How do I get a list of domain objects a user has permissions for with Spring Security ACLs?

Question

I'm just starting to use Spring Security ACL. I want to obtain a list of domain objects that a user has (any) permissions for.

For example, the system has 1000s of 'buildings', a user may have access to any number of these buildings. When the user logs in I want to present them with a list of the building they have permissions for.

Something along the lines of myAclService.getObjectsForUser('[email protected]', Building.class)

I'm starting to think that ACLs don't work in that direction, but it must be a common challenge so there must at least be a pattern for how to achieve this alongside ACL without duplicating data.

Any thoughts welcome, thanks!

Answer 1

I believe you are right that what's provided in Spring Security re. ACL is more from the object perspective than from the subject (principal) perspective.

You can check the SQL code of all AclServices from Spring Security, specifically JdbcAclService and JdbcMutableAclService.