Thread: Domain object instance security

  1. #11

    Quote: originally posted by abhinav_ind
    Hi vijay,
    I'm a bit confused by this security example, Contacts. Can you tell me how domain object security is implemented in this example? In the authorization context file I can see that a voter is applied with permission on the domain object Contact, but while debugging the voter doesn't play any role. Which user should be able to access which contact is handled by the after-invocation handler. From this I get that the voter has no role in domain object security. It is just the tables in which we store the user-permission-domainObject relation which are checked afterInvocation. Please, if you can take out 5 minutes to explain this, I will be grateful to you.
    Thanks,
    abhinav

    Hi Abhinav,

    Not sure if this is the answer to your question, but it sounds like the same question I had on this, recently -- where/when does the ACL stuff get used?

    The answer to that question is that there is an interceptor specified in one of the Spring XML files, around the "getAll()" method. That interceptor redirects control to the voter and the whole authorization procedure.

    Hard to catch, even with a debugger. Hope that helps.

    Peter

  2. #12

    Thanks Peter

    I already understood the process of authorization, but forgot to reply on this post. Yes, you are right that it's tough to debug; after some patience I was able to crack it. Earlier I thought that it fetches only those records that the user is authorised for, but I found out that it first fetches all the records and the Acl service filters out the unauthorised records using CollectionFilterer.

    Abhinav
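
The behaviour described in the last post (fetch every record, then filter by ACL after the method returns) as an added example that is not part of the thread and not Spring Security's own code. It is a plain-Java model; every class, method and data value in it is hypothetical and constructed for illustration.

```java
import java.util.*;

// Added illustration: plain-Java model of after-invocation collection filtering.
// All names are hypothetical; this is not the Spring Security API.
public class AfterInvocationFilterDemo {
    record Contact(long id, String name) {}

    // Stand-in for the ACL tables: contact id -> users granted READ (constructed data).
    static final Map<Long, Set<String>> READ_ACL = Map.of(
        1L, Set.of("rod", "dianne"),
        2L, Set.of("rod"),
        3L, Set.of("scott"));

    // Stand-in for the DAO: returns every row, with no knowledge of the caller.
    static List<Contact> getAll() {
        return List.of(new Contact(1, "John"), new Contact(2, "Mike"),
                       new Contact(3, "Anna"), new Contact(4, "NoAclEntry"));
    }

    // The step that runs after the method returns: drop what the user cannot READ.
    // A contact with no ACL entry at all is denied (fail closed).
    static List<Contact> filterReadable(String user, Collection<Contact> all) {
        List<Contact> allowed = new ArrayList<>();
        for (Contact c : all) {
            if (READ_ACL.getOrDefault(c.id(), Set.of()).contains(user)) {
                allowed.add(c);
            }
        }
        return Collections.unmodifiableList(allowed);
    }

    // What a caller sees when the interceptor wraps getAll().
    static List<Contact> securedGetAll(String user) {
        return filterReadable(user, getAll());
    }

    public static void main(String[] args) {
        int fetched = getAll().size();
        for (String user : List.of("rod", "dianne", "scott", "nobody")) {
            List<Contact> visible = securedGetAll(user);
            System.out.println(user + ": fetched " + fetched + ", returned " + visible);
        }
    }
}
```

The model makes two properties of this design visible: the query cost is that of the whole table regardless of how few records the user may read, and any code path that calls `getAll()` without going through the filtering step receives the unfiltered list.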
