
  • ACL post filter and paging issue

    I want to implement ACL-based authorization and was looking at the contacts sample app from the spring-security distro. The issue is how paging works in conjunction with an ACL-based post-method-invocation filter. If my annotation is on a ServiceObject method, during the method call the DAO would have fired the paged query oblivious of the ACL constraints and returned a list of a pageful of data. Now, as the post-invocation filter works on this list and removes items, paging goes for a toss. While I like the clear separation of concerns brought about by the new spring-security 3.0 ACL implementation, is there any solution that does this by decorating the query instead of at the method invocation level? Or is there any way that can maintain paging?
    Doing paging after the method returns is not optimal.

  • #2
    Spring Security is meant to complement the queries (i.e. provide security in layers). You still need to update the queries to select the correct data in order to do paging.



    • #3
      Originally posted by Rob Winch
      Spring Security is meant to complement the queries (i.e. provide security in layers). You still need to update the queries to select the correct data in order to do paging.
      Thanks Rob for the reply! And yes, that's where my question is: say I do the paging in the query and return a result set, and out of that set postFilter filters out objects that do not meet the criteria; hence my result set has fewer objects than returned by the query, which breaks paging. The reason, as you can see, is that paging and the security filter happen at different places, specifically paging running before the security filter rather than the other way round. So is there any implementation in Spring that helps address this issue?



      • #4
        Originally posted by redzedi
        Thanks Rob for the reply! And yes, that's where my question is: say I do the paging in the query and return a result set, and out of that set postFilter filters out objects that do not meet the criteria; hence my result set has fewer objects than returned by the query, which breaks paging. The reason, as you can see, is that paging and the security filter happen at different places, specifically paging running before the security filter rather than the other way round. So is there any implementation in Spring that helps address this issue?
        No, Spring Security does not provide a way to update your queries dynamically. The intent behind the annotations is to complement the query (i.e. double check that things are working). If you want to automatically update your queries, this is probably a better question for the data access framework you are using.
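
The mismatch discussed in posts #3 and #4, as an added example that is not part of the original thread or of Spring Security's code: it compares paging before a per-object filter with putting the ACL constraint inside the paged query and keeping the per-object check as a second layer. The two-table schema (a simplified stand-in for ACL tables), the `READ` bit, the function names and the sample grants are constructed assumptions.

```python
import sqlite3

PAGE_SIZE = 3
READ = 1  # assumed permission bit for "read"

def build_db():
    """Constructed sample data: nine contacts, alice may read five of them."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT);
        -- Simplified stand-in for ACL tables: one row per (object, sid) entry.
        CREATE TABLE acl_entry (object_id INTEGER, sid TEXT, mask INTEGER, granting INTEGER);
    """)
    db.executemany("INSERT INTO contact VALUES (?, ?)",
                   [(i, f"contact-{i}") for i in range(1, 10)])
    db.executemany("INSERT INTO acl_entry VALUES (?, 'alice', ?, 1)",
                   [(i, READ) for i in (2, 3, 7, 8, 9)])
    return db

def can_read(db, sid, object_id):
    """Per-object check, the role a post-invocation filter plays."""
    return db.execute(
        "SELECT 1 FROM acl_entry WHERE object_id = ? AND sid = ? "
        "AND granting = 1 AND (mask & ?) != 0",
        (object_id, sid, READ)).fetchone() is not None

def page_then_filter(db, sid, page):
    """Query pages without ACL knowledge; filtering afterwards shrinks the page."""
    rows = db.execute("SELECT id FROM contact ORDER BY id LIMIT ? OFFSET ?",
                      (PAGE_SIZE, page * PAGE_SIZE)).fetchall()
    return [r[0] for r in rows if can_read(db, sid, r[0])]

def filter_in_query(db, sid, page):
    """ACL constraint inside the query, so LIMIT/OFFSET count only readable rows."""
    rows = db.execute(
        "SELECT c.id FROM contact c WHERE EXISTS ("
        "  SELECT 1 FROM acl_entry e WHERE e.object_id = c.id AND e.sid = ?"
        "  AND e.granting = 1 AND (e.mask & ?) != 0) "
        "ORDER BY c.id LIMIT ? OFFSET ?",
        (sid, READ, PAGE_SIZE, page * PAGE_SIZE)).fetchall()
    # The per-object check still runs afterwards as a second layer.
    return [r[0] for r in rows if can_read(db, sid, r[0])]

if __name__ == "__main__":
    db = build_db()
    for page in range(3):
        print(page, page_then_filter(db, "alice", page), filter_in_query(db, "alice", page))
```

With paging done first, the second page comes back empty although readable contacts remain on the third; with the constraint in the query, every page except the last is full.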



        • #5
          My understanding from this thread is that we need to have a relationship between the object and users in business logic and/or the DB.
          ACL tables are just additional security.
          For example, we need to have, in a query or in business code, "get all objects for a user".
          And ACL logic will only check whether the method returned any objects that the user is not allowed to.
          Is this an accurate understanding?
          Last edited by zaleks01; Dec 4th, 2013, 10:56 AM.



          • #6
            Springtime Protection is intended to enhance the concerns. You still need to upgrade the concerns to choose the correct information in order to do paging.

            Last edited by Kennethkbryant; Dec 13th, 2013, 11:35 AM.
