The BasicAclDao interface has the following method:

public BasicAclEntry[] getAcls(AclObjectIdentity aclObjectIdentity);

According to the documentation, the acls returned from this method is then filtered by the EffectiveAclsResolver for the specific Authentication object.

I was wondering why can't we instead have a method like the following?

public BasicAclEntry[] getAcls(AclObjectIdentity aclObjectIdentity, Object principal);

This way, we can have the data access code to apply more efficient mechanism for filtering the acl list for the specific principal rather than incurring the cost associated with returning a much larger set and applying the filtering in a separate step higher up (I assume this approach can be made an option rather than a mandate, of course).

This is very common scenario in my application which can have thousands or even tens of thousands of acl entries for an object instance when it is not pre-filtered against a specific principal or a role. For obvious performance reason, we had to roll our own solution that tightly weaves object instances with acl information so that the filtering could occur at the lowest tier.

Any comment on this?
/Jong