I am in the process of implementing Spring Security in an existing application, which creates users, assigns roles, etc. via a web portal. In the process of finding the best-suited security for the web services and portal, I am deeply impressed with Spring Security's ACL. However, I have this basic doubt.
ACL in SS4 can be configured through a database. I found a tutorial which helps me achieve the same, but I feel that this way of configuring requires a lot of hard wiring into the database, as it is completely data driven. Every user, when created, would require a set of domain-object-level accesses allowed / restricted (inserting and updating rows of data in the ACL tables), and this will need to be repeated for every user. This is much more easily achieved using @PreAuthorize and @PostAuthorize annotations in the code (via SpEL) than through the database's data-driven approach.
Is it possible for ACL to be configured in the DB as per the roles assigned to them, rather than defining access for each object for each user?