5

I'm just starting to use Spring Security ACL. I want to obtain a list of domain objects that a user has (any) permissions for.

For example, the system has 1000s of 'buildings', a user may have access to any number of these buildings. When the user logs in I want to present them with a list of the building they have permissions for.

Something along the lines of myAclService.getObjectsForUser('myemail@gmail.com', Building.class)

I'm starting to think that ACLs don't work in that direction, but it must be a common challenge so there must at least be a pattern for how to achieve this alongside ACL without duplicating data.

Any thoughts welcome, thanks!

Tom Crowder
  • Spring Security 4 supports query params with Spring Data now. Check the docs. – Neil McGuigan Apr 08 '15 at 17:59
  • Hi, I've been studying the docos but not sure how query params apply to my problem of obtaining a list of domain objects. Would you be able to explain further? Thanks – Tom Crowder Apr 08 '15 at 23:32
  • Hi @TomCrowder, did you solve this problem? I'm trying to find a way to solve the same issue because it isn't implemented in spring-security-acl yet. It would be great if you could share what you did. Thanks – pVilaca May 11 '15 at 18:01
  • No, I haven't (even though Spring's team apparently monitors these questions!). I've considered looking into querying the underlying tables directly (adding indexes where appropriate), but have put this piece of dev on hold for the moment! Let me know if you find anything too.... – Tom Crowder May 18 '15 at 15:34
  • Does this answer your question? [How to get a List of Objects that a user can access using ACLs related tables](https://stackoverflow.com/questions/30133667/how-to-get-a-list-of-objects-that-a-user-can-access-using-acls-related-tables) – David Riccitelli Jan 17 '20 at 21:38

2 Answers

1

I believe you are right that what's provided in Spring Security re. ACL is more from the object perspective than from the subject (principal) perspective.

You can check the SQL code of all AclServices from Spring Security, specifically JdbcAclService and JdbcMutableAclService.

lpezet
0

You want to use the @PostFilter annotation for smaller datasets:

@PostFilter("hasPermission(filterObject, 'read') or hasPermission(filterObject, 'admin')")
public List<Buildings> getAll();

For larger data sets you may want to use the query in my answer to "How to get a List of Objects that a user can access using ACLs related tables".

denov
  • Is this not what you're looking for? I have some code that queries the actual ACL tables. The above will filter any object in the list that the current user does not have rights to. – denov Mar 31 '17 at 06:21
  • This is not recommended for large datasets, see https://stackoverflow.com/questions/30133667/how-to-get-a-list-of-objects-that-a-user-can-access-using-acls-related-tables – David Riccitelli Jan 17 '20 at 16:42
  • Take a look at who wrote the 2nd answer to the link above :) – denov Jan 22 '20 at 23:41
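
An added example (not from any of the posters above, and not Spring Security's own code) of the direct ACL-table query both answers point to, run here against SQLite with constructed data. It assumes the default table and column names of the Spring Security ACL schema with numeric object ids; `candidate_object_ids`, `demo_db`, the `com.example.Building` class name and the sample users are hypothetical.

```python
import sqlite3

# Default Spring Security ACL tables, reduced to a subset of their columns (assumed schema).
SCHEMA = """
CREATE TABLE acl_sid (id INTEGER PRIMARY KEY, principal INTEGER, sid TEXT);
CREATE TABLE acl_class (id INTEGER PRIMARY KEY, class TEXT);
CREATE TABLE acl_object_identity (id INTEGER PRIMARY KEY, object_id_class INTEGER,
    object_id_identity INTEGER, parent_object INTEGER, entries_inheriting INTEGER);
CREATE TABLE acl_entry (id INTEGER PRIMARY KEY, acl_object_identity INTEGER,
    ace_order INTEGER, sid INTEGER, mask INTEGER, granting INTEGER);
"""

# Candidate ids: objects of one class with at least one granting ACE for the
# principal or one of its authorities. Deny ACEs and inherited parent ACLs are
# not evaluated here, so the per-object ACL check stays authoritative.
QUERY = """
SELECT DISTINCT oi.object_id_identity
FROM acl_entry e
JOIN acl_sid s ON s.id = e.sid
JOIN acl_object_identity oi ON oi.id = e.acl_object_identity
JOIN acl_class c ON c.id = oi.object_id_class
WHERE c.class = ? AND e.granting = 1
  AND ((s.principal = 1 AND s.sid = ?) OR (s.principal = 0 AND s.sid IN ({roles})))
ORDER BY oi.object_id_identity
"""

def candidate_object_ids(conn, class_name, username, authorities=()):
    # One bound placeholder per authority; no caller input is concatenated into SQL.
    roles = ",".join("?" * len(authorities)) or "NULL"
    rows = conn.execute(QUERY.format(roles=roles), (class_name, username, *authorities))
    return [r[0] for r in rows]

def demo_db():
    # Constructed sample data: three buildings, two users, one role.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO acl_sid VALUES (?,?,?)",
        [(1, 1, "alice@example.com"), (2, 1, "bob@example.com"), (3, 0, "ROLE_FACILITIES")])
    conn.execute("INSERT INTO acl_class VALUES (1, 'com.example.Building')")
    conn.executemany("INSERT INTO acl_object_identity VALUES (?,?,?,?,?)",
        [(10, 1, 101, None, 1), (11, 1, 102, None, 1), (12, 1, 103, None, 1)])
    conn.executemany("INSERT INTO acl_entry VALUES (?,?,?,?,?,?)",
        [(1, 10, 0, 1, 1, 1),    # alice READ on building 101
         (2, 10, 1, 1, 2, 1),    # alice WRITE on building 101 (DISTINCT collapses it)
         (3, 11, 0, 2, 1, 1),    # bob READ on building 102
         (4, 12, 0, 3, 1, 1),    # ROLE_FACILITIES READ on building 103
         (5, 11, 1, 1, 1, 0)])   # explicit deny for alice on 102: not a grant
    return conn
```

Use the returned ids to load the objects with a bounded query, and keep `hasPermission` or `@PostFilter` on the loaded list so deny entries and inheritance are still enforced.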