
  • ACL Problem - acl_entry needed for every domain object?

    Hi, I am quite new to Spring Security and ACL. However, I managed to set up some basic authorisation in my app. Now I am stuck...

    I have some domain objects called "module" in my application. A list of all available modules is stored in the database. Let's say I have 3 of them with the IDs 1, 2 and 3. Not every user of the app is allowed to access every module, so I am trying to set up some ACL for that:

    Code:
    @PostFilter("hasPermission(filterObject, 'READ')")
    List<Module> findActiveModules();
    Testing the initial setup, I added only one of the modules (with ID=1) to my acl_object_identity table and granted some permission on it to some user (actually to a role, but I think that does not matter here). Running my test, I get the following exception (shortened):

    Code:
    [...]
    Caused by: org.springframework.security.acls.model.NotFoundException: Unable to find ACL information for object identity 'org.springframework.security.acls.domain.ObjectIdentityImpl[Type: de.cominto.epad.model.domain.Module; Identifier: 2]'
    	at org.springframework.security.acls.jdbc.JdbcAclService.readAclsById(JdbcAclService.java:114)
    	at org.springframework.security.acls.AclPermissionCacheOptimizer.cachePermissionsFor(AclPermissionCacheOptimizer.java:56)
    	at org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler.filter(DefaultMethodSecurityExpressionHandler.java:90)
    	at org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice.after(ExpressionBasedPostInvocationAdvice.java:41)
    	at org.springframework.security.access.prepost.PostInvocationAdviceProvider.decide(PostInvocationAdviceProvider.java:38)
    	at org.springframework.security.access.intercept.AfterInvocationProviderManager.decide(AfterInvocationProviderManager.java:73)
    	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.afterInvocation(AbstractSecurityInterceptor.java:282)
    	at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:68)
    [...]
    Does that really mean I have to add each of my modules to the acl_object_identity table? I thought that if there was no entry in that table, this means that there is no permission for that object and access will just be denied (instead of an exception being thrown).

  • #2
    After debugging some more I finally found the problem:
    As you may have seen in the stack trace, I am using org.springframework.security.acls.AclPermissionCacheOptimizer. The implementation of the method cachePermissionsFor() does not handle NotFoundException.

    For now I will just remove the optimizer. When I find some documentation on it I will decide whether to subclass it or not.
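
One way the subclassing option mentioned in #2 could look, as an added example that is not part of the original posts or of Spring Security itself. The class name `LenientAclPermissionCacheOptimizer` is hypothetical, and the sketch assumes `AclPermissionEvaluator` is the configured permission evaluator, which treats a missing ACL as "not granted" when `hasPermission` is evaluated for each object.

```java
import java.util.Collection;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.acls.AclPermissionCacheOptimizer;
import org.springframework.security.acls.model.AclService;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.core.Authentication;

/**
 * Hypothetical subclass (name is an assumption, not a Spring class).
 *
 * The optimizer only pre-loads ACLs in one batch before @PostFilter runs;
 * it makes no access decision. If the batch lookup fails because one of the
 * returned objects has no acl_object_identity row, skipping the warm-up is
 * fail-closed: each object is still checked individually afterwards, and an
 * object without an ACL is filtered out rather than exposed.
 */
public class LenientAclPermissionCacheOptimizer extends AclPermissionCacheOptimizer {

    private static final Log logger =
            LogFactory.getLog(LenientAclPermissionCacheOptimizer.class);

    public LenientAclPermissionCacheOptimizer(AclService aclService) {
        super(aclService);
    }

    @Override
    public void cachePermissionsFor(Authentication authentication, Collection<?> objects) {
        try {
            // Batched readAclsById(...) call; throws if any identity is unknown.
            super.cachePermissionsFor(authentication, objects);
        } catch (NotFoundException e) {
            // Do not grant anything here. Only the cache warm-up is skipped;
            // the per-object permission check still decides access.
            if (logger.isDebugEnabled()) {
                logger.debug("ACL pre-caching skipped, at least one object has no ACL: "
                        + e.getMessage());
            }
        }
    }
}
```

The bean would replace the stock `AclPermissionCacheOptimizer` wherever it is set as the `permissionCacheOptimizer` of the method security expression handler.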
