Jul 5th, 2012, 06:40 AM
ACL post filter and paging issue
I want to implement ACL-based authorization and was looking at the contacts sample app from the spring-security distro. The issue is how paging works in conjunction with an ACL-based post method invocation filter. If my annotation is on a ServiceObject method, during the method call the DAO would have fired the paged query oblivious of the ACL constraints and returned a list of a pageful of data. Now as the post invocation filter works on this list and removes items, paging goes for a toss. While I like the clear separation of concerns brought about by the new spring-security 3.0 ACL implementation, is there any solution that does this by decorating the query instead of at the method invocation level? Or is there any way that can maintain paging?
Doing paging after the method returns is not optimal.
Jul 5th, 2012, 03:35 PM
Spring Security is meant to complement the queries (i.e. provide security in layers). You still need to update the queries to select the correct data in order to do paging.
Jul 5th, 2012, 11:17 PM
Thanks Rob for the reply! And yes, that's where my question is: say I do the paging in the query and return a result set, and out of that set postFilter filters out objects that do not meet the criteria. Hence my result set has fewer objects than returned by the query, which breaks paging, and the reason, as you can see, is that paging and the security filter happen at different places, specifically paging runs before the security filter rather than the other way round. So is there any implementation in Spring that helps address this issue?
Jul 6th, 2012, 04:20 PM
No, Spring Security does not provide a way to update your queries dynamically. The intent behind the annotations is to complement the query (i.e. double check that things are working). If you want to automatically update your queries, this is probably a better question for the data access framework you are using.
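Added example, not part of any post in this thread and not Spring Security code: a plain-Java simulation of the two orderings discussed above, paging before the permission filter versus putting the permission constraint in the query itself. The class name, the ten-row table and the `CAN_READ` predicate (standing in for an ACL READ check) are constructed for illustration.

```java
import java.util.*;
import java.util.function.Predicate;
import java.util.stream.*;

public class AclPagingDemo {
    record Contact(long id) {}

    // Constructed sample table: contacts 1..10, ordered by id.
    static final List<Contact> TABLE = LongStream.rangeClosed(1, 10)
            .mapToObj(Contact::new).collect(Collectors.toList());

    // Assumption: the current user may READ only even ids (stand-in for the ACL lookup).
    static final Predicate<Contact> CAN_READ = c -> c.id() % 2 == 0;

    // Stand-in for the DAO: WHERE <where> ORDER BY id LIMIT size OFFSET page*size.
    static List<Contact> pagedQuery(int page, int size, Predicate<Contact> where) {
        return TABLE.stream().filter(where)
                .skip((long) page * size).limit(size).collect(Collectors.toList());
    }

    // Ordering from the question: the DAO pages without knowing about the ACL,
    // then the returned list is filtered, as a post-invocation filter would do.
    static List<Contact> pageThenFilter(int page, int size) {
        return pagedQuery(page, size, c -> true).stream()
                .filter(CAN_READ).collect(Collectors.toList());
    }

    // Ordering from the reply: the permission constraint is part of the query,
    // so OFFSET/LIMIT count only rows the user can see. The post filter stays on
    // as a second layer and should remove nothing if the query is correct.
    static List<Contact> filterInQueryThenRecheck(int page, int size) {
        List<Contact> rows = pagedQuery(page, size, CAN_READ);
        List<Contact> checked = rows.stream().filter(CAN_READ).collect(Collectors.toList());
        if (checked.size() != rows.size()) {
            // The query returned a row the ACL check rejects: a query bug worth alerting on.
            throw new IllegalStateException("query returned rows the ACL check rejects");
        }
        return checked;
    }

    public static void main(String[] args) {
        int size = 4;
        for (int page = 0; page < 3; page++) {
            System.out.println("page " + page
                    + " | page-then-filter: " + pageThenFilter(page, size)
                    + " | filter-in-query: " + filterInQueryThenRecheck(page, size));
        }
    }
}
```

In the page-then-filter column each page comes back shorter than the requested size even though more readable rows exist; with the constraint in the query, pages fill up and only the final page is short.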