extract permission mask comparison for subclasses to override

Author: Metavirulent

acl/src/main/java/org/springframework/security/acls/domain/DefaultPermissionGrantingStrategy.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -87,7 +87,7 @@ public boolean isGranted(Acl acl, List<Permission> permission, List<Sid> sids,
 
 				for (AccessControlEntry ace : aces) {
 
-					if ((ace.getPermission().getMask() == p.getMask())
+					if (comparePermissionMasks(ace, p)
 							&& ace.getSid().equals(sid)) {
 						// Found a matching ACE, so its authorization decision will
 						// prevail
@@ -142,4 +142,25 @@ public boolean isGranted(Acl acl, List<Permission> permission, List<Sid> sids,
 		}
 	}
 
+	/**
+	 * Compares an ACE Permission to the given Permission.
+	 * By default, we compare the Permission masks for exact match.
+	 * Subclasses of this strategy can override this behavior and implement
+	 * more sophisticated comparisons, e.g. a bitwise comparison for ACEs that grant access.
+	 * <pre>{@code
+	 * if (ace.isGranting() && p.getMask() != 0) {
+	 *    return (ace.getPermission().getMask() & p.getMask()) != 0;
+	 * } else {
+	 *    return ace.getPermission().getMask() == p.getMask();
+	 * }
+	 * }</pre>
+	 * 
+	 * @param ace the ACE from the Acl holding the mask.
+	 * @param p the Permission we are checking against.
+	 * @return true, if the respective masks are considered to be equal.
+	 */
+	protected boolean comparePermissionMasks(AccessControlEntry ace, Permission p) {
+		return ace.getPermission().getMask() == p.getMask();
+	}
+
 }