Question

I have a question about Spring Security ACL.

In my class I have a @PreAuthorize method, and it works well:

@PreAuthorize("hasPermission(#test, write) or hasAnyRole('ROLE_ADMIN', 'ROLE_SUPERADMIN')")
public void update(Test test) {
    testRepository.save(test);
    updateDeviceAcl(test);
}

But when I want to do the same thing on a list:

@PreAuthorize("hasPermission(#test, write) or hasAnyRole('ROLE_ADMIN', 'ROLE_SUPERADMIN')")
public void update(List<Test> test) {
    testRepository.save(test);
    updateDeviceAcl(test);
}

It throws an exception:

java.lang.NoSuchMethodException: java.util.ArrayList.getId()

Is it possible to do it this way? I fully understand that the method

ArrayList.getId()

should be something like this

test.get(i).getId();

Thanks for the answer.

Solution

If the authorization only makes sense to be given to the full list, then to do this you would have to wrap the list in a list wrapper that contains a getId() method:

public class ListWrapper { 
    private List<Test> tests;

    public Serializable getId() {
        ... some id ... 
    }
}

To validate one by one, you need to annotate a method only for one test, and not the method with the loop:

public void update(List<Test> tests) {
    for (Test test : tests) {
        update(test);
    }
}

@PreAuthorize("hasPermission(#test, write) or hasAnyRole('ROLE_ADMIN', 'ROLE_SUPERADMIN')")
public void update(Test test) {
    testRepository.save(test);
    updateDeviceAcl(test);
}

If you are not using AspectJ compile-time or load-time weaving to apply the aspects, then put these two methods in separate beans and inject one into the other. Normal JDK or CGLIB proxies will not apply @PreAuthorize (or any other aspect) on reentrant calls.
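
The reentrant-call behaviour described above can be reproduced without Spring. The following is an added example, not part of the original answer: a hand-written JDK dynamic proxy stands in for the proxy Spring builds around a @PreAuthorize bean, and every name in it (SelfInvocationDemo, TestService, updateAll, SameBean, BatchBean, secured, checked) is hypothetical. It records which items the "check" actually saw when the loop lives in the same bean versus in a separate bean.

```java
import java.lang.reflect.Proxy;
import java.util.ArrayList;
import java.util.List;

// Added illustration: the proxy below is a stand-in for Spring's method-security
// proxy; it only records which update() calls passed through it.
public class SelfInvocationDemo {
    interface TestService {
        void update(String test);             // plays the @PreAuthorize method
        void updateAll(List<String> tests);   // plays the un-annotated loop method
    }

    // Items for which the stand-in permission check was evaluated.
    static final List<String> checked = new ArrayList<>();

    // Wrap a target so that update() calls arriving THROUGH the proxy are checked.
    static TestService secured(TestService target) {
        return (TestService) Proxy.newProxyInstance(
            TestService.class.getClassLoader(), new Class<?>[] {TestService.class},
            (proxy, method, args) -> {
                if (method.getName().equals("update")) checked.add((String) args[0]);
                return method.invoke(target, args);
            });
    }

    // Same bean: the loop calls this.update(), which never reaches the proxy.
    static class SameBean implements TestService {
        public void update(String test) { /* save and update ACL here */ }
        public void updateAll(List<String> tests) { for (String t : tests) update(t); }
    }

    // Separate bean: the loop calls the injected, proxied single-item service.
    static class BatchBean {
        private final TestService single;
        BatchBean(TestService single) { this.single = single; }
        void updateAll(List<String> tests) { for (String t : tests) single.update(t); }
    }

    public static void main(String[] args) {
        List<String> tests = List.of("a", "b");

        secured(new SameBean()).updateAll(tests);
        System.out.println("same bean, items checked: " + checked);

        checked.clear();
        new BatchBean(secured(new SameBean())).updateAll(tests);
        System.out.println("separate beans, items checked: " + checked);
    }
}
```

In the same-bean case the list of checked items stays empty even though every item was updated, which is the silent authorization gap the answer warns about; an integration test that calls the list method as an unprivileged user is a practical way to catch it.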

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow