Thank you!

Thank you. To be honest I prefer simplicity and never really liked ACLs. But if you need high customization that's I think the only real choice you have with Spring Security.

Hi William. Definitely. It is even recommended. In my tutorials I avoid doing this just to focus on the Spring Security part. But in a practical scenario you should do this. Thank you for the question :)

Hi. Thanks for the question. It really depends on the case which is the best way. All your suggestion could be a good choice for registering the users depending on the scenario :)

@@laurspilca I desided to use MutableAclServie to manage permissions but, i have some strange case with mutableAclService.createAcl(oi), its adds anonymousUser in to acl_object_identity table in every case, do you have some experiance in it? maybe its not the good place to discuss it but, if you know please let me know. I have the question on stackOverflow also with name "Spring Security ACL allways sets anonymousUser as Owner "

@@DavitJibuti Hey. No, I'm not sure I simply know what the problem is here. I would have to investigate it myself. I usually debug on the framework's code when I get into such a situation.

True. But I don't think I had any intention for that post filter to show only the user's products. That post filter clearly only checks on the authority. If you want to check on the user, you can always take the principal from the security context and validate that the product belongs to that user.

Hi. filterObject is a fixed name that always represents the object inside the array or collection the method gets as a parameter.

Hi Marawan, Great question. It's actually not a problem because findAll() will only return now the allowed records. Observe that @PostFilter only filters the data, it doesn't throw any exception. For the client is completely transparent. They will see on the next page the records they have access to - if any - if not, there will be no next page. I hope this answers your question :) Thanks again!

Hi @@laurspilca, thanks for replying out, I am not taking about findall() where pagination happened at front end, I am talking about the findAll(pageabl) with the spring jpa, because let's say my page size is 50 but I am only allowed to view 10 records from the result , my endpoints will return only 10, rather than 50 what if the 50 items are not in permission? I haven't tried that , I am still new the ACL .

@@MarwanAmeen89 Ah. I think I understand your question now. It's actually about @PostFilter, not about ACL. But the rule I know is that @PostFilter can only be used on a Collection or an array. The method you refer to returns a different object which is neither Collection, nor array: Pageable. So applying @PostFilter on it will fail with an exception. But, what can you do is actually move the @PostFilter one more layer to the left, in the service. And then you can filter on the collection returned by the getContent() method of the Pageable object.

@@MarwanAmeen89 Hello again. I have tried to share my opinion with this video. I hope it helps :)_ kzbin.info/www/bejne/q5SWlYqkf7h_Y5o

Not really. I personally avoid it.

so what are the alternates. I have a requirement for it

@@syednoorullahshah9194 It depends on the requirement. I can't tell you what the best solution is for a problem whose statement I don't know.

Maybe a bit too late, but try to keep GlobalMethodSecurityConfiguration in seperate configuration file and keep acl related configurations in another file

Hello. I'll create later a lesson in the Spring Security stream about global method security. I hope that one will clarify for you how these annotations work. Stay tuned.

@@laurspilca okay