ACL Security Question

[bkraut]

Hi,

we are using hibernate for our ORM in our Spring application. I read that we should avoid ORM based implementation for ACL based security because of performance. We implemented it anyway as it is crucial for us that we are database independent. Everything works but I have an architecturl question:

When do I have to fill ACL based tables? Do I have to update and insert into ACL on every persistent record update or insert? As I've seen I need mandatory ACL record for each persitent entity although it does not have any ACLControlEntry records.

[arthomps]

Hi,

When do I have to fill ACL based tables? Do I have to update and insert into ACL on every persistent record update or insert? As I've seen I need mandatory ACL record for each persitent entity although it does not have any ACLControlEntry records.

Just as an fyi, the jdbc implementation is pretty non database specific unless you've customized the the queries. But in answer to your question, you should updated the acls on create, update only if the permissions changed, and delete to remove dead permissions. Also - note there is no table called "ACLControlEntry in the default implementation. But if that's comparable to ACL_ENTRY - then there should be a lot of data in that table - an entry for each permission per entity.

[bkraut]

I understand that jdbc implementation can work on several databases. I really hate to mix technologies and different implementation patterns in the same solution - that was the reason why we implemented it with Hibernate.

Thanks for the answer.