Marco Mistroni wrote:

for both contactManagerSecurity and TransactionInterceptor.
I assume they have something to do with authorization using
MethodInterceptor, but I cannot figure out the meaning, for example,
of
sample.contact.Contact:1 for object_identity column in
acl_object_identity, and I can't understand what is the purpose of the
acl_permission table, in particular the mask column and acl_object
identity

Can anyone give me some explanation on how the acl_permission and
acl_object_identity should be populated?

Hi Marco

Have you had a chance to review the reference documentation at http://acegisecurity.sourceforge.net/docbook/acegi.html#acls?

If we take the sample data:

INSERT INTO acl_object_identity VALUES (1, 'corp.DomainObject:1', null, 
'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
INSERT INTO acl_object_identity VALUES (2, 'corp.DomainObject:2', 1, 
'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
INSERT INTO acl_object_identity VALUES (3, 'corp.DomainObject:3', 1, 
'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
INSERT INTO acl_object_identity VALUES (4, 'corp.DomainObject:4', 1, 
'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
INSERT INTO acl_object_identity VALUES (5, 'corp.DomainObject:5', 3, 
'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
INSERT INTO acl_object_identity VALUES (6, 'corp.DomainObject:6', 3, 
'net.sf.acegisecurity.acl.basic.SimpleAclEntry');

INSERT INTO acl_permission VALUES (null, 1, 'ROLE_SUPERVISOR', 1);
INSERT INTO acl_permission VALUES (null, 2, 'ROLE_SUPERVISOR', 0);
INSERT INTO acl_permission VALUES (null, 2, 'marissa', 2);
INSERT INTO acl_permission VALUES (null, 3, 'scott', 14);
INSERT INTO acl_permission VALUES (null, 6, 'scott', 1);


What is basically happening is acl_object_identity represents a domain object instance. corp.DomainObject:1 is the Java classname + ":" + identifier of the domain object instance. So that inheritance works, the acl_object_identity table identifies the parent acl_object_identity record (or null if it has no parent). Accordingly, in the above example, DomainObject #2 and #3 and #4 all share the same parent, DomainObject #1.

There is a one-to-many relationship between acl_object_identity and acl_permission, i.e. one acl_object_identity has many acl_permissions. In the example above, DomainObject #2 has two acl_permissions (for "ROLE_SUPERVISOR" and "marissa").

The acl_permission table specifies which acl_object_identity record it applies to, the "recipient" (usually a username or role name), and the integer mask that applies. So if we take the last acl_permission example above, it applies to acl_object_identity #6, and gives "scott" the permissions identified by integer mask 1.

Hope this clears things up.

Ben
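
The parent lookup and mask columns described in the reply above, as an added example that is not part of the original message and is not Acegi's own code: it loads the same sample rows into an in-memory SQLite database and computes the masks that apply to each domain object. Assumptions: the column names parent_object, acl_class and recipient, the rule that the entry nearest the object wins over an inherited entry for the same recipient, and the bit names, which are taken from SimpleAclEntry's constants and do not appear in the thread.

```python
import sqlite3

# Assumed bit names (SimpleAclEntry constants); the thread does not list them.
BITS = {1: "ADMINISTRATION", 2: "READ", 4: "WRITE", 8: "CREATE", 16: "DELETE"}

# Assumed schema: parent_object, acl_class and recipient are not named in the thread.
SCHEMA = """
CREATE TABLE acl_object_identity (id INTEGER PRIMARY KEY, object_identity TEXT UNIQUE,
    parent_object INTEGER REFERENCES acl_object_identity(id), acl_class TEXT);
CREATE TABLE acl_permission (id INTEGER PRIMARY KEY,
    acl_object_identity INTEGER REFERENCES acl_object_identity(id),
    recipient TEXT, mask INTEGER);
"""
ACL = "net.sf.acegisecurity.acl.basic.SimpleAclEntry"
IDENTITIES = [(1, None), (2, 1), (3, 1), (4, 1), (5, 3), (6, 3)]  # (id, parent) rows above
PERMISSIONS = [(1, "ROLE_SUPERVISOR", 1), (2, "ROLE_SUPERVISOR", 0),
               (2, "marissa", 2), (3, "scott", 14), (6, "scott", 1)]

def load():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO acl_object_identity VALUES (?, ?, ?, ?)",
                   [(i, f"corp.DomainObject:{i}", p, ACL) for i, p in IDENTITIES])
    db.executemany("INSERT INTO acl_permission VALUES (null, ?, ?, ?)", PERMISSIONS)
    return db

def effective_masks(db, object_identity):
    """Walk from the object up through parent_object; nearest entry per recipient wins."""
    row = db.execute("SELECT id, parent_object FROM acl_object_identity "
                     "WHERE object_identity = ?", (object_identity,)).fetchone()
    masks, seen = {}, set()
    while row is not None and row[0] not in seen:   # 'seen' guards against parent cycles
        seen.add(row[0])
        for recipient, mask in db.execute(
                "SELECT recipient, mask FROM acl_permission "
                "WHERE acl_object_identity = ? ORDER BY id", (row[0],)):
            masks.setdefault(recipient, mask)       # an inherited entry never overrides
        row = db.execute("SELECT id, parent_object FROM acl_object_identity "
                         "WHERE id = ?", (row[1],)).fetchone()
    return masks

def decode(mask):
    return [name for bit, name in BITS.items() if mask & bit] or ["NOTHING"]

if __name__ == "__main__":
    db = load()
    for n in range(1, 7):
        oid = f"corp.DomainObject:{n}"
        print(oid, {r: decode(m) for r, m in effective_masks(db, oid).items()})
```

Under these assumptions the mask 0 row on DomainObject #2 is what removes the ROLE_SUPERVISOR permission inherited from #1, so when reviewing such tables a zero mask should be read as an explicit revocation, not an empty row.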

