Question

I am trying to secure a new app with Spring Security ACL, and after some reading I have a problem with the permissions for each ACE. I was expecting that if a principal has the ADMINISTRATION permission (16) over a domain object instance, it would be able to access a method with this annotation:

@Override
@PostFilter("hasPermission(filterObject, 'READ')")
public List<Project> findAllProjects() {
    TypedQuery<Project> tq = em.createNamedQuery("Project:findAll", Project.class);
    List<Project> projects = tq.getResultList();
    return projects;
}

but with

@PostFilter("hasPermission(filterObject, 'ADMINISTRATION') OR hasPermission(filterObject, 'READ')")

it seems to work.
So, my question is: aren't these permissions hierarchical?
I mean, why do I have to explicitly specify the admin permission on a method that requires the read permission? Isn't admin "bigger" than read?
I was thinking that if I grant a user the admin permission, the user would be able to access all the methods/objects protected with "lower" operations (C, R, U, D) than admin.


Solution

Short answer: No, permissions are not hierarchical out-of-the-box.

If you want them to be hierarchical, you need to make a custom implementation of PermissionEvaluator or similar.
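The reason the stock setup is not hierarchical is that BasePermission masks are independent bit flags (READ=1, WRITE=2, CREATE=4, DELETE=8, ADMINISTRATION=16) and the default granting strategy matches an ACE by exact mask equality, so an ACE holding 16 never satisfies a check for 1. One way to get the behaviour the question expects, as an added example that is not part of the original answer: wrap Spring Security's own AclPermissionEvaluator in a PermissionEvaluator that widens every request into "the requested permission OR any permission that implies it". The class name, the IMPLIES policy (ADMINISTRATION implies the other four) and the AclService wiring are assumptions; the Spring Security classes and the fact that AclPermissionEvaluator accepts a Permission[] and grants if any element is granted are real API behaviour.

```java
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.acls.AclPermissionEvaluator;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.DefaultPermissionFactory;
import org.springframework.security.acls.model.AclService;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.PermissionFactory;
import org.springframework.security.core.Authentication;

/**
 * Hypothetical PermissionEvaluator (example code, not Spring Security's own) that
 * layers a permission hierarchy on top of the stock AclPermissionEvaluator:
 * an ACE granting ADMINISTRATION (mask 16) also satisfies READ, WRITE, CREATE
 * and DELETE. The stored ACL is untouched; only the question asked of it changes.
 */
public class HierarchicalAclPermissionEvaluator implements PermissionEvaluator {

    /** Assumed policy: superior permission -> permissions it implies. */
    private static final Map<Permission, List<Permission>> IMPLIES = Map.of(
            BasePermission.ADMINISTRATION, List.of(
                    BasePermission.READ, BasePermission.WRITE,
                    BasePermission.CREATE, BasePermission.DELETE));

    private final AclPermissionEvaluator delegate;
    private final PermissionFactory permissionFactory = new DefaultPermissionFactory();

    public HierarchicalAclPermissionEvaluator(AclService aclService) {
        this.delegate = new AclPermissionEvaluator(aclService);
    }

    @Override
    public boolean hasPermission(Authentication authentication, Object domainObject, Object permission) {
        // AclPermissionEvaluator accepts a Permission[] and grants if ANY element is
        // granted by the ACL, so a single ACL lookup covers READ-or-ADMINISTRATION.
        return delegate.hasPermission(authentication, domainObject, widen(permission));
    }

    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId,
                                 String targetType, Object permission) {
        return delegate.hasPermission(authentication, targetId, targetType, widen(permission));
    }

    /** Turns 'READ' (or 1, or BasePermission.READ) into [READ, ADMINISTRATION]. */
    Permission[] widen(Object requested) {
        Permission base = resolve(requested);
        List<Permission> candidates = new ArrayList<>();
        candidates.add(base);
        IMPLIES.forEach((superior, implied) -> {
            if (implied.contains(base) && !candidates.contains(superior)) {
                candidates.add(superior);
            }
        });
        return candidates.toArray(new Permission[0]);
    }

    /** Mirrors the forms AclPermissionEvaluator itself accepts in SpEL. */
    private Permission resolve(Object requested) {
        if (requested instanceof Permission) {
            return (Permission) requested;
        }
        if (requested instanceof Integer) {
            return permissionFactory.buildFromMask((Integer) requested);
        }
        if (requested instanceof String) {
            String name = ((String) requested).trim();
            try {
                return permissionFactory.buildFromName(name.toUpperCase());
            } catch (IllegalArgumentException unknownName) {
                // Not a registered name such as READ; fall back to a numeric mask like "16".
                return permissionFactory.buildFromMask(Integer.parseInt(name));
            }
        }
        throw new IllegalArgumentException("Unsupported permission: " + requested);
    }
}
```

Register it on the method-security expression handler (for example `DefaultMethodSecurityExpressionHandler.setPermissionEvaluator(new HierarchicalAclPermissionEvaluator(aclService))`) in place of the plain AclPermissionEvaluator; after that, `@PostFilter("hasPermission(filterObject, 'READ')")` alone lets ADMINISTRATION holders through. Two caveats: because the widened array is evaluated as an OR, an explicit denying ACE on READ no longer blocks a principal who also holds a granting ADMINISTRATION ACE, so decide whether that matches your policy before adopting it; and the hierarchy lives only in this evaluator, so anything that calls `Acl.isGranted` directly still sees flat permissions.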

Licensed under: CC-BY-SA with attribution