ACL can't be owned by a GrantedAuthoritySid

[bberto]

Describe the bug
ACL can't be owned by a GrantedAuthoritySid

To Reproduce
As user with a role named TEST, after successfully changing an ACL ownership in this way:

acl.setOwner(new GrantedAuthoritySid("ROLE_TEST"));
aclService.updateAcl(acl);

I can't perform further modifications to the ACL (eg. changing back the ownership to me).

see:
https://github.com/spring-projects/spring-security/blob/master/acl/src/main/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImpl.java#L92

Expected behavior
Any user with ROLE_TEST granted authority should be able to change the ACL.

[jgrandja]

@bberto I'm trying to understand the issue but it's not clear at the moment. Can you put together a test that demonstrates the issue and another test that you would expect to pass.

[bberto]

@jgrandja I created a pull request including the test and a proposed fix

[jgrandja]

@bberto Thank you for providing the PR to demonstrate your use case.

The sample code you provided:

acl.setOwner(new GrantedAuthoritySid("ROLE_TEST"))

is not correct from a logical entity relationship viewpoint.

An Acl is an entity and so is the Acl.getOwner(). A Principal is an entity, which owns an Acl.
However, a GrantedAuthority is an attribute of a Principal and NOT an entity representation.
Therefore, an Acl cannot be owned by a GrantedAuthoritySid since it's an attribute representation and NOT an entity - only an entity can own an Acl.

Hope this makes sense?

Based on this, I'm going to close this issue and associated PR.