
I'm trying to use Spring Security's readAclsById method in JdbcMutableAclService to retrieve ACLs that are filtered by the SIDs. However, ACLs that are not applicable to the passed-in SIDs are returned.

I'm creating the ACL entry using the username:

import java.util.List;

import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.ObjectIdentityRetrievalStrategy;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid;

// Injected collaborators (JdbcMutableAclService implements MutableAclService).
private MutableAclService aclService;
private ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy;

public void add(Object domainObject, String username, List<Permission> permissions) {
    MutableAcl acl;

    ObjectIdentity oid = objectIdentityRetrievalStrategy
            .getObjectIdentity(domainObject);
    // The ACEs are keyed on the principal name, not on any granted authority.
    Sid recipient = new PrincipalSid(username);
    try {
        acl = (MutableAcl) aclService.readAclById(oid);
    } catch (NotFoundException nfe) {
        // No ACL exists for this object yet, so create an empty one.
        acl = aclService.createAcl(oid);
    }
    for (Permission permission : permissions) {
        // Append one granting ACE per permission at the end of the entry list.
        acl.insertAce(acl.getEntries().size(), permission, recipient, true);
    }
    aclService.updateAcl(acl);
}

And I'm retrieving ACLs via the Authentication object:

import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.springframework.security.acls.model.AccessControlEntry;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.core.Authentication;

public Map<ObjectIdentity, Acl> readAcls(Authentication authentication, List<?> domainObjects) {
    // SIDs for the current user: a PrincipalSid plus one GrantedAuthoritySid per authority.
    List<Sid> sids = sidRetrievalStrategy.getSids(authentication);

    List<ObjectIdentity> identities = new ArrayList<>(domainObjects.size());
    for (Object domainObject : domainObjects) {
        identities.add(objectIdentityRetrievalStrategy.getObjectIdentity(domainObject));
    }

    Map<ObjectIdentity, Acl> acls = aclService.readAclsById(identities, sids);

    // see what permissions the user has for these objects
    for (Map.Entry<ObjectIdentity, Acl> entry : acls.entrySet()) {
        Acl acl = entry.getValue();
        // entries that are not applicable to the SIDs are returned
        List<AccessControlEntry> entries = acl.getEntries();
    }
    return acls;
}

If I log in as another username and try to retrieve the ACLs via readAclsById, I also get AccessControlEntry values that belong to the other usernames. Am I using AclService correctly?


1 Answer


I found the answer after some digging around the source code: the default implementation uses BasicLookupStrategy which ignores the SIDs by default.

answered 2016-03-01T04:19:36.310
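An added example (not code from the question or the answer) of working with what readAclsById actually returns: because the loaded Acl carries every ACE for the object, narrow the entries to the caller's Sid list only for display, and let Acl.isGranted make the access decision rather than reading other principals' entries as if they were the user's. It uses the Spring Security ACL types already named on the page; AclSidFilter and its method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.acls.model.AccessControlEntry;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid;

// Hypothetical helper; the method names are assumptions, not Spring API.
public final class AclSidFilter {

    private AclSidFilter() {
    }

    /** Keep only the ACEs whose Sid is one of the caller's Sids (PrincipalSid and
     *  GrantedAuthoritySid both implement equals, so contains() works here). */
    public static List<AccessControlEntry> entriesFor(Acl acl, List<Sid> sids) {
        List<AccessControlEntry> applicable = new ArrayList<>();
        for (AccessControlEntry ace : acl.getEntries()) {
            if (sids.contains(ace.getSid())) {
                applicable.add(ace);
            }
        }
        return applicable;
    }

    /** Authoritative check: the ACL (including parent inheritance and deny ACEs)
     *  decides whether any of the caller's Sids holds the permission. */
    public static boolean hasPermission(Acl acl, List<Sid> sids, Permission permission) {
        try {
            return acl.isGranted(Collections.singletonList(permission), sids, false);
        } catch (NotFoundException nfe) {
            // No ACE for any of these Sids matched the permission: treat as denied.
            return false;
        }
    }

    /** Evaluate one permission across the map returned by readAclsById. */
    public static Map<ObjectIdentity, Boolean> decide(Map<ObjectIdentity, Acl> acls,
                                                      List<Sid> sids, Permission permission) {
        Map<ObjectIdentity, Boolean> decisions = new LinkedHashMap<>();
        for (Map.Entry<ObjectIdentity, Acl> entry : acls.entrySet()) {
            decisions.put(entry.getKey(), hasPermission(entry.getValue(), sids, permission));
        }
        return decisions;
    }
}
```

Objects whose ACL could not be found are absent from the map readAclsById returns, so callers should treat a missing key as denied as well.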