Spring Security

1. Overview

By using the Big ACL Spring Security Connector, you can:

• Keep your application logic simpler by externalizing access control.

• Use Spring Security annotations for method- and endpoint-level security.

• Rely on Big ACL to evaluate access decisions without having to implement custom logic in your application.

This integration is particularly helpful when you have multiple services or microservices that need consistent security policies enforced by a single authorization engine.

2. Prerequisites

• Spring Boot (version 3.x) and Spring Security already set up in your application.

• A Big ACL account or instance running that you can connect to.

• Basic knowledge of how to secure methods or endpoints in Spring (e.g., @PreAuthorize annotations).

3. Installation

1. Add the connector dependency to your pom.xml or build.gradle.

   Maven:

   Copy

   <dependency>
       <groupId>com.bigacl</groupId>
       <artifactId>bigacl-spring-security-connector</artifactId>
       <version>1.0.0</version>
   </dependency>

   Gradle:

   Copy

   gradleCopyEditimplementation 'com.bigacl:bigacl-spring-security-connector:1.0.0'

2. Enable annotation-based security in your application. Ensure you have @EnableGlobalMethodSecurity(prePostEnabled = true) (for Spring Security 5.x) or @EnableMethodSecurity (for Spring Security 6.x) in your configuration class. For example:

   Copy

   @Configuration
   @EnableGlobalMethodSecurity(prePostEnabled = true)
   public class SecurityConfig extends WebSecurityConfigurerAdapter {
       // ...
   }

   or, if you’re using Spring Security 6+:

   Copy

   @Configuration
   @EnableMethodSecurity
   public class SecurityConfig {
       // ...
   }

4. Configuration

1. Application Properties Provide the necessary connection parameters so that your application can communicate with Big ACL. For example, in application.properties (or application.yml):

   Copy

   # Big ACL connection details
   bigacl.url=https://api.bigacl.com
   bigacl.api-key=YOUR_API_KEY

   Adjust property names according to how your connector is configured to read them (these might differ based on your internal naming conventions).

2. Bean Registration BigAclPermissionEvaluator is the core component that delegates permission checks to the Big ACL platform.

   Copy

   @Configuration
   public class BigAclConfig {
       @Bean
       public PermissionEvaluator bigAclPermissionEvaluator() {
           return new BigAclPermissionEvaluator();
       }
   }

5. Usage in Code

Once everything is configured, you can use standard Spring Security annotations (e.g., @PreAuthorize) to guard your controller methods. For example:

@RestController
@RequestMapping("/folders")
public class FolderController {

    @GetMapping("/{id}")
    @PreAuthorize("hasPermission(#id, 'Folder', 'read')")
    public ResponseEntity<Folder> getFolder(@PathVariable long id) {
        // Your business logic for fetching the folder, e.g.:
        Folder folder = folderService.findById(id);
        return ResponseEntity.ok(folder);
    }

    // Additional endpoints...

}

How hasPermission Works

• The hasPermission(#id, 'Folder', 'read') expression tells Spring Security to call the BigAclPermissionEvaluator to check whether the current user has the 'read' permission on a 'Folder' resource identified by #id.

• The #id is an argument from the method’s parameters (in this case, the folder ID from the path).

• You can adapt the arguments to match your resource naming or your domain model in Big ACL (e.g., 'File' vs 'Folder', etc.).