How can I paginate with Spring Security, Hibernate and row level ACL

Question

I'm reading about Spring Security and wonder whether it's possible to use Spring ACL together with hibernate and pagination. The resulting SQL is surely scary but possible to be auto-generated. It's even possible to use hierarchical ACL if the database supports recursive query evaluation.

Using a post filter is no solution since it breaks pagination and is an unnecessary overhead compared to ACL filtering inside the database.

So I actually have the pieces to build a solution. I want to know whether somebody has already done it.

Links:

• Similar question from 2012 without response
• link list about this question

Answer 1

Yes there are solutions to your challenge. The field is called dynamic data masking and dynamic data filtering.

The idea is that you will have a proxy sit between your application and database. The proxy will apply the filtering such that only relevant authorized data is returned to the app hence keeping pagination intact.

Have a look at:

• GreenSQL
• Axiomatics Data Access Filter MD (demo)

Answer 2

The way I dealing with this is first by getting a list of IDs my user has access to with the solution I gave here.

I then uses this list of IDs to do a query IN with that list.