Description
Kenan Sevindik (Migrated from SEC-2816) said:
ObjectIdentityGenerator and ObjectIdentityRetrievalStrategy interfaces are provided to create ObjectIdentity instances and their default implementation ObjectIdentityRetrievalStrategyImpl is used by AclPermissionEvaluator during permission check. However, BasicLookupStrategy and JdbcAclService classes don't use those interfaces to create ObjectIdentity instances, instead they directly instantiate from ObjectIdentityImpl.
Hence, when we create a custom ObjectIdentityGenerator and ObjectIdentityRetrievalStrategy implementation in which we create ObjectIdentity instances from our custom ObjectIdentity implementation class and configure AclPermissionEvaluator with it, our permission checks fail because of ObjectIdentity instances created from different types, as Acl entries of a domain object are cached with ObjectIdentity as cache entry key, and they cannot be found because of different ObjectIdentity implementation classes.
IMO, it would be better to make BasicLookupStrategy and JdbcAclService classes depend on ObjectIdentityCreator and ObjectIdentityRetrievalStrategy interfaces to create ObjectIdentity instances instead of directly creating by calling new ObjectIdentityImpl(..).