Class AclEntryAfterInvocationCollectionFilteringProvider
- All Implemented Interfaces:
AfterInvocationProvider
Given a Collection
of domain object instances returned from a secure
object invocation, remove any Collection
elements the principal does not
have appropriate permission to access as defined by the AclService
.
The AclService
is used to retrieve the access control list (ACL)
permissions associated with each Collection
domain object instance element
for the current Authentication
object.
This after invocation provider will fire if any ConfigAttribute.getAttribute()
matches the AbstractAclProvider.processConfigAttribute
. The provider will then lookup the ACLs
from the AclService
and ensure the principal is
Acl.isGranted()
when presenting the AbstractAclProvider.requirePermission
array to that method.
If the principal does not have permission, that element will not be included in the
returned Collection
.
Often users will setup a BasicAclEntryAfterInvocationProvider
with a
AbstractAclProvider.processConfigAttribute
of AFTER_ACL_COLLECTION_READ
and a
AbstractAclProvider.requirePermission
of BasePermission.READ
. These are also the
defaults.
If the provided returnObject
is null
, a null
Collection
will be returned. If the provided returnObject
is
not a Collection
, an AuthorizationServiceException
will be thrown.
All comparisons and prefixes are case sensitive.
-
Field Summary
Fields inherited from class org.springframework.security.acls.afterinvocation.AbstractAclProvider
aclService, objectIdentityRetrievalStrategy, processConfigAttribute, processDomainObjectClass, requirePermission, sidRetrievalStrategy
-
Constructor Summary
ConstructorDescriptionAclEntryAfterInvocationCollectionFilteringProvider
(AclService aclService, List<Permission> requirePermission) -
Method Summary
Modifier and TypeMethodDescriptiondecide
(Authentication authentication, Object object, Collection<ConfigAttribute> config, Object returnedObject) Methods inherited from class org.springframework.security.acls.afterinvocation.AbstractAclProvider
getProcessDomainObjectClass, hasPermission, setObjectIdentityRetrievalStrategy, setProcessConfigAttribute, setProcessDomainObjectClass, setSidRetrievalStrategy, supports, supports
-
Field Details
-
logger
protected static final org.apache.commons.logging.Log logger
-
-
Constructor Details
-
AclEntryAfterInvocationCollectionFilteringProvider
public AclEntryAfterInvocationCollectionFilteringProvider(AclService aclService, List<Permission> requirePermission)
-
-
Method Details
-
decide
public Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> config, Object returnedObject) throws AccessDeniedException - Throws:
AccessDeniedException
-