Expressions-Based Access Control: @PostFilter not called, @PreAuthorize fine.
I'm a little baffled. I'm using ACL, and I have a Spring controller with two public methods:

Code:
// Pre-invocation check: the ACL permission is evaluated before the method body runs.
@RequestMapping(value = "{id}", method = RequestMethod.DELETE, consumes = "application/json")
@PreAuthorize("hasPermission(#profile, 'ADMINISTRATE')")
public void deleteProfile(@PathVariable String id) {
    Store profile = profileManager.getProfileByID(Integer.parseInt(id));
    profileManager.deleteProfile(profile);
}

// Post-invocation filter: filterObject is bound to each element of the returned list in turn.
@RequestMapping(value = "/all", method = RequestMethod.GET, produces = "application/json")
@PostFilter("hasPermission(filterObject, 'READ')")
public @ResponseBody List<Store> getAllProfiles() {
    List<Store> stores = profileManager.getProfiles();
    return stores;
}
The first one works just fine: users without the right permissions on the objects get errors, and those with permissions can delete profiles. Excellent!

But the second doesn't work! I always get all the stores, regardless of permissions. However, if I manually plug in

Code:
@Autowired
@Qualifier("permissionEvaluator")
private PermissionEvaluator permEval;
I can call

Code:
permEval.hasPermission(SecurityContextHolder.getContext().getAuthentication(), store, "READ");
on each element of the list before I return them all, remove the ones that fail, and that works just fine.

Obviously, I'd prefer to use the expressions. Any idea what might be going on here?

I'm using 3.1.3.RELEASE if that makes a difference. I did a good search, but I couldn't find anyone who could use @PreAuthorize but not @PostFilter.
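As an added example (not code from the original post), here is the manual PermissionEvaluator filtering the post describes, placed beside the declarative @PostFilter version so both paths can be compared against the same ACL. The Store type, the ProfileManager service and its getProfiles() method are taken from the post but their definitions are not shown there; the /profiles base path, the /readable mapping, the controller class name and the filterReadable helper are assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

// Example controller; class name and base path are assumptions, not from the post.
@Controller
@RequestMapping("/profiles")
public class ProfileFilterController {

    // Same bean the post wires up by hand.
    @Autowired
    @Qualifier("permissionEvaluator")
    private PermissionEvaluator permissionEvaluator;

    // Assumed service interface: the post calls profileManager.getProfiles().
    @Autowired
    private ProfileManager profileManager;

    // Declarative variant. Spring Security evaluates the expression once per
    // element with filterObject bound to that element, then rewrites the
    // returned collection in place (clear() followed by addAll()), so the
    // method must return a mutable collection. A defensive copy guarantees that
    // regardless of what the service hands back.
    @RequestMapping(value = "/all", method = RequestMethod.GET, produces = "application/json")
    @PostFilter("hasPermission(filterObject, 'READ')")
    public @ResponseBody List<Store> getAllProfiles() {
        return new ArrayList<Store>(profileManager.getProfiles());
    }

    // Manual variant: the same check the annotation performs, done explicitly
    // against the caller's Authentication. Mapping path is an assumption.
    @RequestMapping(value = "/readable", method = RequestMethod.GET, produces = "application/json")
    public @ResponseBody List<Store> getReadableProfiles() {
        Authentication caller = SecurityContextHolder.getContext().getAuthentication();
        return filterReadable(caller, profileManager.getProfiles());
    }

    // Package-private so a unit test can drive it with a stub PermissionEvaluator
    // and a fixed Authentication, without a servlet container or a real ACL store.
    List<Store> filterReadable(Authentication caller, List<Store> stores) {
        List<Store> readable = new ArrayList<Store>();
        for (Store store : stores) {
            // hasPermission(Authentication, Object domainObject, Object permission)
            // is the same call the 'hasPermission(filterObject, "READ")' expression makes.
            if (permissionEvaluator.hasPermission(caller, store, "READ")) {
                readable.add(store);
            }
        }
        return readable;
    }
}
```

Two checks worth making when the two variants disagree: both @PreAuthorize and @PostFilter are processed by the same MethodSecurityInterceptor and the same expression handler, so a proxying or configuration problem would normally break both rather than one; and a `#name` reference in a pre/post expression resolves to the method parameter of that name (which requires parameter names to be available at runtime), while `filterObject` is supplied by the framework for each element and needs no parameter. Comparing the result of the manual helper above with the filtered output of the annotated method, for the same Authentication, isolates whether the ACL lookup or the annotation processing is the part that differs.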