Dec 3rd, 2004, 05:59 PM
The BasicAclDao interface has the following method:
public BasicAclEntry getAcls(AclObjectIdentity aclObjectIdentity);
According to the documentation, the ACLs returned from this method are then filtered by the EffectiveAclsResolver for the specific Authentication object.
I was wondering why we can't instead have a method like the following?
public BasicAclEntry getAcls(AclObjectIdentity aclObjectIdentity, Object principal);
This way, we can have the data access code apply a more efficient mechanism for filtering the ACL list for the specific principal, rather than incurring the cost associated with returning a much larger set and applying the filtering in a separate step higher up (I assume this approach can be made an option rather than a mandate, of course).
This is a very common scenario in my application, which can have thousands or even tens of thousands of ACL entries for an object instance when it is not pre-filtered against a specific principal or a role. For obvious performance reasons, we had to roll our own solution that tightly weaves object instances with ACL information so that the filtering could occur at the lowest tier.
Any comment on this?
Dec 4th, 2004, 02:59 PM
The reason the signature includes Authentication rather than just the principal Object is because in 80% or more of cases the Authentication will have already been populated and available on the ContextHolder, or at least be inexpensive to populate due to the use of caching by Acegi Security. The other reason we use Authentication is because often permissions will be granted to a role, which is represented in the GrantedAuthority array contained in Authentication. Passing just the principal Object would have prevented the effective ACL resolver from considering role memberships in this manner.
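Added example, not part of either post and not Acegi Security code: a self-contained sketch of the point discussed in this thread, comparing ACL filtering keyed on the principal alone with filtering that also matches the roles carried by the authentication. The types `AclEntry` and `Auth`, the permission masks and the sample rows are hypothetical stand-ins constructed for illustration.

```java
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

// Added illustration: simplified stand-ins, not Acegi Security classes.
public class EffectiveAclDemo {
    // One ACL row: the recipient (a username or a role name) and a permission mask.
    record AclEntry(String recipient, int mask) {}

    // Stand-in for Authentication: the principal plus its granted authorities (roles).
    record Auth(String principal, Set<String> authorities) {}

    static final int READ = 1, WRITE = 2;

    // Principal-only filtering, as a lookup keyed on the principal alone would do.
    static List<AclEntry> filterByPrincipal(List<AclEntry> all, String principal) {
        return all.stream()
                .filter(e -> e.recipient().equals(principal))
                .collect(Collectors.toList());
    }

    // Filtering with the full authentication: rows for the principal or any held role.
    static List<AclEntry> filterByAuth(List<AclEntry> all, Auth auth) {
        return all.stream()
                .filter(e -> e.recipient().equals(auth.principal())
                        || auth.authorities().contains(e.recipient()))
                .collect(Collectors.toList());
    }

    // Combine the masks of the surviving rows into one effective permission mask.
    static int effectiveMask(List<AclEntry> entries) {
        return entries.stream().mapToInt(AclEntry::mask).reduce(0, (a, b) -> a | b);
    }

    public static void main(String[] args) {
        // Constructed sample rows for a single object instance.
        List<AclEntry> acls = List.of(
                new AclEntry("alice", READ),
                new AclEntry("ROLE_EDITOR", WRITE),
                new AclEntry("bob", READ | WRITE),
                new AclEntry("ROLE_AUDITOR", READ));
        Auth alice = new Auth("alice", Set.of("ROLE_USER", "ROLE_EDITOR"));

        int byPrincipal = effectiveMask(filterByPrincipal(acls, alice.principal()));
        int byAuth = effectiveMask(filterByAuth(acls, alice));
        System.out.println("principal only:    mask " + byPrincipal);
        System.out.println("principal + roles: mask " + byAuth);
    }
}
```

In this sketch the principal-only filter drops the `ROLE_EDITOR` row, so the two effective masks differ; a filter pushed down to the data tier would need the role names as well as the principal to return the same rows.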