diff --git a/acl/src/main/java/org/springframework/security/acls/domain/DefaultPermissionGrantingStrategy.java b/acl/src/main/java/org/springframework/security/acls/domain/DefaultPermissionGrantingStrategy.java
index 65d63a4c33..642dd04ebc 100644
--- a/acl/src/main/java/org/springframework/security/acls/domain/DefaultPermissionGrantingStrategy.java
+++ b/acl/src/main/java/org/springframework/security/acls/domain/DefaultPermissionGrantingStrategy.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -87,7 +87,7 @@ public class DefaultPermissionGrantingStrategy implements PermissionGrantingStra
 for (AccessControlEntry ace : aces) {
- if ((ace.getPermission().getMask() == p.getMask())
+ if (comparePermissionMasks(ace, p)
 && ace.getSid().equals(sid)) {
 // Found a matching ACE, so its authorization decision will
 // prevail
@@ -142,4 +142,25 @@ public class DefaultPermissionGrantingStrategy implements PermissionGrantingStra
 }
 }
+ /**
+ * Compares an ACE Permission to the given Permission.
+ * By default, we compare the Permission masks for exact match.
+ * Subclasses of this strategy can override this behavior and implement
+ * more sophisticated comparisons, e.g. a bitwise comparison for ACEs that grant access.
+ *
{@code
+ * if (ace.isGranting() && p.getMask() != 0) {
+ * return (ace.getPermission().getMask() & p.getMask()) != 0;
+ * } else {
+ * return ace.getPermission().getMask() == p.getMask();
+ * }
+ * }
+ *
+ * @param ace the ACE from the Acl holding the mask.
+ * @param p the Permission we are checking against.
+ * @return true, if the respective masks are considered to be equal.
+ */
+ protected boolean comparePermissionMasks(AccessControlEntry ace, Permission p) {
+ return ace.getPermission().getMask() == p.getMask();
+ }
+
}
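Review bot: The Javadoc sample for `comparePermissionMasks` treats a granting ACE as a match when any bit overlaps (`(ace.getPermission().getMask() & p.getMask()) != 0`), so a subclass that copies it would let an ACE granting a single bit satisfy a request whose mask combines several permissions. For an authorization decision the safer sample is containment, `return (ace.getPermission().getMask() & p.getMask()) == p.getMask();`. The sample also keeps exact matching for non-granting ACEs, so a deny entry with a combined mask would not match a single-permission request while a grant entry would. Because the caller in the -87 hunk lets the first matching ACE prevail, the Javadoc should tell overriders to account for deny entries and ACE ordering. The `@return` line could read `true if the ACE's permission is considered to match p`, since an override need not test equality.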