Expressions-Based Access Control: @PostFilter not called, @PreAuthorize fine.

    I'm a little baffled. I'm using ACL, and I have a Spring controller, with two public methods:

        @RequestMapping(value="{id}", method = RequestMethod.DELETE, consumes = "application/json")
        @PreAuthorize("hasPermission(#profile, 'ADMINISTRATE')")
        public void deleteProfile(@PathVariable String id) {
            Store profile = profileManager.getProfileByID(Integer.parseInt(id));
            // ... (rest of the method body omitted in the original post)
        }

        @RequestMapping(value="/all", method = RequestMethod.GET, produces = "application/json")
        @PostFilter("hasPermission(filterObject, 'READ')")
        public @ResponseBody List<Store> getAllProfiles() {
            List<Store> stores = profileManager.getProfiles();
            return stores;
        }
    The first one works just fine, users without the right permissions on the objects get errors, and those with permissions can delete profiles. Excellent!

    But the second doesn't work! I always get all the stores, regardless of permissions. However, if I manually plug in

        private PermissionEvaluator permEval;
    I can call

        permEval.hasPermission(SecurityContextHolder.getContext().getAuthentication(), store, "READ");
    on each element of the list before I return them all, and remove the ones that fail, and that works just fine.

    Obviously, I'd prefer to use the expressions. Any idea what might be going on here?

    I'm using 3.1.3.RELEASE if that makes a difference. I did a good search, but I couldn't find anyone who could use @PreAuthorize but not @PostFilter.
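The per-element check the post describes as its workaround, written out as an added example (this is not the poster's code or part of the thread): the controller calls the ACL-backed PermissionEvaluator for every element itself, so the list is filtered even when the @PostFilter advice is not applied to the bean. The class name ProfileController, the helper filterReadable and the field names are my own; Store, ProfileManager and the PermissionEvaluator bean are assumed to be configured in the application as in the post.

```java
// Added example, not the poster's code. Assumes the application already
// defines Store, ProfileManager and an ACL-backed PermissionEvaluator bean
// (the same evaluator that is set on the method-security expression handler).
import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
@RequestMapping("/profiles")
public class ProfileController {

    @Autowired
    private ProfileManager profileManager;          // assumed: the poster's service

    @Autowired
    private PermissionEvaluator permissionEvaluator; // assumed: ACL-backed evaluator bean

    @RequestMapping(value = "/all", method = RequestMethod.GET, produces = "application/json")
    @PostFilter("hasPermission(filterObject, 'READ')")
    public @ResponseBody List<Store> getAllProfiles() {
        // Explicit filtering first; @PostFilter, if its advice is applied, runs on the
        // result as well. @PostFilter removes elements from the returned collection in
        // place, so a fresh, mutable ArrayList is returned rather than whatever the
        // service hands back (an unmodifiable list would throw at filter time).
        return new ArrayList<Store>(filterReadable(profileManager.getProfiles()));
    }

    /** Keeps only the stores the current principal may READ: one ACL lookup per element. */
    List<Store> filterReadable(List<Store> stores) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        List<Store> readable = new ArrayList<Store>();
        for (Store store : stores) {
            // Same call the post makes by hand, against the same evaluator the
            // hasPermission(...) expression would use.
            if (permissionEvaluator.hasPermission(auth, store, "READ")) {
                readable.add(store);
            }
        }
        return readable;
    }
}
```

Two things worth checking alongside this: the `global-method-security` element must carry an `expression-handler` whose PermissionEvaluator is the ACL one (otherwise `hasPermission` in expressions falls back to denying everything rather than to the ACL tables), and it must be declared in the application context that creates the controller beans, since method security only proxies beans of the context it is defined in. Once the annotation is confirmed to run on the controller, the explicit filterReadable call is redundant and can be dropped.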