I am using Spring Security ACL. When I save an object I also create a new ACE (Access Control Entry). I am using this method:
acl.insertAce(acl.getEntries().size(), BasePermission.CREATE, recipient, true);I am wondering if I got it right when I invoke this method one time for all the permission the owner (the authenticated user that added it) should have and the same for authorities?
Example:
If the user who adds the entry also should have READ access I invoke this one more time:
acl.insertAce(acl.getEntries().size(), BasePermission.READ, recipient, true);And so on? This is the way it is supposed to be used right?
And is it normal to have both the authorities and the principals in ACL or just the principals. I mean, do you mix hasRole('ROLE_ADMIN') and hasPermission(...) in the @PreAuthorize or do you have both principals and authorities in ACL so you only use hasPermission(...)