5
votes

I'm just starting to use Spring Security ACL. I want to obtain a list of domain objects that a user has (any) permissions for.

For example, the system has 1000s of 'buildings', a user may have access to any number of these buildings. When the user logs in I want to present them with a list of the buildings they have permissions for.

Something along the lines of myAclService.getObjectsForUser('[email protected]', Building.class)

I'm starting to think that ACLs don't work in that direction, but it must be a common challenge so there must at least be a pattern for how to achieve this alongside ACL without duplicating data.

Any thoughts welcome, thanks!

2
Spring Security 4 supports query params with Spring Data now. Check the docs. - Neil McGuigan
Hi, I've been studying the docos but not sure how query params apply to my problem of obtaining a list of domain objects. Would you be able to explain further? Thanks - Tom Crowder
Hi @TomCrowder Did you solve this problem? I'm trying to find a way to solve the same issue because it isn't implemented in spring-security-acl yet. It would be great if you can share what you did. Thanks - pVilaca
No, I haven't (even though Spring's team apparently monitors these questions!). I've considered looking into querying the underlying tables directly (adding indexes where appropriate), but have put this piece of dev on hold for the moment! Let me know if you find anything too.... - Tom Crowder

2 Answers

1
votes

I believe you are right that what's provided in Spring Security re. ACL is more from the object perspective than from the subject (principal) perspective.

You can check the SQL code of all AclServices from Spring Security, specifically JdbcAclService and JdbcMutableAclService.

0
votes

You want to use the @PostFilter annotations for smaller datasets:

@PostFilter("hasPermission(filterObject, 'read') or hasPermission(filterObject, 'admin')")
public List<Buildings> getAll();

For larger data sets you may want to use the query in my answer to "How to get a List of Objects that a user can access using ACLs related tables".
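
An added example (not from either answer, and not Spring Security's own SQL) of querying the ACL tables directly for the objects a user holds a granting entry on, which is the direction the comments and answers above point to. It assumes the default acl_sid / acl_class / acl_object_identity / acl_entry tables, cut down to the columns the query reads; the class name com.example.Building, the SIDs and all rows are constructed.

```sql
-- Cut-down copy of the default ACL tables (assumption: only the columns read below).
CREATE TABLE acl_sid (id BIGINT PRIMARY KEY, principal BOOLEAN NOT NULL, sid VARCHAR(100) NOT NULL);
CREATE TABLE acl_class (id BIGINT PRIMARY KEY, class VARCHAR(100) NOT NULL);
CREATE TABLE acl_object_identity (
  id BIGINT PRIMARY KEY,
  object_id_class BIGINT NOT NULL REFERENCES acl_class(id),
  object_id_identity BIGINT NOT NULL,
  parent_object BIGINT,
  entries_inheriting BOOLEAN NOT NULL);
CREATE TABLE acl_entry (
  id BIGINT PRIMARY KEY,
  acl_object_identity BIGINT NOT NULL REFERENCES acl_object_identity(id),
  ace_order INT NOT NULL,
  sid BIGINT NOT NULL REFERENCES acl_sid(id),
  mask INT NOT NULL,
  granting BOOLEAN NOT NULL);

-- Constructed sample data: two users, one role, four buildings.
INSERT INTO acl_sid VALUES (1, TRUE, 'alice'), (2, FALSE, 'ROLE_FACILITIES'), (3, TRUE, 'bob');
INSERT INTO acl_class VALUES (1, 'com.example.Building');
INSERT INTO acl_object_identity VALUES
  (10, 1, 101, NULL, FALSE), (11, 1, 102, NULL, FALSE),
  (12, 1, 103, NULL, FALSE), (13, 1, 104, NULL, FALSE);
INSERT INTO acl_entry VALUES
  (1, 10, 0, 1, 1,  TRUE),   -- alice: READ (mask 1) on building 101
  (2, 11, 0, 2, 16, TRUE),   -- ROLE_FACILITIES: ADMINISTRATION (mask 16) on 102
  (3, 12, 0, 1, 1,  FALSE),  -- alice: READ explicitly denied on 103
  (4, 13, 0, 3, 1,  TRUE);   -- bob only: READ on 104

-- Candidate buildings for alice, who also holds ROLE_FACILITIES.
-- In application code, bind the class name, user name and authority list
-- as query parameters instead of writing them as literals.
SELECT DISTINCT oi.object_id_identity AS building_id
FROM acl_object_identity oi
JOIN acl_class c ON c.id = oi.object_id_class
JOIN acl_entry e ON e.acl_object_identity = oi.id
JOIN acl_sid   s ON s.id = e.sid
WHERE c.class = 'com.example.Building'
  AND e.granting = TRUE                        -- deny entries never qualify an object
  AND ((s.principal = TRUE  AND s.sid = 'alice')
    OR (s.principal = FALSE AND s.sid IN ('ROLE_FACILITIES')))
ORDER BY building_id;
```

The query does not follow parent_object inheritance or ace_order precedence, so treat its result as a candidate list and still enforce hasPermission (for example with the @PostFilter shown above) on whatever it returns.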