I'm trying to use Spring Security's readAclsById method in JdbcMutableAclService to retrieve ACLs that are filtered by the SIDs. However, ACLs that are not applicable to the passed-in SIDs are returned.
I'm creating the ACL entry using the username:
public void add(Object domainObject, String username, List<Permission> permissions) {
MutableAcl acl;
ObjectIdentity oid = objectIdentityRetrievalStrategy
.getObjectIdentity(domainObject);
Sid receipient = new PrincipalSid(username);
try {
acl = (MutableAcl) aclService.readAclById(oid);
} catch (NotFoundException nfe) {
acl = aclService.createAcl(oid);
}
for(Permission permission:permissions) {
acl.insertAce(acl.getEntries().size(), permission, receipient, true);
}
aclService.updateAcl(acl);
}
And I'm retrieving ACLs via the Authentication object:
List<Sid> sids = sidRetrievalStrategy.getSids(authentication);
List<ObjectIdentity> identities = new ArrayList<>(domainObjects.size());
for (Object domainObject : domainObjects) {
identities.add(objectIdentityRetrievalStrategy.getObjectIdentity(domainObject));
}
Map<ObjectIdentity, Acl> acls = aclService.readAclsById(identities, sids);
//see what permissions the user has for these objects
for (Map.Entry<ObjectIdentity, Acl> entry : acls.entrySet()) {
Acl acl = entry.getValue();
//entries that are not applicable to the SIDs are returned
List<AccessControlEntry> entries = acl.getEntries();
}
If I log into another username and try to retrieve the ACLs via readAclsById, I also get AccessControlEntry values that belonged to the other usernames. Am I using AclService correctly?
I found the answer after some digging around the source code: the default implementation uses BasicLookupStrategy which ignores the SIDs by default.