Skip navigation

Access Control List (ACL) is a way to control access for user in an application. This page contains Access Control List sample using Java, this article show an ACL demo application in Java web application, that i hope will make better understanding of what Access Control List (ACL) is. You can find resources that will explain what ACL is, but i think demo application is more effective for understanding about ACL.

Download ACL demo application from ziddu and 4shared, it’s a Java web application, furthermore it’s Songs database application. The application is using following technology/library : JSP, Servlet, EL, Hibernate/JPA. For simplicity, i’m using JSP and servlet for presentation layer and controller, and Hibernate for database layer so i dont have to deal with SQL (i hate it :p ). This application is an IntelliJ IDEA project, you need to re-create project if you are using Eclipse or Netbeans, and add the classes/library accordingly. I use Apache Tomcat 6 for application server.

Note: Because Tomcat is actually a Servlet container rather Application Server (e.g Glassfish, Geronimo, JBoss, etc), basically Tomcat dont have Java EE library, while i’m using Hibernate/JPA annotations (for object-table database mapping) which is using Java EE library, you need to place javaee.jar in “<TOMCAT_HOME>/lib” folder before running tomcat, DO NOT put javaee.jar in application lib directory, it’s against Java Servlet specification

You may want to edit “hibernate.cfg.xml” first to match your environtment. I’m using Mysql database for this demo. Before running the application please run “acl.demo.util.SetUpACLDemoData” class, this class will set up the data on database so the application can run. Now run the application server, open the browser and go to http://localhost:8080/ACLDemo, this will open login page.
Login page

We can’t see other page if we hasn’t login, I create a SecurityFilter class for this, it’s a Servlet Filter that will intercept all request, checked whether there’s user session in session, if it’s not it will send us to login page.

To login, we can use one of the following account:
- admin/admin (Administrator)
- zidane/password (SuperAdministrator)
- kabayan/kabayan (DataEntry)
- tamara/tamara (Administrator)

The one in the parentheses is the type of a user. Type of a user will determine his/her rights of accessing something (e.g resources, page, module, etc), different user type will have different rights for accessing some pages (e.g “DataEntry” user can’t access “Administrator” level page). You can try to login with above different account and see not all the user have the same rights access. We will examine how this is happen, this is what Access Control List is.

Now login as “SuperAdministrator” so we can see all the page/module. As mention earlier this demo is a Songs database application, it’s had modules such as “Song”, “Album”, “Singer”, and “Genre”, which actually is a dummy page. It’s static, I don’t get the data from database and there’s no corresponding table also. Other modules is “ACL”, “Users”, and “UserType”, which corresponding to what we are talking about, the Access Control List (ACL). We retrieve the data from databases, as well we can add or edit, but for simplicity i don’t add delete/remove functionality. Module “ACL”, “Users”, and “UserType” are important component in this version of ACL’s, they collaborate each other determine how a user have the rights to access a modules or to do some action (e.g Insert, Update, Delete).

index.jsp

This is the dummy modules:

This is the corresponding ACL’s modules:
UserType

User

Access Control List

In this demo to manage an ACL we start by creating a user type then assign that user type to some user. Everytime we make new user type, the application also make ACL’s for that user type. Let’s make a “UserType” that i will called it “Editor” and see what happen.

Add UserType

ACL

After we save the “Editor” user type, it will redirect us to ACL page. We can see there’s ACL’s for “Editor” user type created by application for us, what we only need to set is what modules and what action that the “Editor” can access. Let’s say I just want the “Editor” has the rights to update/edit every module except administrator level module, I’ll set the ACL’s for “Editor” like below picture (note: module “ACL” and “User” is administrator level module)

ACL

Then make a User and assign the “Editor” user type to him/her (I do not add functionality to edit user type of a User). My new user will look like this:
Add User

List User

Please logout and login as “Editor” user. We can see that the menu in front page is not as complete as Administrator user, also the user can’t add new or delete record.

Index.jsp Songs Albums Singers Genres

Now let we examine the code. The code structure look like this:
Code structure

Now let’s see why  some buttons or links can “missing” or display according to type of  user account. In almost every buttons or links that I want to restrict, I put code something like this;

....
<c:if test="<%=aclManager.allowUpdate(session, Permission.ACL)%>">
      <a class="toplink" href="deleteSong.jsp?code=S0001">delete</a>
</c:if>
....
....
<c:if test="<%=aclManager.allowDelete(session, Permission.SONG)%>">
	<input class="kotaktombol" name="save" type="submit" value="Save" />
</c:if>
....

aclManager” is a “acl.demo.manager.AccessControlListManager” class, because I know that there’s “acl.demo.entity.UserSession” object on the Session, i just send “session” object as parameter to method like “allowView”, “allowInsert”, etc, to determine the user type. The “acl.demo.enums.Permission” is to determine the existing modules and what module the page is.
AccessControlListManager

package acl.demo.manager;

import acl.demo.entity.AccessControlList;
import acl.demo.entity.UserType;
import acl.demo.entity.UserSession;
import acl.demo.enums.Permission;
import acl.demo.util.HibernateUtil;

import javax.servlet.http.HttpSession;
import java.util.List;

public class AccessControlListManager extends BaseManager {
    public AccessControlList newAccessControlList() throws Exception {
        return new AccessControlList();
    }

    public AccessControlList get(Long id) throws Exception {
        return (AccessControlList) getEntity(AccessControlList.class, id);
    }

    public AccessControlList save(AccessControlList entity) throws Exception {
        saveEntity(entity);

        return entity;
    }

    public AccessControlList update(AccessControlList entity) throws Exception {
        updateEntity(entity);

        return entity;
    }

    public void delete(AccessControlList entity) throws Exception {
        deleteEntity(entity);
    }

    public List listAll() throws Exception {
        return listAll(AccessControlList.class);
    }

    public AccessControlList getByUserTypeAndPermission(UserType userType, Permission permission) throws Exception {
        StringBuffer query = new StringBuffer("from AccessControlList acl ");
        query.append("where acl.userType = :userType and acl.permission = :permission");

        AccessControlList acl = (AccessControlList) HibernateUtil.getSession().createQuery(query.toString())
                .setParameter("userType", userType).setParameter("permission", permission)
                .uniqueResult();

        return acl;
    }

    ..........

    public boolean allowView(HttpSession session, Permission permission) throws Exception {
        return this.getByUserTypeAndPermission(((UserSession) session.getAttribute("userSession")).getUser().getUserType(), permission).isCanView();
    }

    public boolean allowInsert(HttpSession session, Permission permission) throws Exception {
        return this.getByUserTypeAndPermission(((UserSession) session.getAttribute("userSession")).getUser().getUserType(), permission).isCanInsert();
    }

    public boolean allowUpdate(HttpSession session, Permission permission) throws Exception {
        return this.getByUserTypeAndPermission(((UserSession) session.getAttribute("userSession")).getUser().getUserType(), permission).isCanUpdate();
    }

    public boolean allowDelete(HttpSession session, Permission permission) throws Exception {
        return this.getByUserTypeAndPermission(((UserSession) session.getAttribute("userSession")).getUser().getUserType(), permission).isCanDelete();
    }
}

Permission

package acl.demo.enums;

public enum Permission { SONG, SINGER, ALBUM, GENRE, USER, ACL }

UserSession

package acl.demo.entity;

import java.util.Date;

public class UserSession {
    private User user;
    private Date loginTime;

    public User getUser() {
        return user;
    }

    public void setUser(User user) {
        this.user = user;
    }

    public Date getLoginTime() {
        return loginTime;
    }

    public void setLoginTime(Date loginTime) {
        this.loginTime = loginTime;
    }
}

For object-table mapping I use Hibernate/JPA annotations.
User

package acl.demo.entity;

import javax.persistence.*;

@Entity
@Table(name = "USERS")
public class User {
    private Long id;
    private String username;
    private UserType userType;
    private String password;

    @Id
    @GeneratedValue
    @Column(name = "ID")
    public Long getId() {
        return id;
    }

    public void setId(Long id) {
        this.id = id;
    }

    @Basic
    @Column(name = "USERNAME")
    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    @ManyToOne(targetEntity = UserType.class)
    @JoinColumn(name = "USER_TYPE_ID")
    public UserType getUserType() {
        return userType;
    }

    public void setUserType(UserType userType) {
        this.userType = userType;
    }

    @Basic
    @Column(name = "PASSWORD")
    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public String toString() {
        StringBuffer sb = new StringBuffer();
        sb.append("[ID=" + this.getId());
        sb.append(", USERNAME=" + this.getUsername());
        sb.append(", USERTYPE=" + this.getUserType().getType());
        sb.append(", PASSWORD=" + this.getPassword());
        sb.append("]");

        return sb.toString();
    }
}

UserType

package acl.demo.entity;

import javax.persistence.*;
import java.util.List;
import java.util.ArrayList;

@Entity
@Table(name = "USER_TYPE")
public class UserType {
    private Long id;
    private String type;
    private List<User> users = new ArrayList<User>();

    @Id
    @GeneratedValue
    @Column(name = "ID")
    public Long getId() {
        return id;
    }

    public void setId(Long id) {
        this.id = id;
    }

    @Basic
    @Column(name = "TYPE")
    public String getType() {
        return type;
    }

    public void setType(String type) {
        this.type = type;
    }

    @OneToMany(targetEntity = User.class, mappedBy = "userType")
    public List<User> getUsers() {
        return users;
    }

    public void setUsers(List<User> users) {
        this.users = users;
    }

    public String toString() {
        StringBuffer sb = new StringBuffer();
        sb.append("[ID=" + this.getId());
        sb.append(", TYPE=" + this.getType());
        sb.append(", USERS=" + this.getUsers());
        sb.append("]");

        return sb.toString();
    }

AccessControlList

package acl.demo.entity;

import acl.demo.enums.Permission;

import javax.persistence.*;

@Entity
@Table(name = "ACCESS_CONTROL_LIST")
public class AccessControlList {
    private Long id;
    private Permission permission;
    private UserType userType;
    private boolean canView;
    private boolean canInsert;
    private boolean canUpdate;
    private boolean canDelete;

    @Id
    @GeneratedValue
    @Column(name = "ID")
    public Long getId() {
        return id;
    }

    public void setId(Long id) {
        this.id = id;
    }

    @Enumerated(value = EnumType.STRING)
    @Column(name = "PERMISSION")
    public Permission getPermission() {
        return permission;
    }

    public void setPermission(Permission permission) {
        this.permission = permission;
    }

    @ManyToOne(targetEntity = UserType.class)
    @JoinColumn(name = "USER_TYPE_ID")
    public UserType getUserType() {
        return userType;
    }

    public void setUserType(UserType userType) {
        this.userType = userType;
    }

    @Basic
    @Column(name = "CAN_VIEW")
    public boolean isCanView() {
        return canView;
    }

    public void setCanView(boolean canView) {
        this.canView = canView;
    }

    @Basic
    @Column(name = "CAN_INSERT")
    public boolean isCanInsert() {
        return canInsert;
    }

    public void setCanInsert(boolean canInsert) {
        this.canInsert = canInsert;
    }

    @Basic
    @Column(name = "CAN_UPDATE")
    public boolean isCanUpdate() {
        return canUpdate;
    }

    public void setCanUpdate(boolean canUpdate) {
        this.canUpdate = canUpdate;
    }

    @Basic
    @Column(name = "CAN_DELETE")
    public boolean isCanDelete() {
        return canDelete;
    }

    public void setCanDelete(boolean canDelete) {
        this.canDelete = canDelete;
    }

    @Override
    public String toString() {
        StringBuffer sb = new StringBuffer();
        sb.append("[ID=" + this.getId());
        sb.append(", PERMISSION=" + this.getPermission());
        sb.append(", USERTYPE=" + this.getUserType().getType());
        sb.append(", CAN_VIEW=" + this.isCanView());
        sb.append(", CAN_INSERT=" + this.isCanInsert());
        sb.append(", CAN_UPDATE=" + this.isCanUpdate());
        sb.append(", CAN_DELETE=" + this.isCanDelete());
        sb.append("]");

        return sb.toString();
    }
}

hibernate.cfg.xml

<hibernate-configuration>
    <session-factory>
        <property name="connection.url">jdbc:mysql://localhost:3306/test</property>
        <property name="connection.driver_class">com.mysql.jdbc.Driver</property>
        <property name="connection.username">root</property>
        <property name="connection.password">root</property>
        <!-- DB schema will be updated if needed -->
        <property name="hbm2ddl.auto">update</property>

        <!-- MAPPING -->
        <mapping class="acl.demo.entity.UserType" />
        <mapping class="acl.demo.entity.User" />
        <mapping class="acl.demo.entity.AccessControlList" />
    </session-factory>
</hibernate-configuration>

SecurityFilter looks like this:

package acl.demo.servlet.filter;

import acl.demo.entity.UserSession;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;

public class SecurityFilter implements Filter {
    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws ServletException, IOException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        HttpSession session = request.getSession(false);

        System.out.println("[SecurityFilter] ServletPath : " + request.getServletPath());
        if(!request.getServletPath().equalsIgnoreCase("/login") &&
                !request.getServletPath().equalsIgnoreCase("/logout") &&
                !request.getServletPath().equalsIgnoreCase("/loginForm.jsp") &&
                !request.getServletPath().equalsIgnoreCase("/css/format.css")) {
            if(session != null) {
                UserSession userSession = (UserSession) session.getAttribute("userSession");

                if(userSession == null) {
                    System.out.println("[SecurityFilter] userSession : " + userSession);
                    request.setAttribute("message", "Please login first!");
                    request.getRequestDispatcher("/loginForm.jsp").forward(request, response);
                    return;
                }
            } else {
                request.setAttribute("message", "Please login!");
                request.getRequestDispatcher("/loginForm.jsp").forward(request, response);
                return;
            }
        }

        chain.doFilter(req, resp);
    }
}

This is a simple example of an Access Control List (ACL) presented in Java, you can dowload it from here and here

15 Comments

  1. I don’t know why people haven’t commented yet, even if it’s simple it’s really great, learned a lot from this I needed something like this for my web app.

    Also, you might want to look at Play! Framework (java RESTful webframework) if you are tired of same-old web frameworks :)

    • Hi david, thanks for the comment.
      Play! Framework look promising.. I will take a look.

      Regards,

  2. Do you have a quick tutorial on how to run the “acl.demo.util.SetUpACLDemoData” class

  3. If you are using IDE you can right click the file and run. It’s a Java main class. Dont forget to include all library required, especially Hibernate.

  4. hello. . there is no tables creation.., and database terms.., how to we create database for this application., clarify., fast

    • Have you run acl.demo.util.SetUpACLDemoData ?
      Have you edit hibernate.cfg.xml first ?

  5. hey i run the SetupACLDemoData class …the database is up and running fine with sample data installed …and also the project is running fine..bt afte running it does not perform the login function..i am using the netbeans ide and have set al the parameters properly as directed by the article..yet the login page redirects me to a blank page with no clue about anything..plzz help me…:(

    • I think it had something to do with the libraries, have u put javaee.jar in “/lib” (for tomcat)?
      Have u check all the libraries? and what about the logs said?

      Thanks,

        • Manoj
        • Posted January 3, 2012 at 4:33 pm
        • Permalink

        no the server is glassfish 3.1 on netbeans 7.0 ide…the libraries are added to the /lib folder…only in netbeans project only..still the problem persists..

  6. hey i figured out wats the problem upon running now i changed the code for exception handling and printed the stacktrace and i got this thing
    type Exception report

    message

    descriptionThe server encountered an internal error () that prevented it from fulfilling this request.

    exception

    javax.servlet.ServletException: Login failed
    root cause

    org.hibernate.NonUniqueResultException: query did not return a unique result: 4
    note The full stack traces of the exception and its root causes are available in the GlassFish Server Open Source Edition 3.1 logs.
    can u help me telling wats going on it keeps on saying that query did not return unique result even when i removed all users with entry admin in database..plzz help me out i tried all possible ways bt it still is problematic

  7. hey got the problem just now..its showing the duplicate entries due to duplicate names in id field in the user_type table so there were clashes between 5 admins….i removed those records ..recreated the tables fresh and then inserted step by step records for the 4 main types of user and here the application allowed me to login…i think u shud chek ur setupuser data file…..maybe there are some conflicts inside it..which i correctd…thanxx fr such a beatiful tutorial….i am finding it useful for my final year web based project…..its cool..and easy to understand …thanx very much

  8. Hi. Thank you for your excellent tutorial.

  9. Highly energetic article, I enjoyed that a
    lot. Will there be a part 2?

  10. Hi,

    It is easy to resue.
    Thanks for sharing this wonderfull coding


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: