1 Introduction to the Spring Security ACL Plugin

The core plugin and other extension plugins support restricting access to URLs via rules that include checking a user's authentication status, roles, etc. and the ACL plugin extends this by adding support for restricting access to individual domain class instances. The access can be very fine-grained and can define which actions can be taken on an object - these typically include Read, Create, Write, Delete, and Administer but you're free to define whatever actions you like.

To learn about using ACLs in Grails, you can follow guide:3. Tutorial and in addition you can download and run a complete Grails application that uses the plugin. Installing and running the application are described guide:4. Sample Application.

In addition to this document, you should read the Spring Security documentation here.

1.1 History

History

• December 20, 2015
• 2.0.1 release
• December 7, 2015
• 2.0.0 release
• November 17, 2014
• 2.0-RC2 release
• October 08, 2013
• 2.0-RC1 release
• August 20, 2012
• 1.1.1 release
• February 16, 2011
• 1.1 release
• February 7, 2011
• 1.0.2 release
• August 1, 2010
• 1.0.1 release
• July 27, 2010
• 1.0 release
• May 22, 2010
• initial 0.1 release

Authors

Burt Beckwith

Previous work

Stephan February did the first work adding ACL support to the Acegi plugin. At the time the plugin was based on Acegi 1.0.x and around the same time the plugin was converted to use Spring Security 2.0 and the ACL support wasn't converted to use the new package layout and approach.

Work was done in 2009 to create a GORM-based implementation (the standard Spring Security implementation uses JDBC). Around the same time, Phillip Merensky mentioned on the Grails mailing list that he was working on an implementation. He wrote about his approach here and this was merged in with the other approach but never formally released.

This plugin builds on that work but is based on Spring Security 3 and Spring 3.