hibernate spring security implementation…

Almost two years ago, I said I would upgrade my Hibernate-Acegi (Spring Security) implementation to Spring Security’s new(er) ACL service paradigm. Here’s their suggested schema. Below is a class diagram of that paradigm.

Spring Security ACL Paradigm

Back then, none of my projects required groups or users to inherit permissions. I simply gave permissions to the roles and individuals that needed them. So, I used an AffirmativeBased AccessDecisionManager, and placed a RoleVoter before any other AbstractAclVoter. Simple, and it worked. One of my newer projects, however, does require inherited permissions.

What else…

Since I always use GUIDs, I still don’t need Spring Security to know the domain class. But I’d like to utilize the new auditing feature. I’d also like to turn auditing on and off at the permission entry level. All in all, the upgrade wasn’t too bad at all. I had to move some code from the SimpleAclEntry (deprecated) to the BasePermission. I actually extended the BasePermission, as the javadocs suggest.

Spring Security’s distributed example code uses JDBC, which is fairly straightforward. It keeps a good amount of the information on the acl entry table, so there’s no real need for a parent acl table. Well, since I’m using Hibernate, a few things automatically change:

  • Built-in 2nd level caching (ehcache for me)
  • Ability to define granular joins and fetches based on the context

Based on those two (three?) items, I was able to normalize a good amount of information back to a new parent table permission (acl?). Now permission entries can focus on one purpose, facilitating a relationship between their parent permission and the target SID (Secure ID). See my pared-down ERD for this:

Hibernate Permission ERD

I’m not big on defining AOP behavior via the newer namespaced expressions. So, in that context, I stayed with what I had before. Some other things have been deprecated, such as BasicAclEntryAfterInvocationProvider, in favor of AclEntryAfterInvocationProvider. Overall, it was pretty painless.

One more thing…

When it comes to ACLs, the one thing that drives me crazy is having to define the default relationships in SQL scripts. I freaking hate it. Well, I was able to resolve that this time around: I added a task and some delegation to my existing ServletContextListener. At application start, it goes about finding existing objects that need securing, that aren’t already secured. Yeah, that’s great…
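As an added illustration (not code from the post or from Spring Security itself), here is the arrangement the post describes, written against the Spring Security 2.0.x packages of that era: a subclass of BasePermission that adds a custom bit, and an AffirmativeBased manager with a RoleVoter ahead of an AclEntryVoter. The class name AuditedPermission, its bit and code letter, the config attribute string and the aclService parameter are all assumptions.

```java
// Added example for the post above, not the post's own code. Package names are
// Spring Security 2.0.x; 3.x moved the acls interfaces to acls.model.
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.acls.AclService;
import org.springframework.security.acls.Permission;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.vote.AccessDecisionVoter;
import org.springframework.security.vote.AclEntryVoter;
import org.springframework.security.vote.AffirmativeBased;
import org.springframework.security.vote.RoleVoter;

/** Hypothetical subclass of BasePermission adding one project-specific bit. */
public class AuditedPermission extends BasePermission {
    // BasePermission uses bits 0..4 (READ..ADMINISTRATION); bit 5 is the first free one.
    public static final Permission AUDIT = new AuditedPermission(1 << 5, 'U');

    static {
        // 2.0.x resolves masks by reflection over registered classes, so a subclass
        // must register itself or buildFromMask() will not know the new bit.
        registerPermissionsFor(AuditedPermission.class);
    }

    protected AuditedPermission(int mask, char code) {
        super(mask, code);
    }

    /**
     * AffirmativeBased grants as soon as any voter returns ACCESS_GRANTED, so a
     * RoleVoter listed first lets ROLE_* holders through without an ACL lookup and
     * the AclEntryVoter only decides for principals the role check abstained on.
     * aclService is assumed to be the application's wired AclService bean.
     */
    public static AffirmativeBased buildDecisionManager(AclService aclService) {
        List<AccessDecisionVoter> voters = new ArrayList<AccessDecisionVoter>();
        voters.add(new RoleVoter());
        // "ACL_OBJECT_AUDIT" is an assumed config attribute name for this example.
        // A real setup also tells the voter how to find the domain object/identity.
        voters.add(new AclEntryVoter(aclService, "ACL_OBJECT_AUDIT",
                new Permission[] { AuditedPermission.AUDIT, BasePermission.ADMINISTRATION }));
        AffirmativeBased manager = new AffirmativeBased();
        manager.setDecisionVoters(voters);
        // Keep the default: if every voter abstains (no matching attribute, no ACE), deny.
        manager.setAllowIfAllAbstainDecisions(false);
        return manager;
    }
}
```

Order matters with AffirmativeBased: a RoleVoter placed after the ACL voter would still grant, but only after an unnecessary ACL lookup, and an ACL voter placed first with allowIfAllAbstainDecisions set to true would silently pass unsecured objects.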

Posted in Security | 7 Comments

atmosphere’s glass house…

I was watching MTV Subterranean, and saw this video come on. First time I’ve seen this video, and I really liked it. Now, some videos are creative. That’s nice. But it’s rare that a video is great, and the lyrics to the song are just as creative. Kanye, Common, and a few others are good at this… not too many others.
Anyway, if you have the time, watch the video, but more importantly, listen to the lyrics. Enjoy.

Posted in General | 3 Comments

like a boss…

There’s a rap song by Slim Thugg, called Like a Boss. It’s OK. Andy Samberg has his own spin on it, http://www.hulu.com/watch/66312/saturday-night-live-digital-short-like-a-boss. Here’s a sample:

Hit on Debra…
… Like a boss

Get rejected…
… Like a boss

Swallow sadness…
… Like a boss

Send some faxes…
… Like a boss

Posted in Funny | 3 Comments

early adopter…

Since I was introduced to WebWork, I’ve been a serious proponent. It was built on some interesting technologies and implemented some great concepts, things that are now considered standard for any self-respecting web-mvc framework. After some evolution, WebWork is now Struts2. Since I considered myself a proponent, I’ve followed most releases, especially the security-related items.

Recently I decided to leave the 2.0.x series, and upgrade to the 2.1.x path. After a little work, you can piece together the major changes you need to adhere to. For me, the biggest change was the built-in Dojo support. As of 2.1, it’s an optional, external module, which is fine. I went about making the changes: things like changing my theme from Ajax to XHtml, and importing the Dojo taglibs into the necessary pages. Nothing too complicated. More time-consuming than anything.

OK, so I ran into a problem. I worked at it for a good weekend. After banging my head against this one, with no resolution, I sought help on the user-list. No response. None of this really bothered me. What really bothered me was my naiveté.

The affected projects are all on svn. For some reason, I did the upgrade on HEAD. So, after no resolution, I had to revert. Since the upgrade included some other libs (Hibernate-3.3, some Commons modules, etc), I actually had to revert and then reapply some other upgrades.

Regardless of your personal feelings for a framework/library, don’t ever assume it’s going to be that easy! If you have a source control tool, use it. A branch for these upgrades would have made things a bit easier. I used to think branches were for teams larger than 2-3. Yeah, not so much. It’s not a problem to adopt a release/technology early, it’s all in how you do it. Ugh, lesson learned.

Posted in Technical stuff | Leave a comment


OK, no one should have to tell an engineer to use caching. If you’re dealing with non-trivial amounts of data, and have a reasonable requirement for availability, you’ll need caching. The real issue is what, and how. The what depends on your situation. The how? Well, I’ve always thought it was obvious: ehcache. I’ve been using it as my 2nd-level cache provider for years. As cache providers go, it’s done well by me.

Well, now Greg Luck’s taking it to the next level. By moving to a minimum JDK of 1.5, he’ll be able to remove all dependencies. Also, ehcache-1.5 was a performant module. Now, if his figures are right, ehcache-1.6 will truly obliterate its peers. It’s still in beta, 1.6 that is, but check it out.

Posted in Technical stuff | 3 Comments

she does not exist…

Posted in Funny | 2 Comments

I am…

OK, so there’s this video, I am. The song is by Novel, Talib Kweli and Spree Wilson. It’s really uplifting, with some quality lyricism – something that you don’t see too much of nowadays. I couldn’t embed it, based on the wishes of the publisher. So check it out at YouTube when you get four minutes – and yes, it’s safe for work.

Here’s a sample of Spree Wilson’s lyrics:

I am the new generation’s beat writer.
The Jack Kerouac influenced – I am the hippy peace fighter.

Posted in General | 1 Comment

for the new year – 2009

I had this list of goals for the new year, last year… I had twelve months, and I accomplished nothing (well, nothing remarkable). Disgusting. Anyway, instead of making a new list of items to learn/try for the new year, I’ll just stick to the old one.

Oh yeah, Merry Christmas and a Happy New Year to you and yours!

Posted in General | 4 Comments

a new start…

OK, I was working at Digital River, but after a very short stint (11 weeks), I was laid off. Yeah…

Fortunately, I have some good friends here in the Twin Cities. Brian V. hooked me up over at Express Scripts. Although the health care industry is not as exciting as e-commerce, their throughput requirements are even larger. So, as it turns out, I’ll get some performance and scaling experience after all.

Posted in General | 2 Comments


It’s only been a few hundred years, since the birth of the United States of America. An experiment in fact. Some see America as the epitome of western ignorance and arrogance. While for others, it’s political asylum. For some, it’s simply a chance to build a better life. Regardless of where you stand, here’s one more thing to add to that list.

Posted in Politics | Leave a comment