Spring Security
Integrate Big ACL with Spring Security
1. Overview
By using the Big ACL Spring Security Connector, you can:
Keep your application logic simpler by externalizing access control.
Use Spring Security annotations for method- and endpoint-level security.
Rely on Big ACL to evaluate access decisions without having to implement custom logic in your application.
This integration is particularly helpful when you have multiple services or microservices that need consistent security policies enforced by a single authorization engine.
2. Prerequisites
Spring Boot (version 3.x) and Spring Security already set up in your application.
A Big ACL account or a running Big ACL instance that you can connect to.
Basic knowledge of how to secure methods or endpoints in Spring (e.g., @PreAuthorize annotations).
3. Installation
Add the connector dependency to your pom.xml or build.gradle.
Maven:
    <dependency>
        <groupId>com.bigacl</groupId>
        <artifactId>bigacl-spring-security-connector</artifactId>
        <version>1.0.0</version>
    </dependency>
Gradle:
    implementation 'com.bigacl:bigacl-spring-security-connector:1.0.0'
Enable annotation-based security in your application. Ensure you have @EnableGlobalMethodSecurity(prePostEnabled = true) (for Spring Security 5.x) or @EnableMethodSecurity (for Spring Security 6.x) in your configuration class. For example:
    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        // ...
    }
or, if you’re using Spring Security 6+ (the version that ships with Spring Boot 3.x):
    @Configuration
    @EnableMethodSecurity
    public class SecurityConfig {
        // ...
    }
4. Configuration
Application Properties
Provide the necessary connection parameters so that your application can communicate with Big ACL. For example, in application.properties (or application.yml):
    # Big ACL connection details
    bigacl.url=https://api.bigacl.com
    bigacl.api-key=YOUR_API_KEY
Adjust property names according to how your connector is configured to read them (these might differ based on your internal naming conventions).
Bean Registration
BigAclPermissionEvaluator is the core component that delegates permission checks to the Big ACL platform.
    @Configuration
    public class BigAclConfig {
        @Bean
        public PermissionEvaluator bigAclPermissionEvaluator() {
            return new BigAclPermissionEvaluator();
        }
    }
5. Usage in Code
Once everything is configured, you can use standard Spring Security annotations (e.g., @PreAuthorize) to guard your controller methods. For example:
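    @RestController
    @RequestMapping("/folders")
    public class FolderController {
        // Application service used below; the FolderService type name is assumed
        private final FolderService folderService;

        public FolderController(FolderService folderService) {
            this.folderService = folderService;
        }

        @GetMapping("/{id}")
        @PreAuthorize("hasPermission(#id, 'Folder', 'read')")
        public ResponseEntity<Folder> getFolder(@PathVariable long id) {
            // Your business logic for fetching the folder, e.g.:
            Folder folder = folderService.findById(id);
            return ResponseEntity.ok(folder);
        }
        // Additional endpoints...
    }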
How hasPermission Works
The hasPermission(#id, 'Folder', 'read') expression tells Spring Security to call the BigAclPermissionEvaluator to check whether the current user has the 'read' permission on a 'Folder' resource identified by #id.
The #id is an argument from the method’s parameters (in this case, the folder ID from the path).
You can adapt the arguments to match your resource naming or your domain model in Big ACL (e.g., 'File' vs 'Folder', etc.).
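The argument mapping described above, as an added example (not the connector's code and not from the Big ACL project): a stand-in evaluator shows which PermissionEvaluator method the three-argument hasPermission expression reaches, and denies when the decision call fails. DelegatingPermissionEvaluator, DecisionClient and the sample policy are hypothetical; the block assumes Java 17+ and spring-security-core on the classpath.

```java
import java.io.Serializable;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

// Hypothetical stand-in for BigAclPermissionEvaluator; not the connector's code.
public class DelegatingPermissionEvaluator implements PermissionEvaluator {
    // Assumed decision call, standing in for the request to the external engine.
    public interface DecisionClient {
        boolean isAllowed(String subject, String type, String id, String action) throws Exception;
    }

    private final DecisionClient client;

    public DelegatingPermissionEvaluator(DecisionClient client) { this.client = client; }

    // Reached by hasPermission(#id, 'Folder', 'read'):
    // targetId = #id, targetType = 'Folder', permission = 'read'.
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (auth == null || !auth.isAuthenticated() || targetId == null
                || targetType == null || !(permission instanceof String action)) {
            return false; // incomplete request: deny
        }
        try {
            return client.isAllowed(auth.getName(), targetType, targetId.toString(), action);
        } catch (Exception e) {
            return false; // engine error or timeout: fail closed
        }
    }

    // Reached by the two-argument form hasPermission(#folder, 'read'); unused here, so deny.
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample policy: bob may read Folder 42; id 500 simulates an engine failure.
        DecisionClient sample = (s, t, id, a) -> {
            if (id.equals("500")) throw new IllegalStateException("simulated timeout");
            return s.equals("bob") && t.equals("Folder") && id.equals("42") && a.equals("read");
        };
        PermissionEvaluator pe = new DelegatingPermissionEvaluator(sample);
        Authentication bob = new TestingAuthenticationToken("bob", "n/a", "ROLE_USER");
        System.out.println("read 42: " + pe.hasPermission(bob, 42L, "Folder", "read"));
        System.out.println("write 42: " + pe.hasPermission(bob, 42L, "Folder", "write"));
        System.out.println("read 500: " + pe.hasPermission(bob, 500L, "Folder", "read"));
    }
}
```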