Tim Kettering wrote:



Like say, if I made a method call to return all items in the database between dates A and B. I would need to run the security check on the collection after the data load to ensure that only the allowed objects are loaded.


It sure can. The filtering takes place when a Collection is returned from a secured method. For example, in the Contacts sample we now have a ContactManager method: public List getAll(). This just returns all Contacts in the database. We then have the following defined against the MethodSecurityInterceptor:

sample.contact.ContactManager.getAll=ROLE_USER,AFTER_ACL_COLLECTION_READ

ROLE_USER is a "before" invocation voter, as you'd know from the normal RoleVoter implementation.

AFTER_ACL_COLLECTION_READ calls the following "after" invocation voter:

<bean id="afterAclCollectionRead" class="net.sf.acegisecurity.afterinvocation.BasicAclEntryAfterInvocationCollectionFilteringProvider">
  <property name="aclManager"><ref local="aclManager"/></property>
  <property name="requirePermission">
    <list>
      <value>1</value> <!-- SimpleAclEntry.ADMINISTER -->
      <value>2</value> <!-- SimpleAclEntry.READ -->
    </list>
  </property>
</bean>


This filters the returned Collection so it only contains elements for which an ACL "administer" or "read" permission exists (BTW if someone has time to write something or show me a better way of defining an int[] using static variables, it would be great).

Best regards
Ben
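
The filtering step described in the message above, as an added stand-alone Java sketch; it is not Acegi Security source and not code from the original post. The class, the method names, the in-memory ACL map and the sample principals are hypothetical, and it assumes permissions are stored as bit masks, with 1 and 2 taken from the bean definition and 4 made up for the sample data.

```java
import java.util.*;

// Added illustration, not Acegi Security source. All names here are hypothetical.
public class AfterAclCollectionReadDemo {
    static final int ADMINISTER = 1, READ = 2;   // values from the bean definition in the message
    static final int WRITE = 4;                  // assumed extra bit, used only in the sample data

    // Constructed ACL store: contact id -> (principal -> permission mask).
    static final Map<Integer, Map<String, Integer>> ACLS = new HashMap<>();
    static {
        ACLS.put(1, Map.of("alice", ADMINISTER));
        ACLS.put(2, Map.of("alice", READ | WRITE, "bob", READ));
        ACLS.put(3, Map.of("bob", WRITE));       // bob holds neither "administer" nor "read" here
        // contact 4 deliberately has no ACL entries at all
    }

    // True if the principal's mask for this object contains any one of the required permissions.
    static boolean permitted(String principal, int contactId, int[] requirePermission) {
        Integer mask = ACLS.getOrDefault(contactId, Map.of()).get(principal);
        if (mask == null) return false;          // no ACL entry for this principal: fail closed
        for (int p : requirePermission) {
            if ((mask & p) == p) return true;
        }
        return false;
    }

    // The "after" step: runs on the value the secured method already returned and
    // drops every element the caller holds no required permission for.
    static List<Integer> filter(String principal, List<Integer> returned, int[] requirePermission) {
        List<Integer> visible = new ArrayList<>(returned);   // never mutate the caller's collection
        visible.removeIf(id -> !permitted(principal, id, requirePermission));
        return visible;
    }

    public static void main(String[] args) {
        List<Integer> all = List.of(1, 2, 3, 4); // stands in for what getAll() loaded from the database
        int[] require = {ADMINISTER, READ};
        for (String who : List.of("alice", "bob", "carol")) {
            System.out.println(who + " sees contacts " + filter(who, all, require));
        }
    }
}
```

The filter runs only after the full result set has been loaded, so the "before" check (ROLE_USER) still decides whether the method may be called at all.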


