ACL Problem - acl_entry needed for every domain object?
Hi, I am quite new to Spring Security and ACL. However I managed to setup some basic authorisation in my app. Now I am stuck...
I am having some domain objects "module" in my application. A list of all available modules is stored in the database. Lets say I have 3 of them with the IDs 1,2 and 3. Not every user of the app is allowed to access every module so I am trying to setup some ACL for that:
Testing the initial setup I added only one of the modules (with ID=1) to my acl_object_identy table and granted some permision to that to some user (actually to a role - but I think that does not matter here). Running my test I get the following exception (shortened it):Code:@PostFilter("hasPermission(filterObject, 'READ')") List<Module> findActiveModules();
Does that really mean I have to add each of my modules to the acl_object_identity table? I thought that if there was no entry in that table this means that there is no permission for that object and access will just be denied (instead of exception being thrown).Code:[...] Caused by: org.springframework.security.acls.model.NotFoundException: Unable to find ACL information for object identity 'org.springframework.security.acls.domain.ObjectIdentityImpl[Type: de.cominto.epad.model.domain.Module; Identifier: 2]' at org.springframework.security.acls.jdbc.JdbcAclService.readAclsById(JdbcAclService.java:114) at org.springframework.security.acls.AclPermissionCacheOptimizer.cachePermissionsFor(AclPermissionCacheOptimizer.java:56) at org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler.filter(DefaultMethodSecurityExpressionHandler.java:90) at org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice.after(ExpressionBasedPostInvocationAdvice.java:41) at org.springframework.security.access.prepost.PostInvocationAdviceProvider.decide(PostInvocationAdviceProvider.java:38) at org.springframework.security.access.intercept.AfterInvocationProviderManager.decide(AfterInvocationProviderManager.java:73) at org.springframework.security.access.intercept.AbstractSecurityInterceptor.afterInvocation(AbstractSecurityInterceptor.java:282) at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:68) [...]
Reply With Quote