I am trying to enforce a new app with Spring Security ACL and after some reading I have a problem with permissions for every ACE. I was expecting that if a principal has the administration permission (16) over a domain object instance, they would be able to access a method with this annotation:
```java
@Override
@PostFilter("hasPermission(filterObject, 'READ')")
public List<Project> findAllProjects() {
    TypedQuery<Project> tq = em.createNamedQuery("Project:findAll", Project.class);
    List<Project> projects = tq.getResultList();
    return projects;
}
```
but with

```java
@PostFilter("hasPermission(filterObject, 'ADMINISTRATION') OR hasPermission(filterObject, 'READ')")
```

it seems to work.
So, my question is: aren't these permissions hierarchical?
I mean, why do I have to explicitly specify the admin permission on a method that requires the read permission? Isn't admin "bigger" than read?
I was thinking that if I grant a user the admin permission, the user would be able to access all the methods/objects protected with "lower" operations (C, R, U, D) than admin.
Short answer: No, permissions are not hierarchical out of the box.
If you want them to be hierarchical, you need to make a custom implementation of PermissionEvaluator or similar.
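One way to build the custom `PermissionEvaluator` the answer suggests, as an added example that is not part of the question or the answer: wrap Spring Security's own `AclPermissionEvaluator` and, before delegating, expand the requested permission into every permission whose grant should satisfy it. `AclPermissionEvaluator` accepts a `Permission[]`, and the default `PermissionGrantingStrategy` treats that array as "any of these", so a single ACE carrying `ADMINISTRATION` (mask 16) then satisfies `hasPermission(filterObject, 'READ')` without the ACL tables or the annotations changing. The implication table (ADMINISTRATION implies everything, WRITE implies READ) and the class name `HierarchicalAclPermissionEvaluator` are assumptions chosen for this example; adjust the table to the policy the application actually wants.

```java
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.acls.AclPermissionEvaluator;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.DefaultPermissionFactory;
import org.springframework.security.acls.model.AclService;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.core.Authentication;

/**
 * PermissionEvaluator that makes ACL permissions hierarchical (example code,
 * not part of Spring Security). A request for a "lower" permission is
 * rewritten into the set of permissions that imply it and handed to the
 * stock AclPermissionEvaluator, whose ACL lookup succeeds if any one of them
 * is granted to one of the caller's SIDs.
 */
public class HierarchicalAclPermissionEvaluator implements PermissionEvaluator {

    private final AclPermissionEvaluator delegate;
    private final DefaultPermissionFactory permissionFactory = new DefaultPermissionFactory();

    /** requested permission mask -> every permission whose grant satisfies that request (assumed policy). */
    private static final Map<Integer, Permission[]> IMPLIED_BY = new HashMap<>();

    static {
        IMPLIED_BY.put(BasePermission.READ.getMask(),
                new Permission[] { BasePermission.READ, BasePermission.WRITE, BasePermission.ADMINISTRATION });
        IMPLIED_BY.put(BasePermission.WRITE.getMask(),
                new Permission[] { BasePermission.WRITE, BasePermission.ADMINISTRATION });
        IMPLIED_BY.put(BasePermission.CREATE.getMask(),
                new Permission[] { BasePermission.CREATE, BasePermission.ADMINISTRATION });
        IMPLIED_BY.put(BasePermission.DELETE.getMask(),
                new Permission[] { BasePermission.DELETE, BasePermission.ADMINISTRATION });
        // ADMINISTRATION is the top of the hierarchy: only an explicit grant satisfies it.
        IMPLIED_BY.put(BasePermission.ADMINISTRATION.getMask(),
                new Permission[] { BasePermission.ADMINISTRATION });
    }

    public HierarchicalAclPermissionEvaluator(AclService aclService) {
        this.delegate = new AclPermissionEvaluator(aclService);
    }

    /** Used by hasPermission(filterObject, 'READ') in @PostFilter / @PreAuthorize. */
    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        return delegate.hasPermission(authentication, targetDomainObject, expand(permission));
    }

    /** Used by hasPermission(#id, 'com.example.Project', 'READ'). */
    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType,
            Object permission) {
        return delegate.hasPermission(authentication, targetId, targetType, expand(permission));
    }

    /**
     * Accepts the same permission forms the stock evaluator does (a Permission,
     * an int mask, or a name such as 'READ') and returns every permission whose
     * grant should satisfy the request. Unknown or custom permissions fall back
     * to the default exact-mask behaviour rather than being silently widened.
     */
    private Permission[] expand(Object requested) {
        Permission base;
        if (requested instanceof Permission) {
            base = (Permission) requested;
        } else if (requested instanceof Integer) {
            base = permissionFactory.buildFromMask((Integer) requested);
        } else if (requested instanceof String) {
            base = permissionFactory.buildFromName(((String) requested).toUpperCase());
        } else {
            throw new IllegalArgumentException("Unsupported permission: " + requested);
        }
        Permission[] satisfying = IMPLIED_BY.get(base.getMask());
        return satisfying != null ? satisfying : new Permission[] { base };
    }
}
```

Register it the same way the stock evaluator is registered: create a `DefaultMethodSecurityExpressionHandler`, call `setPermissionEvaluator(new HierarchicalAclPermissionEvaluator(aclService))`, and expose that handler to method security (for example by overriding `createExpressionHandler()` in a `GlobalMethodSecurityConfiguration` subclass on Spring Security 5). With the evaluator in place, the original `@PostFilter("hasPermission(filterObject, 'READ')")` passes for a principal whose only ACE on the project is `ADMINISTRATION`. Note that a denying ACE is still honoured per permission: the expanded array only adds extra ways to be granted, it does not turn a deny into an allow, and permissions not listed in the table keep the exact-mask semantics the answer describes.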