This topic is closed

  • after invocation question

    I have the after invocation filtering working fine on a call which returns a collection.

    Currently the xml looks like
    <bean id="lookupServiceSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
      <property name="authenticationManager"><ref bean="authenticationManager"/></property>
      <property name="accessDecisionManager"><ref local="businessAccessDecisionManager"/></property>
      <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
      <property name="objectDefinitionSource">
        <value>
          com.celeres.pago.services.LookupService.getFacilityGroups=ROLE_PAGO_USER,AFTER_ACL_COLLECTION_READ
        </value>
      </property>
    </bean>

    Can I specify in XML that if the authenticated user has the ROLE_ADMIN authority, then no filtering should occur? Or do I have to manually make entries in the ACL table for each of the FacilityGroups?

    Thanks,

    Craig

  • #2
    You could write your own AfterInvocationManager that wrapped a real AfterInvocationManager. The wrapper would just immediately exit, returning the unmodified Object, if the current principal held the role.

    Alternatively, the better way is to not have "magic" like this happen but to use the AclManager as intended. Best practice is to have a "root" object in acl_object_identity that all other acl_object_identity objects ultimately inherit off. You then assign Admin permission for your ROLE_ADMIN. It's just a lot cleaner doing it that way, and whilst it has a slight performance penalty (recall caching will keep most of the details in-memory except on the first instance) the improved clarity of what's going on, and flexibility to modify permissions of the root object in the future, are probably worth it.

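The wrapper approach suggested in reply #2, sketched as an added example that is not part of the original thread or of Acegi Security itself. The package, class name and the `delegate`/`bypassRole` properties are hypothetical, and the code assumes the `net.sf.acegisecurity.AfterInvocationManager` interface of that era, with one `decide(...)` and two `supports(...)` methods.

```java
package example.security; // hypothetical package

import net.sf.acegisecurity.AccessDeniedException;
import net.sf.acegisecurity.AfterInvocationManager;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.ConfigAttribute;
import net.sf.acegisecurity.ConfigAttributeDefinition;
import net.sf.acegisecurity.GrantedAuthority;

/** Hypothetical wrapper: skips after-invocation filtering for holders of one role. */
public class RoleBypassAfterInvocationManager implements AfterInvocationManager {
    private AfterInvocationManager delegate;  // the real manager doing ACL filtering
    private String bypassRole = "ROLE_ADMIN"; // role named in the question

    public void setDelegate(AfterInvocationManager delegate) { this.delegate = delegate; }
    public void setBypassRole(String bypassRole) { this.bypassRole = bypassRole; }

    public Object decide(Authentication authentication, Object object,
            ConfigAttributeDefinition config, Object returnedObject)
            throws AccessDeniedException {
        if (delegate == null) {
            // Fail closed: a miswired wrapper must never hand back unfiltered data.
            throw new IllegalStateException("delegate AfterInvocationManager not set");
        }
        if (holdsBypassRole(authentication)) {
            return returnedObject; // exit immediately with the unmodified object
        }
        return delegate.decide(authentication, object, config, returnedObject);
    }

    /** Exact match only; a missing Authentication or authority list never bypasses. */
    private boolean holdsBypassRole(Authentication authentication) {
        if (authentication == null || authentication.getAuthorities() == null) {
            return false;
        }
        GrantedAuthority[] held = authentication.getAuthorities();
        for (int i = 0; i < held.length; i++) {
            if (held[i] != null && bypassRole.equals(held[i].getAuthority())) {
                return true;
            }
        }
        return false;
    }

    // Config attributes such as AFTER_ACL_COLLECTION_READ are still validated by the delegate.
    public boolean supports(ConfigAttribute attribute) { return delegate.supports(attribute); }
    public boolean supports(Class clazz) { return delegate.supports(clazz); }
}
```

Wired in, the interceptor's `afterInvocationManager` property would reference this bean, with its `delegate` property pointing at the existing `afterInvocationManager` bean. The bypass then applies to every method secured through that interceptor and is invisible in the ACL tables, which is the "magic" the reply cautions against in favour of a root `acl_object_identity` entry.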