Take a look at the interface ObjectIdentity. It represents an object that is protected in the system.
```java
/**
 * Obtains the actual identifier. This identifier must not be reused to represent other domain objects with
 * the same javaType.
 *
 * Because ACLs are largely immutable, it is strongly recommended to use
 * a synthetic identifier (such as a database sequence number for the primary key). Do not use an identifier with
 * business meaning, as that business meaning may change in the future such change will cascade to the ACL
 * subsystem data.
 *
 * @return the identifier (unique within this type; never null)
 */
Serializable getIdentifier();

/**
 * Obtains the "type" metadata for the domain object. This will often be a Java type name (an interface or a class)
 * – traditionally it is the name of the domain object implementation class.
 *
 * @return the "type" of the domain object (never null).
 */
String getType();
```
As you can see, Spring Security uses Serializable to describe the type of the identifier. So it is possible to use a String with the class name.
You would need to update the SQL schema, as the authors of Spring Security assumed that most people would identify objects by long/integer ids.
```sql
create table acl_object_identity(
    ...
    object_id_class bigint not null,
    object_id_identity bigint not null,
    ...
);
```
As I checked, JdbcMutableAclService is able to handle that customization as it uses only ObjectIdentity interface.
Study the source code of the org.springframework.security.acls packages.
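A sketch of the String-identifier approach described above, added as an illustration and not taken from the original answer or from Spring Security's own code. It assumes the object_id_identity column has been changed to a character type so it can hold a class name; the class name ClassLevelAclExample and the type label "CLASS" are hypothetical.

```java
import java.util.List;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Sid;
import org.springframework.transaction.annotation.Transactional;

public class ClassLevelAclExample { // hypothetical name

    private final MutableAclService aclService;

    public ClassLevelAclExample(MutableAclService aclService) {
        this.aclService = aclService;
    }

    /** Builds an identity whose getIdentifier() is a String (the class name), not a numeric id. */
    static ObjectIdentity identityFor(Class<?> protectedClass) {
        // "CLASS" is a hypothetical type label shared by all class-level identities.
        return new ObjectIdentityImpl("CLASS", protectedClass.getName());
    }

    /** Grants READ to a user; the caller must be authenticated, since createAcl records the owner. */
    @Transactional
    public void grantRead(Class<?> protectedClass, String username) {
        ObjectIdentity oid = identityFor(protectedClass);
        MutableAcl acl;
        try {
            acl = (MutableAcl) aclService.readAclById(oid);
        } catch (NotFoundException e) {
            acl = aclService.createAcl(oid); // first grant for this class
        }
        acl.insertAce(acl.getEntries().size(), BasePermission.READ, new PrincipalSid(username), true);
        aclService.updateAcl(acl);
    }

    /** Returns true only if an ACE explicitly grants READ; a missing ACL or ACE means deny. */
    public boolean canRead(Class<?> protectedClass, String username) {
        List<Sid> sids = List.of(new PrincipalSid(username));
        try {
            return aclService.readAclById(identityFor(protectedClass), sids)
                    .isGranted(List.of(BasePermission.READ), sids, false);
        } catch (NotFoundException e) {
            return false; // deny by default
        }
    }
}
```

Because the identifier here carries meaning (a class name), renaming the class orphans its ACL rows, which is the cascade the getIdentifier() Javadoc warns about.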