
I'm developing an application using Spring 4.0.6 and Hibernate 4.2.21. I have an entity as follows:

public class A {
   @OneToMany(mappedBy="parent", fetch = FetchType.LAZY)
   private Set<A> children = new HashSet<A>(0);

   @ManyToOne(fetch = FetchType.EAGER)
   private A parent;

   /*
    *
    * Getters And Setters
    */

}

In other words, the A entity is a tree. Now I want to secure all nodes of the tree. Consider the following tree:

Node-1   
   Node-1.1
      Node-1.1.1
      Node-1.1.2
   Node-1.2
   Node-1.3
Node-2
Node-3
   Node-3.1
   Node-3.2
   Node-3.3

I secure the nodes as follows:

@PostFilter("hasPermission(filterObject, 'read')")
public List<A> getAll() {}

This code secures the nodes in the first level (Node-1, Node-2 & Node-3). Now we want to give a user read access to the Node-1, Node-1.1 & Node-1.2 nodes. How do we implement it?

Morteza Malvandi

1 Answer

You can use ACL inheritance. You'll have to add an ObjectIdentity for each child. Note that the acl_object_identity table has parent_object and entries_inheriting attributes.

Unrelated, if you are using application level filtering of large collections you should think about creating specifications which join with ACL entities so you can utilise database filtering which would improve the performance.

NikolaB
  • I add all nodes to the ACL tables, but what are the `parent_object` and `entries_inheriting` roles? – Morteza Malvandi Apr 20 '16 at 13:56
  • `parent_object` is the ID of the first-level node for all second-level nodes, and `entries_inheriting` must be set to true if you want them to have the same permissions as the parent. For the third-level nodes you have to specify the ID of the second-level node from which they are inheriting. – NikolaB Apr 20 '16 at 14:27
  • When you use `@PostFilter("hasPermission(filterObject, 'read')")`, ACL only checks first-level nodes and it does not work with children. Is it a good idea to define `@PostFilter("hasPermission(filterObject, 'read')")` in the entity class for the `getNodes` method? – Morteza Malvandi Apr 23 '16 at 03:48
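
The ACL inheritance described in the answer, written against Spring Security's `MutableAclService` as an added example (not code from the original posts). `NodeAclService`, `register` and `grantRead` are hypothetical names, and the code assumes `A` exposes `getId()` returning a `Long` alongside `getParent()`.

```java
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.transaction.annotation.Transactional;

// Hypothetical helper (not from the original post). Assumes A exposes getId()
// (a Long) and getParent(), and that a MutableAclService bean is configured.
public class NodeAclService {
    private final MutableAclService aclService;
    public NodeAclService(MutableAclService aclService) { this.aclService = aclService; }

    // Creates (or loads) the ACL of a node and links it to its parent's ACL:
    // setParent fills parent_object, setEntriesInheriting fills entries_inheriting.
    // Register parents before children; needs a transaction and an authenticated caller.
    @Transactional
    public MutableAcl register(A node, boolean inheritFromParent) {
        MutableAcl acl = loadOrCreate(node);
        if (node.getParent() != null) {
            acl.setParent(aclService.readAclById(oid(node.getParent())));
        }
        acl.setEntriesInheriting(inheritFromParent);
        return aclService.updateAcl(acl);
    }

    // Grants READ on one node; descendants whose entries_inheriting is true
    // pass hasPermission(filterObject, 'read') without an ACE of their own.
    @Transactional
    public void grantRead(A node, String username) {
        MutableAcl acl = loadOrCreate(node);
        acl.insertAce(acl.getEntries().size(), BasePermission.READ, new PrincipalSid(username), true);
        aclService.updateAcl(acl);
    }

    private MutableAcl loadOrCreate(A node) {
        try {
            return (MutableAcl) aclService.readAclById(oid(node));
        } catch (NotFoundException e) {
            return aclService.createAcl(oid(node));
        }
    }

    private ObjectIdentityImpl oid(A node) {
        return new ObjectIdentityImpl(A.class, node.getId());
    }
}
```

For the tree in the question, calling `register` with `inheritFromParent` set to true for Node-1.1 and Node-1.2 and to false for Node-1.3, Node-1.1.1 and Node-1.1.2, then calling `grantRead` on Node-1, limits the user to Node-1, Node-1.1 and Node-1.2.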