Announcement Announcement Module
Collapse
No announcement yet.
authz:acl and voters Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • authz:acl and voters

    I have set up ACLs for a web app using v0.8.3 and I'm trying to restrict some content output via the authz:acl tag.

    I noticed that when I required the permission 2 ("read") in the "hasPermission" parameter that users that had admin (1) were not recognized as being authorized. The tag found the effective acl entries correctly, it just wasn't recognizng the admin permission as being applicable to read requirements. If I required either admin or read, it worked.

    My acl voters are set up to require either admin (1) or read (2) permissions for a read affirmative decision in my config file, yet I was still failing. (Almost identical to the contacts sample readVoter, with changes corresponding to my domain object).

    After reading through the tag lib source, I came to the conclusion that the voters were not being used (which I guess is why the reference guide indicates using multiple int values in the "hasPermission" parameter).

    My question is whether or not my conclusion is the correct one. I have been unsuccessful in attempts to find this information without posting, so I apologize if this is a dupe.

    If my conclusion is wrong, can anyone suggest what it is I might be doing incorrectly?

  • #2
    I can confirm AclTag does not use an AccessDecisionVoter. All it does it iterate through the comma separated list of integers expressed via the "requiredIntregers" tag attribute.

    Comment


    • #3
      Originally posted by Ben Alex
      I can confirm AclTag does not use an AccessDecisionVoter. All it does it iterate through the comma separated list of integers expressed via the "requiredIntregers" tag attribute.
      Thanks Ben.

      Is there any particular reason that it doesn't use voters? (I.e. is it worth my while to try and make it use voters?)

      Comment


      • #4
        Voters are typically used when you want to authorize the "before" side of a MethodSecurityInterceptor advice. Most ACL-based applications only use BasicAclEntryVoter, and as such the equivalent functionality is offered directly by AclTag. I cannot see much of a use case for using a voter-approach, particularly as doing so would require you to pass in a mock MethodInvocation and ConfigAttributeDefinition so that the voter interface contract can be honoured.

        Comment

        Working...
        X