March, Andres wrote:
I was wondering if you guys have ever considered an "after" method execution security interceptor. The reason I ask is that I have a voter that needs to retrieve the ACL entries for an object, but it needs the object to get its object identity and hence its ACL entries. For writes, I know the identity and can query for the ACL before the method executes. For reads, however, I need to retrieve the object to know its identity, since I just have some criteria passed from the client. The method intercepted knows the type of object to fetch, but the voter does not. In addition, it would be better to fetch the object only once.
The inability of the voter to know which type (class) of object it is securing is the source of my problem. It would be nice if Acegi was configurable to provide advice after the method execution. IMHO, I think this support would require a big change in the current architecture. The way I was going to get around this is to create an interceptor that placed after-advice on the method I wanted to secure and, as a last step, passed the return object as a param into a method that had the Acegi interceptor on it. Can you say HACK.
Hi Andres,
Around the time of designing the ACL package I recall someone in the Spring community was editing the domain objects returned from a method invocation, nulling values that the user did not have access to. I felt this sort of usage would be too application-specific to offer as an architecture-level component. This is why none of the ACL package is used directly by other Acegi Security packages.
Because the AclManager can be called from wherever you like, including an after advice, the present design accommodates use cases such as yours as well as the "nulling unauthorized values" case mentioned above. I don't think it a hack to add your own AfterReturningAdvice that gets the Authentication from the ContextHolder (which will contain the correct Authentication if you have the MethodSecurityInterceptor perform some check before the method is invoked) and presents it to the AclManager, throwing an AccessDeniedException if appropriate. In a webapp, the SecurityEnforcementFilter will detect the AccessDeniedException and return a 403.
Best regards,
Ben
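The post-invocation check Ben describes, written out as an added example (not code from the thread or from Acegi itself). It assumes the Acegi 0.x API of the time: ContextHolder/SecureContext for the Authentication, AclManager.getAcls(Object, Authentication) returning AclEntry[], and BasicAclEntry.isPermitted(int) for the permission test; the class name and the deny-by-default policy are this example's own choices.

```java
import java.lang.reflect.Method;
import net.sf.acegisecurity.AccessDeniedException;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.acl.AclEntry;
import net.sf.acegisecurity.acl.AclManager;
import net.sf.acegisecurity.acl.basic.BasicAclEntry;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.SecureContext;
import org.springframework.aop.AfterReturningAdvice;

/**
 * Post-invocation ACL check for read methods: the returned domain object is the
 * identity the voter could not know beforehand, so the object is fetched only once.
 * Relies on MethodSecurityInterceptor having run first so the SecureContext is populated.
 */
public class AclReadAfterReturningAdvice implements AfterReturningAdvice {
    private final AclManager aclManager;
    private final int requiredPermission; // e.g. SimpleAclEntry.READ (assumed constant)

    public AclReadAfterReturningAdvice(AclManager aclManager, int requiredPermission) {
        this.aclManager = aclManager;
        this.requiredPermission = requiredPermission;
    }

    public void afterReturning(Object returnValue, Method method, Object[] args, Object target) {
        if (returnValue == null) {
            return; // nothing fetched, nothing to protect
        }
        Authentication auth = currentAuthentication();
        AclEntry[] acls = aclManager.getAcls(returnValue, auth);
        for (int i = 0; acls != null && i < acls.length; i++) {
            if (acls[i] instanceof BasicAclEntry
                    && ((BasicAclEntry) acls[i]).isPermitted(requiredPermission)) {
                return; // an entry for this caller grants the required permission
            }
        }
        // Deny by default; in a webapp SecurityEnforcementFilter turns this into a 403.
        throw new AccessDeniedException("No ACL granting permission " + requiredPermission
                + " on object returned by " + method.getName());
    }

    private Authentication currentAuthentication() {
        Object ctx = ContextHolder.getContext();
        Authentication auth = (ctx instanceof SecureContext) ? ((SecureContext) ctx).getAuthentication() : null;
        if (auth == null) {
            throw new AccessDeniedException("No Authentication in SecureContext");
        }
        return auth;
    }
}
```

Wire it as a Spring AOP advisor on the same read method the MethodSecurityInterceptor already guards, ordered after the interceptor, so the pre-invocation check populates the context before the ACL lookup runs.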