2

Does Spring Security ACL support class-level permissions? For example, let's suppose I have an Asset class, and I want to allow read permissions to all instances of the Asset class to any user with role ROLE_USER. As far as I can see, ObjectIdentityImpl only accepts object instances.

Thanks

Nedo

2 Answers

3

The Spring Security ACL is not really handy for this. I would suggest you use a pre-authorize annotation instead:

@PreAuthorize("hasRole('ROLE_USER')")
public List<Asset> getAllAssets();

Make sure you have pre- and post-annotations enabled in your configuration.

holmis83

3

The org.springframework.security.acls.model.ObjectIdentity is one of the core Spring Security ACL interfaces representing the identity of an individual domain object to secure. It imposes type and identifier properties. If you need class level permissions, you can use e.g. "Class" as a type and actual class name as an identifier (e.g. "Asset" or "my.package.Asset").

Depending on the concrete scenario, it may also be necessary to implement the org.springframework.security.acls.model.ObjectIdentityRetrievalStrategy and org.springframework.security.acls.model.ObjectIdentityGenerator interfaces accordingly.

pgiecek
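
The class-level identity described in the second answer, as an added example that is not part of the original answers or of Spring Security itself. The class name ClassLevelObjectIdentityStrategy and its helper methods are hypothetical, and the code assumes the configured AclService can store a string identifier.

```java
import java.io.Serializable;
import org.springframework.security.acls.AclPermissionEvaluator;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.GrantedAuthoritySid;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.model.*;
import org.springframework.util.ClassUtils;

// Added example; the class name is hypothetical. Every instance resolves to one
// ACL identity per class: type "Class", identifier = fully qualified class name.
// Assumption: the configured AclService can store a String identifier.
public class ClassLevelObjectIdentityStrategy
        implements ObjectIdentityRetrievalStrategy, ObjectIdentityGenerator {

    public static final String CLASS_TYPE = "Class";

    public static ObjectIdentity forClass(Class<?> domainClass) {
        return new ObjectIdentityImpl(CLASS_TYPE, domainClass.getName());
    }

    // hasPermission(#asset, 'READ'): unwrap CGLIB proxies so a proxied Asset
    // still maps to the Asset ACL rather than to the proxy's class name.
    @Override
    public ObjectIdentity getObjectIdentity(Object domainObject) {
        return forClass(ClassUtils.getUserClass(domainObject));
    }

    // hasPermission(#id, 'my.package.Asset', 'READ'): the id is ignored on purpose.
    // A null type is rejected by ObjectIdentityImpl instead of matching some ACL.
    @Override
    public ObjectIdentity createObjectIdentity(Serializable id, String type) {
        return new ObjectIdentityImpl(CLASS_TYPE, type);
    }

    // Wire the strategy into the evaluator behind hasPermission(...).
    public static AclPermissionEvaluator evaluator(AclService aclService) {
        ClassLevelObjectIdentityStrategy strategy = new ClassLevelObjectIdentityStrategy();
        AclPermissionEvaluator evaluator = new AclPermissionEvaluator(aclService);
        evaluator.setObjectIdentityRetrievalStrategy(strategy);
        evaluator.setObjectIdentityGenerator(strategy);
        return evaluator;
    }

    // One-time setup: grant READ on the whole class to ROLE_USER.
    public static void grantReadToRoleUser(MutableAclService acls, Class<?> domainClass) {
        MutableAcl acl = acls.createAcl(forClass(domainClass));
        acl.insertAce(acl.getEntries().size(), BasePermission.READ,
                new GrantedAuthoritySid("ROLE_USER"), true);
        acls.updateAcl(acl);
    }
}
```

With this strategy installed, hasPermission no longer consults per-instance ACLs, so keep a separate evaluator for any class that still needs instance-level checks.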