public class AclEntryAfterInvocationCollectionFilteringProvider extends AbstractAclProvider
Given a Collection of domain object instances returned from a secure
object invocation, remove any Collection elements the principal does not
have appropriate permission to access as defined by the AclService.
The AclService is used to retrieve the access control list (ACL)
permissions associated with each Collection domain object instance element
for the current Authentication object.
This after invocation provider will fire if any ConfigAttribute.getAttribute()
matches the AbstractAclProvider.processConfigAttribute. The provider will then lookup the ACLs
from the AclService and ensure the principal is
Acl.isGranted() when presenting the AbstractAclProvider.requirePermission array to that method.
If the principal does not have permission, that element will not be included in the
returned Collection.
Often users will setup a BasicAclEntryAfterInvocationProvider with a
AbstractAclProvider.processConfigAttribute of AFTER_ACL_COLLECTION_READ and a
AbstractAclProvider.requirePermission of BasePermission.READ. These are also the
defaults.
If the provided returnObject is null, a null
Collection will be returned. If the provided returnObject is
not a Collection, an AuthorizationServiceException will be thrown.
All comparisons and prefixes are case sensitive.
| Modifier and Type | Field and Description |
|---|---|
protected static org.apache.commons.logging.Log |
logger |
aclService, objectIdentityRetrievalStrategy, processConfigAttribute, processDomainObjectClass, requirePermission, sidRetrievalStrategy| Constructor and Description |
|---|
AclEntryAfterInvocationCollectionFilteringProvider(AclService aclService,
List<Permission> requirePermission) |
| Modifier and Type | Method and Description |
|---|---|
Object |
decide(org.springframework.security.core.Authentication authentication,
Object object,
Collection<org.springframework.security.access.ConfigAttribute> config,
Object returnedObject) |
getProcessDomainObjectClass, hasPermission, setObjectIdentityRetrievalStrategy, setProcessConfigAttribute, setProcessDomainObjectClass, setSidRetrievalStrategy, supports, supportspublic AclEntryAfterInvocationCollectionFilteringProvider(AclService aclService, List<Permission> requirePermission)
public Object decide(org.springframework.security.core.Authentication authentication, Object object, Collection<org.springframework.security.access.ConfigAttribute> config, Object returnedObject) throws org.springframework.security.access.AccessDeniedException
org.springframework.security.access.AccessDeniedException