Spring Security
  1. Spring Security
  2. SEC-16

BasicAclEntryAfterInvocationCollectionFilteringProvider reflectively process domain object Collections and Arrays

    Details

    • Type: Improvement Improvement
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: 0.8.2, 0.8.3, 0.9.0, 1.0.0 RC1, 1.0.0 RC2
    • Fix Version/s: 3.0.0 M1
    • Component/s: ACLs
    • Labels:
      None

      Description

      http://forum.springframework.org/viewtopic.php?t=6056

      If a Collection/array of domain objects are presented to BasicAclEntryAfterInvocationCollectionFilteringProvider, the filtering will occur at the level of the presented Collection/array only.

      We should consider adding a feature to BasicAclEntryAfterInvocationCollectionFilteringProvider that allows it to reflectively evaluate each property to locate internal Collections/arrays. These would then be processed at an ACL level. This would continue so any level of object nesting is processed. It would be necessary to avoid infinite loops, as one object may refer (by reference) to a parent object. The Acegi Security domain subproject contains some examples of this sort of detection behaviour in its validation package.

      Such a new feature must be switchable, as the expense of reflectively evaluating every domain object in a Collection/array may be high.

        Activity

        Hide
        Ben Alex added a comment -

        Should be against component SecurityACL.

        Show
        Ben Alex added a comment - Should be against component SecurityACL.
        Hide
        Luke Taylor added a comment -

        I think this requirement should (at least partially) be possible using the new expression syntax. For example, if filtering a Person domain object, the expression

        hasPermission(filterObject, 'read') and hasPermission(filterObject.address, 'read')

        should evaluate the read permission on both the object itself and a contained "address". It should also be possible to extend the logic to handle checking permissions on each member of a collection directly e.g.

        hasPermission(filterObject, 'read') and hasPermission(filterObject.addresses, 'read')

        Show
        Luke Taylor added a comment - I think this requirement should (at least partially) be possible using the new expression syntax. For example, if filtering a Person domain object, the expression hasPermission(filterObject, 'read') and hasPermission(filterObject.address, 'read') should evaluate the read permission on both the object itself and a contained "address". It should also be possible to extend the logic to handle checking permissions on each member of a collection directly e.g. hasPermission(filterObject, 'read') and hasPermission(filterObject.addresses, 'read')
        Hide
        Luke Taylor added a comment -

        Closing. As indicated, the expression support allows for more sophisticated ACL controls than just at the level of a collection argument.

        Show
        Luke Taylor added a comment - Closing. As indicated, the expression support allows for more sophisticated ACL controls than just at the level of a collection argument.

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Ben Alex
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: