Skip navigation

Category Archives: Access Control List

Access Control List (ACL) is a way to control access for user in an application. This page contains Access Control List sample using Java, this article show an ACL demo application in Java web application, that i hope will make better understanding of what Access Control List (ACL) is. You can find resources that will explain what ACL is, but i think demo application is more effective for understanding about ACL.

Download ACL demo application from ziddu and 4shared, it’s a Java web application, furthermore it’s Songs database application. The application is using following technology/library : JSP, Servlet, EL, Hibernate/JPA. For simplicity, i’m using JSP and servlet for presentation layer and controller, and Hibernate for database layer so i dont have to deal with SQL (i hate it :p ). This application is an IntelliJ IDEA project, you need to re-create project if you are using Eclipse or Netbeans, and add the classes/library accordingly. I use Apache Tomcat 6 for application server.

Note: Because Tomcat is actually a Servlet container rather Application Server (e.g Glassfish, Geronimo, JBoss, etc), basically Tomcat dont have Java EE library, while i’m using Hibernate/JPA annotations (for object-table database mapping) which is using Java EE library, you need to place javaee.jar in “<TOMCAT_HOME>/lib” folder before running tomcat, DO NOT put javaee.jar in application lib directory, it’s against Java Servlet specification

You may want to edit “hibernate.cfg.xml” first to match your environtment. I’m using Mysql database for this demo. Before running the application please run “acl.demo.util.SetUpACLDemoData” class, this class will set up the data on database so the application can run. Now run the application server, open the browser and go to http://localhost:8080/ACLDemo, this will open login page.
Login page

We can’t see other page if we hasn’t login, I create a SecurityFilter class for this, it’s a Servlet Filter that will intercept all request, checked whether there’s user session in session, if it’s not it will send us to login page.

To login, we can use one of the following account:
– admin/admin (Administrator)
– zidane/password (SuperAdministrator)
– kabayan/kabayan (DataEntry)
– tamara/tamara (Administrator)

The one in the parentheses is the type of a user. Type of a user will determine his/her rights of accessing something (e.g resources, page, module, etc), different user type will have different rights for accessing some pages (e.g “DataEntry” user can’t access “Administrator” level page). You can try to login with above different account and see not all the user have the same rights access. We will examine how this is happen, this is what Access Control List is.

Now login as “SuperAdministrator” so we can see all the page/module. As mention earlier this demo is a Songs database application, it’s had modules such as “Song”, “Album”, “Singer”, and “Genre”, which actually is a dummy page. It’s static, I don’t get the data from database and there’s no corresponding table also. Other modules is “ACL”, “Users”, and “UserType”, which corresponding to what we are talking about, the Access Control List (ACL). We retrieve the data from databases, as well we can add or edit, but for simplicity i don’t add delete/remove functionality. Module “ACL”, “Users”, and “UserType” are important component in this version of ACL’s, they collaborate each other determine how a user have the rights to access a modules or to do some action (e.g Insert, Update, Delete).

index.jsp

This is the dummy modules:

This is the corresponding ACL’s modules:
UserType

User

Access Control List

In this demo to manage an ACL we start by creating a user type then assign that user type to some user. Everytime we make new user type, the application also make ACL’s for that user type. Let’s make a “UserType” that i will called it “Editor” and see what happen.

Add UserType

ACL

After we save the “Editor” user type, it will redirect us to ACL page. We can see there’s ACL’s for “Editor” user type created by application for us, what we only need to set is what modules and what action that the “Editor” can access. Let’s say I just want the “Editor” has the rights to update/edit every module except administrator level module, I’ll set the ACL’s for “Editor” like below picture (note: module “ACL” and “User” is administrator level module)

ACL

Then make a User and assign the “Editor” user type to him/her (I do not add functionality to edit user type of a User). My new user will look like this:
Add User

List User

Please logout and login as “Editor” user. We can see that the menu in front page is not as complete as Administrator user, also the user can’t add new or delete record.

Index.jsp Songs Albums Singers Genres

Now let we examine the code. The code structure look like this:
Code structure

Now let’s see why  some buttons or links can “missing” or display according to type of  user account. In almost every buttons or links that I want to restrict, I put code something like this;

....
<c:if test="<%=aclManager.allowUpdate(session, Permission.ACL)%>">
      <a class="toplink" href="deleteSong.jsp?code=S0001">delete</a>
</c:if>
....
....
<c:if test="<%=aclManager.allowDelete(session, Permission.SONG)%>">
	<input class="kotaktombol" name="save" type="submit" value="Save" />
</c:if>
....

aclManager” is a “acl.demo.manager.AccessControlListManager” class, because I know that there’s “acl.demo.entity.UserSession” object on the Session, i just send “session” object as parameter to method like “allowView”, “allowInsert”, etc, to determine the user type. The “acl.demo.enums.Permission” is to determine the existing modules and what module the page is.
AccessControlListManager

package acl.demo.manager;

import acl.demo.entity.AccessControlList;
import acl.demo.entity.UserType;
import acl.demo.entity.UserSession;
import acl.demo.enums.Permission;
import acl.demo.util.HibernateUtil;

import javax.servlet.http.HttpSession;
import java.util.List;

public class AccessControlListManager extends BaseManager {
    public AccessControlList newAccessControlList() throws Exception {
        return new AccessControlList();
    }

    public AccessControlList get(Long id) throws Exception {
        return (AccessControlList) getEntity(AccessControlList.class, id);
    }

    public AccessControlList save(AccessControlList entity) throws Exception {
        saveEntity(entity);

        return entity;
    }

    public AccessControlList update(AccessControlList entity) throws Exception {
        updateEntity(entity);

        return entity;
    }

    public void delete(AccessControlList entity) throws Exception {
        deleteEntity(entity);
    }

    public List listAll() throws Exception {
        return listAll(AccessControlList.class);
    }

    public AccessControlList getByUserTypeAndPermission(UserType userType, Permission permission) throws Exception {
        StringBuffer query = new StringBuffer("from AccessControlList acl ");
        query.append("where acl.userType = :userType and acl.permission = :permission");

        AccessControlList acl = (AccessControlList) HibernateUtil.getSession().createQuery(query.toString())
                .setParameter("userType", userType).setParameter("permission", permission)
                .uniqueResult();

        return acl;
    }

    ..........

    public boolean allowView(HttpSession session, Permission permission) throws Exception {
        return this.getByUserTypeAndPermission(((UserSession) session.getAttribute("userSession")).getUser().getUserType(), permission).isCanView();
    }

    public boolean allowInsert(HttpSession session, Permission permission) throws Exception {
        return this.getByUserTypeAndPermission(((UserSession) session.getAttribute("userSession")).getUser().getUserType(), permission).isCanInsert();
    }

    public boolean allowUpdate(HttpSession session, Permission permission) throws Exception {
        return this.getByUserTypeAndPermission(((UserSession) session.getAttribute("userSession")).getUser().getUserType(), permission).isCanUpdate();
    }

    public boolean allowDelete(HttpSession session, Permission permission) throws Exception {
        return this.getByUserTypeAndPermission(((UserSession) session.getAttribute("userSession")).getUser().getUserType(), permission).isCanDelete();
    }
}

Permission

package acl.demo.enums;

public enum Permission { SONG, SINGER, ALBUM, GENRE, USER, ACL }

UserSession

package acl.demo.entity;

import java.util.Date;

public class UserSession {
    private User user;
    private Date loginTime;

    public User getUser() {
        return user;
    }

    public void setUser(User user) {
        this.user = user;
    }

    public Date getLoginTime() {
        return loginTime;
    }

    public void setLoginTime(Date loginTime) {
        this.loginTime = loginTime;
    }
}

For object-table mapping I use Hibernate/JPA annotations.
User

package acl.demo.entity;

import javax.persistence.*;

@Entity
@Table(name = "USERS")
public class User {
    private Long id;
    private String username;
    private UserType userType;
    private String password;

    @Id
    @GeneratedValue
    @Column(name = "ID")
    public Long getId() {
        return id;
    }

    public void setId(Long id) {
        this.id = id;
    }

    @Basic
    @Column(name = "USERNAME")
    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    @ManyToOne(targetEntity = UserType.class)
    @JoinColumn(name = "USER_TYPE_ID")
    public UserType getUserType() {
        return userType;
    }

    public void setUserType(UserType userType) {
        this.userType = userType;
    }

    @Basic
    @Column(name = "PASSWORD")
    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public String toString() {
        StringBuffer sb = new StringBuffer();
        sb.append("[ID=" + this.getId());
        sb.append(", USERNAME=" + this.getUsername());
        sb.append(", USERTYPE=" + this.getUserType().getType());
        sb.append(", PASSWORD=" + this.getPassword());
        sb.append("]");

        return sb.toString();
    }
}

UserType

package acl.demo.entity;

import javax.persistence.*;
import java.util.List;
import java.util.ArrayList;

@Entity
@Table(name = "USER_TYPE")
public class UserType {
    private Long id;
    private String type;
    private List<User> users = new ArrayList<User>();

    @Id
    @GeneratedValue
    @Column(name = "ID")
    public Long getId() {
        return id;
    }

    public void setId(Long id) {
        this.id = id;
    }

    @Basic
    @Column(name = "TYPE")
    public String getType() {
        return type;
    }

    public void setType(String type) {
        this.type = type;
    }

    @OneToMany(targetEntity = User.class, mappedBy = "userType")
    public List<User> getUsers() {
        return users;
    }

    public void setUsers(List<User> users) {
        this.users = users;
    }

    public String toString() {
        StringBuffer sb = new StringBuffer();
        sb.append("[ID=" + this.getId());
        sb.append(", TYPE=" + this.getType());
        sb.append(", USERS=" + this.getUsers());
        sb.append("]");

        return sb.toString();
    }

AccessControlList

package acl.demo.entity;

import acl.demo.enums.Permission;

import javax.persistence.*;

@Entity
@Table(name = "ACCESS_CONTROL_LIST")
public class AccessControlList {
    private Long id;
    private Permission permission;
    private UserType userType;
    private boolean canView;
    private boolean canInsert;
    private boolean canUpdate;
    private boolean canDelete;

    @Id
    @GeneratedValue
    @Column(name = "ID")
    public Long getId() {
        return id;
    }

    public void setId(Long id) {
        this.id = id;
    }

    @Enumerated(value = EnumType.STRING)
    @Column(name = "PERMISSION")
    public Permission getPermission() {
        return permission;
    }

    public void setPermission(Permission permission) {
        this.permission = permission;
    }

    @ManyToOne(targetEntity = UserType.class)
    @JoinColumn(name = "USER_TYPE_ID")
    public UserType getUserType() {
        return userType;
    }

    public void setUserType(UserType userType) {
        this.userType = userType;
    }

    @Basic
    @Column(name = "CAN_VIEW")
    public boolean isCanView() {
        return canView;
    }

    public void setCanView(boolean canView) {
        this.canView = canView;
    }

    @Basic
    @Column(name = "CAN_INSERT")
    public boolean isCanInsert() {
        return canInsert;
    }

    public void setCanInsert(boolean canInsert) {
        this.canInsert = canInsert;
    }

    @Basic
    @Column(name = "CAN_UPDATE")
    public boolean isCanUpdate() {
        return canUpdate;
    }

    public void setCanUpdate(boolean canUpdate) {
        this.canUpdate = canUpdate;
    }

    @Basic
    @Column(name = "CAN_DELETE")
    public boolean isCanDelete() {
        return canDelete;
    }

    public void setCanDelete(boolean canDelete) {
        this.canDelete = canDelete;
    }

    @Override
    public String toString() {
        StringBuffer sb = new StringBuffer();
        sb.append("[ID=" + this.getId());
        sb.append(", PERMISSION=" + this.getPermission());
        sb.append(", USERTYPE=" + this.getUserType().getType());
        sb.append(", CAN_VIEW=" + this.isCanView());
        sb.append(", CAN_INSERT=" + this.isCanInsert());
        sb.append(", CAN_UPDATE=" + this.isCanUpdate());
        sb.append(", CAN_DELETE=" + this.isCanDelete());
        sb.append("]");

        return sb.toString();
    }
}

hibernate.cfg.xml

<hibernate-configuration>
    <session-factory>
        <property name="connection.url">jdbc:mysql://localhost:3306/test</property>
        <property name="connection.driver_class">com.mysql.jdbc.Driver</property>
        <property name="connection.username">root</property>
        <property name="connection.password">root</property>
        <!-- DB schema will be updated if needed -->
        <property name="hbm2ddl.auto">update</property>

        <!-- MAPPING -->
        <mapping class="acl.demo.entity.UserType" />
        <mapping class="acl.demo.entity.User" />
        <mapping class="acl.demo.entity.AccessControlList" />
    </session-factory>
</hibernate-configuration>

SecurityFilter looks like this:

package acl.demo.servlet.filter;

import acl.demo.entity.UserSession;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;

public class SecurityFilter implements Filter {
    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws ServletException, IOException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        HttpSession session = request.getSession(false);

        System.out.println("[SecurityFilter] ServletPath : " + request.getServletPath());
        if(!request.getServletPath().equalsIgnoreCase("/login") &&
                !request.getServletPath().equalsIgnoreCase("/logout") &&
                !request.getServletPath().equalsIgnoreCase("/loginForm.jsp") &&
                !request.getServletPath().equalsIgnoreCase("/css/format.css")) {
            if(session != null) {
                UserSession userSession = (UserSession) session.getAttribute("userSession");

                if(userSession == null) {
                    System.out.println("[SecurityFilter] userSession : " + userSession);
                    request.setAttribute("message", "Please login first!");
                    request.getRequestDispatcher("/loginForm.jsp").forward(request, response);
                    return;
                }
            } else {
                request.setAttribute("message", "Please login!");
                request.getRequestDispatcher("/loginForm.jsp").forward(request, response);
                return;
            }
        }

        chain.doFilter(req, resp);
    }
}

This is a simple example of an Access Control List (ACL) presented in Java, you can dowload it from here and here

Advertisements