Question

My question is: is it possible to secure a domain object method, and even dynamic methods like findByName?

It works very well on service methods but I can't make it work on a domain instance method or domain static method.

class Dummy {
    String name

    @PostFilter("hasPermission(filterObject, read)")
    static List<Dummy> listDummies(){
        Dummy.list();
    }
}

When called from a controller, listDummies returns all dummies even when no user is connected.

How can I make this work?

Thanks in advance for the help you could provide.


Solution

No, this isn't possible. The annotations work by triggering the creation of a proxy around the class instance you're calling. This is most convenient for Grails services since they're automatically registered as Spring beans, so the annotations are detected and they get proxied. You make the method call on the proxy, and it does the ACL check and only invokes the real method if access is allowed.

But with static methods, or dynamic Groovy methods, or methods in classes that aren't registered as Spring beans, this proxying can't happen. For this example, create an annotated service method. You can still leave all of the code in the domain class, or even use dynamic finders, but the important thing is that the access is done through the proxied service. Once that check happens, you can implement the logic however and wherever you want.
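
A sketch of the proxied-service approach described in the answer above, added here as an illustration and not part of the original answer. It assumes the Grails Spring Security ACL plugin is installed and that `Dummy` is the domain class from the question; `DummyService` and `DummyController` are hypothetical names.

```groovy
// grails-app/services/DummyService.groovy (hypothetical)
import org.springframework.security.access.prepost.PostFilter
import org.springframework.security.access.prepost.PreAuthorize

class DummyService {

    // Grails registers services as Spring beans, so these annotations are
    // detected and every call made through the injected bean goes through
    // the security proxy.
    @PreAuthorize("isAuthenticated()")                 // reject callers with no logged-in user
    @PostFilter("hasPermission(filterObject, read)")   // drop entries the caller has no ACL read permission on
    List<Dummy> listDummies() {
        // The data access can stay on the domain class.
        Dummy.list()
    }

    @PreAuthorize("isAuthenticated()")
    @PostFilter("hasPermission(filterObject, read)")
    List<Dummy> findAllByName(String name) {
        // Dynamic finders are fine here: the ACL check is attached to the
        // service method, not to the finder itself.
        Dummy.findAllByName(name)
    }
}

// grails-app/controllers/DummyController.groovy (hypothetical)
class DummyController {

    // Injected by Grails; this reference is the proxy, not the raw instance.
    DummyService dummyService

    def index() {
        // Calling Dummy.list() directly here would skip the ACL check.
        [dummies: dummyService.listDummies()]
    }
}
```

The checks run only when the call enters through the injected `dummyService` reference; a call from one method of `DummyService` to another on `this` does not pass through the proxy and is not checked.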

Licensed under: CC-BY-SA with attribution