Spring Security获取某个用户能ACL操作的对象ID

Spring Security里只找到了检查某个用户能否操作某个对象的方法，如hasPermission
没找到获取用户能够对某类对象进行ACL操作的ID列表的方法

时间紧，只好自己用sql从ACL表里查了

select distinct a.object_id_identity from acl_object_identity a 
inner join acl_entry b on a.id=b.acl_object_identity 
--检查ACL权限MASK
and b.mask in (:mask) 
--检查className
and a.object_id_class=(select ID as class_id from acl_class where class=:className)
inner join acl_sid c on b.sid=c.id
and 
--用户权限或者角色权限都可以
((c.principal=1 and c.sid=:username) or (c.principal=0 and c.sid in :roles))

:mask见BasePermission.xxx.getMask()
:roles可以从session里取

Collection<GrantedAuthority> authorities=SecurityContextHolder.getContext().getAuthentication().getAuthorities()

其实在我的项目里role被扩展为permission了
SpringSecurity里的User/Role两层结构肯定是不够用的