AclEntryAfterInvocationCollectionFilteringProvider

Class Overview

Given a Collection of domain object instances returned from a secure object invocation, remove any Collection elements the principal does not have appropriate permission to access as defined by the AclService.

The AclService is used to retrieve the access control list (ACL) permissions associated with each Collection domain object instance element for the current Authentication object.

This after invocation provider will fire if any getAttribute() matches the processConfigAttribute. The provider will then lookup the ACLs from the AclService and ensure the principal is Acl.isGranted() when presenting the requirePermission array to that method.

If the principal does not have permission, that element will not be included in the returned Collection.

Often users will setup a BasicAclEntryAfterInvocationProvider with a processConfigAttribute of AFTER_ACL_COLLECTION_READ and a requirePermission of BasePermission.READ. These are also the defaults.

If the provided returnObject is null, a nullCollection will be returned. If the provided returnObject is not a Collection, an AuthorizationServiceException will be thrown.

All comparisons and prefixes are case sensitive.

Summary

[Expand] Inherited Fields
From class org.springframework.security.acls.afterinvocation.AbstractAclProvider protected final AclService aclService protected ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy protected String processConfigAttribute protected Class<?> processDomainObjectClass protected final List<Permission> requirePermission protected SidRetrievalStrategy sidRetrievalStrategy

[Expand] Inherited Methods
From class org.springframework.security.acls.afterinvocation.AbstractAclProvider Class<?> getProcessDomainObjectClass() boolean hasPermission(Authentication authentication, Object domainObject) void setObjectIdentityRetrievalStrategy(ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy) void setProcessConfigAttribute(String processConfigAttribute) void setProcessDomainObjectClass(Class<?> processDomainObjectClass) void setSidRetrievalStrategy(SidRetrievalStrategy sidRetrievalStrategy) boolean supports(Class<?> clazz) This implementation supports any type of class, because it does not query the presented secure object. boolean supports(ConfigAttribute attribute) Indicates whether this AfterInvocationProvider is able to participate in a decision involving the passed ConfigAttribute.
From class java.lang.Object Object clone() boolean equals(Object arg0) void finalize() final Class<?> getClass() int hashCode() final void notify() final void notifyAll() String toString() final void wait() final void wait(long arg0, int arg1) final void wait(long arg0)
From interface org.springframework.security.access.AfterInvocationProvider abstract Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> attributes, Object returnedObject) abstract boolean supports(Class<?> clazz) Indicates whether the AfterInvocationProvider is able to provide "after invocation" processing for the indicated secured object type. abstract boolean supports(ConfigAttribute attribute) Indicates whether this AfterInvocationProvider is able to participate in a decision involving the passed ConfigAttribute.