Thread: Should AclImpl allow duplicate permissions?

  1. #1

    Hi All,

    I'm struggling with permissions here. I have the following code (from denksoft) which allows me to add permissions to secured objects.

    public void addPermission(Entity<? extends Serializable> secureEntity, Sid recipient, Permission permission, Class<?> clazz) {
        MutableAcl acl;
        ObjectIdentity oid = new ObjectIdentityImpl(clazz.getCanonicalName(), secureEntity.getId());

        // Load the existing ACL for this object, or create one if none exists yet
        try {
            acl = (MutableAcl) mutableAclService.readAclById(oid);
        } catch (NotFoundException nfe) {
            acl = mutableAclService.createAcl(oid);
        }

        // Append a granting entry at the end of the ACL and persist it
        acl.insertAce(acl.getEntries().length, permission, recipient, true);
        mutableAclService.updateAcl(acl);

        if (logger.isDebugEnabled()) {
            logger.debug("Added permission " + permission + " for Sid " + recipient + " secureEntity " + secureEntity);
        }
    }

    When I make successive calls to addPermission for the same secure object, recipient and permission I end up with multiple ACL entries all representing the same permission. Is this the expected behaviour? I expected that identical permissions would somehow be filtered out.

    I have looked closely at the source and can't see anything that implements what I expected, but I wondered if I am missing something - maybe I need to implement this myself, or is there a reason for this functionality?

    My main issue occurs when I then attempt to delete a permission from the ACL using the following (again from denksoft, similar to the spring-security contacts example).

    public void deletePermission(Entity<? extends Serializable> secureEntity, Sid recipient, Permission permission, Class<?> clazz) {
        ObjectIdentity oid = new ObjectIdentityImpl(clazz.getCanonicalName(), secureEntity.getId());
        MutableAcl acl = (MutableAcl) mutableAclService.readAclById(oid);

        // Remove all permissions associated with this particular recipient (string equality to KISS)
        AccessControlEntry[] entries = acl.getEntries();

        for (int i = 0; i < entries.length; i++) {
            if (entries[i].getSid().equals(recipient) && entries[i].getPermission().equals(permission)) {
                acl.deleteAce(i);
            }
        }

        mutableAclService.updateAcl(acl);

        if (logger.isDebugEnabled()) {
            logger.debug("Deleted secureEntity " + secureEntity + " ACL permissions for recipient " + recipient);
        }
    }

    It seems that because I have been able to add duplicates to the underlying ACL, when these permissions are then deleted I end up getting IndexOutOfBounds exceptions.

    Is this the expected behavior? I have used quite a bit of guess work getting to this point so I could easily be doing something wrong.

  2. #2

    Any thoughts on this?

  3. #3
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team

    I can reproduce the same behaviour in the contacts sample, so either the application should be modified to check for an existing entry each time it tries to add a new one, or the framework should take care of it. My best guess is that the framework should raise a suitable exception if possible and the app should be relied on to do the checking.

    Can you raise a Jira issue please?
    Spring - by Pivotal
    twitter @tekul

  4. #4

    Sure. Will do that now. Thanks for looking into it.
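
The application-side check suggested in reply #3, together with a removal loop that tolerates duplicates, as an added example that is not part of any post in this thread and is not Spring Security code. It uses a simplified in-memory stand-in for an index-addressed ACL; the class `AclDedupExample`, the record `Ace`, the sid "alice" and the mask value 1 are all assumptions made for illustration (Java 16+ for records).

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of an ordered, index-addressed ACL. Not Spring Security's AclImpl.
public class AclDedupExample {
    record Ace(String sid, int mask, boolean granting) {}

    private final List<Ace> entries = new ArrayList<>();

    /** Appends a granting entry only if an identical one is not already present. */
    boolean addPermission(String sid, int mask) {
        Ace ace = new Ace(sid, mask, true);
        if (entries.contains(ace)) {   // record equality compares all fields
            return false;              // already granted, nothing inserted
        }
        entries.add(ace);
        return true;
    }

    /** Removes every matching entry. Walking from the end means a removal
     *  never shifts the index of an entry that has not been visited yet. */
    int deletePermission(String sid, int mask) {
        int removed = 0;
        for (int i = entries.size() - 1; i >= 0; i--) {
            Ace e = entries.get(i);
            if (e.sid().equals(sid) && e.mask() == mask) {
                entries.remove(i);     // remove(int index), not remove(Object)
                removed++;
            }
        }
        return removed;
    }

    /** True while at least one granting entry for (sid, mask) remains. */
    boolean isGranted(String sid, int mask) {
        return entries.stream()
                .anyMatch(e -> e.granting() && e.sid().equals(sid) && e.mask() == mask);
    }

    public static void main(String[] args) {
        AclDedupExample acl = new AclDedupExample();
        // Constructed sample data: two identical grant requests in a row.
        System.out.println("first add inserted:  " + acl.addPermission("alice", 1));
        System.out.println("second add inserted: " + acl.addPermission("alice", 1));
        // Simulate duplicates left behind by earlier unchecked inserts.
        acl.entries.add(new Ace("alice", 1, true));
        acl.entries.add(new Ace("alice", 1, true));
        System.out.println("entries removed:     " + acl.deletePermission("alice", 1));
        System.out.println("still granted:       " + acl.isGranted("alice", 1));
    }
}
```

The final `isGranted` check is the one that matters for access control: a revoke that leaves any duplicate granting entry behind has not actually revoked the permission.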
