Spring Security also provides domain object level security in addition to the other types of security discussed in this Spring Security blog series. In simple terms, ACL provides a way to specify permissions based on a combination of role, business object (referred to as domain object) and permissions. For example, if you want to grant a user read permission based on their role, on their own user data, you would use ACL security.
Spring Security’s ACL services are shipped in the
spring-security-acl-xxx.jar. You will need to add this JAR to your classpath to use Spring Security’s domain object instance security capabilities.
Spring Security’s domain object instance security capabilities centre on the concept of an access control list (ACL). Every domain object instance in your system has its own ACL, and the ACL records details of who can and can’t work with that domain object.
In order to secure various domain objects, you must create ACL Tables. I have provided the SQL for creating ACL Tables here: