What is the best way to connect an ACL with the protected resource?
1) Should the protected resource hold a reference to its ACL?
interface AclHolder {
Acl getAcl();
}
This would be simple, but if the object lives in a database it has to be constructed before it is possible to check access rights.
2) Spring Security uses a mechanism with the fully qualified class name and the object id to attach and retrieve the ACL externally. This could lead to an n+1 select problem, because multiple ACLs cannot be selected by a certain criterion. This system could break if class names change while refactoring.
3) Another way could be to store a reference to the protected resource within the ACL. With lazy loading it would be possible to check the ACL without loading the protected resource from the database.
class Acl<T> {
@Lazy public T protectedResource;
// acl methods ...
}
4) Each object could have a security descriptor (like in windows):
class SecurityDescriptor<T> {
public Acl acl;
@Lazy public T protectedResource;
// ...
}
What is better?
Provisional Solution: I will implement the AclHolder interface since domain objects can implement it and it is also possible to attach ACLs without affecting the domain objects.