class BigAclConfig {
        @Bean
        public PermissionEvaluator bigAclPermissionEvaluator() {
            return new BigAclPermissionEvaluator();
        }
    }

5. Usage in Code

Once everything is configured, you can use standard Spring Security annotations (e.g., @PreAuthorize) to guard your controller methods. For example:

import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/folders")
public class FolderController {

    private final FolderService folderService;

    public FolderController(FolderService folderService) {
        this.folderService = folderService;
    }

    @GetMapping("/{id}")
    // Evaluated before the method body runs; a denied check throws AccessDeniedException
    @PreAuthorize("hasPermission(#id, 'Folder', 'read')")
    public ResponseEntity<Folder> getFolder(@PathVariable long id) {
        // Your business logic for fetching the folder, e.g.:
        Folder folder = folderService.findById(id);
        return ResponseEntity.ok(folder);
    }

    // Additional endpoints...

}

How hasPermission Works

  • The hasPermission(#id, 'Folder', 'read') expression tells Spring Security to call the BigAclPermissionEvaluator to check whether the current user has the 'read' permission on a 'Folder' resource identified by #id.

  • The #id is an argument from the method’s parameters (in this case, the folder ID from the path).

  • You can adapt the arguments to match your resource naming or your domain model in Big ACL (e.g., 'File' vs 'Folder', etc.).
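To make both the bean-registration step in section 4 and the hasPermission mapping above concrete, here is an added illustrative example. It is not the connector's code and not Big ACL's API: it assumes a placeholder AclDecisionClient interface in place of the real client, a hypothetical Identifiable marker interface for domain objects, and it wires the evaluator into Spring Security 6's method-security expression handler explicitly. The decision table in EvaluatorDemo is constructed for the demonstration only.

```java
import java.io.Serializable;
import java.util.List;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;

/** Hypothetical outbound interface; the real connector's client class is not shown on this page. */
interface AclDecisionClient {
    /** True only when the engine explicitly allows subject/action on the given resource. */
    boolean isAllowed(String subject, String action, String resourceType, String resourceId);
}

/** Hypothetical marker for domain objects that can report their own id (used by the two-argument form). */
interface Identifiable {
    Object getId();
}

/**
 * Illustrative PermissionEvaluator. Shows where the three arguments of
 * hasPermission(#id, 'Folder', 'read') land, and denies whenever the call
 * cannot be evaluated safely so that a malformed expression never grants access.
 */
class IllustrativeAclPermissionEvaluator implements PermissionEvaluator {

    private final AclDecisionClient client;

    IllustrativeAclPermissionEvaluator(AclDecisionClient client) {
        this.client = client;
    }

    // hasPermission(#id, 'Folder', 'read'): targetId = #id, targetType = 'Folder', permission = 'read'
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        if (!isUsable(auth) || targetId == null || targetType == null || permission == null) {
            return false; // fail closed
        }
        return client.isAllowed(auth.getName(), permission.toString(), targetType, targetId.toString());
    }

    // hasPermission(#folder, 'read'): the resource object itself is passed instead of an id
    @Override
    public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) {
        if (!isUsable(auth) || permission == null || !(targetDomainObject instanceof Identifiable target)) {
            return false; // fail closed, including for objects that cannot be identified
        }
        String type = targetDomainObject.getClass().getSimpleName(); // e.g. "Folder"
        return client.isAllowed(auth.getName(), permission.toString(), type, String.valueOf(target.getId()));
    }

    private static boolean isUsable(Authentication auth) {
        return auth != null && auth.isAuthenticated() && auth.getName() != null;
    }
}

/** Wiring for Spring Security 6 so that @PreAuthorize("hasPermission(...)") reaches the evaluator. */
@Configuration
@EnableMethodSecurity
class MethodSecurityWiring {

    @Bean
    PermissionEvaluator permissionEvaluator(AclDecisionClient client) {
        return new IllustrativeAclPermissionEvaluator(client);
    }

    // Setting the evaluator on the expression handler explicitly avoids relying on bean auto-detection.
    @Bean
    static MethodSecurityExpressionHandler methodSecurityExpressionHandler(PermissionEvaluator evaluator) {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(evaluator);
        return handler;
    }
}

/** Stand-alone check of the evaluator against a constructed in-memory decision table (no Spring context). */
class EvaluatorDemo {
    public static void main(String[] args) {
        Set<String> allowed = Set.of("alice|read|Folder|42"); // constructed sample: alice may read Folder 42
        AclDecisionClient client = (s, a, t, id) -> allowed.contains(s + "|" + a + "|" + t + "|" + id);
        PermissionEvaluator evaluator = new IllustrativeAclPermissionEvaluator(client);

        Authentication alice = UsernamePasswordAuthenticationToken.authenticated("alice", "n/a", List.of());
        System.out.println(evaluator.hasPermission(alice, 42L, "Folder", "read"));  // true
        System.out.println(evaluator.hasPermission(alice, 42L, "Folder", "write")); // false: not in the table
        System.out.println(evaluator.hasPermission(null, 42L, "Folder", "read"));   // false: no authentication
    }
}
```

Both overloads must be implemented because Spring Security picks one by the number of arguments in the expression, and every path that cannot reach a definite decision returns false, so an unauthenticated caller, a null argument, or an object without an id is denied rather than silently allowed.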


Last updated 2 months ago
