All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.acegisecurity.afterinvocation.BasicAclEntryAfterInvocationProvider Maven / Gradle / Ivy

There is a newer version: 1.0.7
Show newest version
/* Copyright 2004, 2005 Acegi Technology Pty Limited
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.acegisecurity.afterinvocation;

import java.util.Iterator;

import org.acegisecurity.AccessDeniedException;
import org.acegisecurity.AcegiMessageSource;
import org.acegisecurity.Authentication;
import org.acegisecurity.ConfigAttribute;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.acl.AclEntry;
import org.acegisecurity.acl.AclManager;
import org.acegisecurity.acl.basic.BasicAclEntry;
import org.acegisecurity.acl.basic.SimpleAclEntry;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.MessageSource;
import org.springframework.context.MessageSourceAware;
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.util.Assert;


/**
 * 

* Given a domain object instance returned from a secure object invocation, * ensures the principal has appropriate permission as defined by the {@link * AclManager}. *

* *

* The AclManager is used to retrieve the access control list * (ACL) permissions associated with a domain object instance for the current * Authentication object. This class is designed to process * {@link AclEntry}s that are subclasses of {@link * org.acegisecurity.acl.basic.BasicAclEntry} only. Generally these are * obtained by using the {@link org.acegisecurity.acl.basic.BasicAclProvider}. *

* *

* This after invocation provider will fire if any {@link * ConfigAttribute#getAttribute()} matches the {@link * #processConfigAttribute}. The provider will then lookup the ACLs from the * AclManager and ensure the principal is {@link * org.acegisecurity.acl.basic.BasicAclEntry#isPermitted(int)} for at least * one of the {@link #requirePermission}s. *

* *

* Often users will setup a BasicAclEntryAfterInvocationProvider * with a {@link #processConfigAttribute} of AFTER_ACL_READ and a * {@link #requirePermission} of SimpleAclEntry.READ. These are * also the defaults. *

* *

* If the principal does not have sufficient permissions, an * AccessDeniedException will be thrown. *

* *

* The AclManager is allowed to return any implementations of * AclEntry it wishes. However, this provider will only be able * to validate against BasicAclEntrys, and thus access will be * denied if no AclEntry is of type BasicAclEntry. *

* *

* If the provided returnObject is null, permission * will always be granted and null will be returned. *

* *

* All comparisons and prefixes are case sensitive. *

*/ public class BasicAclEntryAfterInvocationProvider implements AfterInvocationProvider, InitializingBean, MessageSourceAware { //~ Static fields/initializers ============================================= protected static final Log logger = LogFactory.getLog(BasicAclEntryAfterInvocationProvider.class); //~ Instance fields ======================================================== private AclManager aclManager; protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor(); private String processConfigAttribute = "AFTER_ACL_READ"; private int[] requirePermission = {SimpleAclEntry.READ}; //~ Methods ================================================================ public void afterPropertiesSet() throws Exception { Assert.notNull(processConfigAttribute, "A processConfigAttribute is mandatory"); Assert.notNull(aclManager, "An aclManager is mandatory"); Assert.notNull(messages, "A message source must be set"); if ((requirePermission == null) || (requirePermission.length == 0)) { throw new IllegalArgumentException( "One or more requirePermission entries is mandatory"); } } public Object decide(Authentication authentication, Object object, ConfigAttributeDefinition config, Object returnedObject) throws AccessDeniedException { Iterator iter = config.getConfigAttributes(); while (iter.hasNext()) { ConfigAttribute attr = (ConfigAttribute) iter.next(); if (this.supports(attr)) { // Need to make an access decision on this invocation if (returnedObject == null) { // AclManager interface contract prohibits nulls // As they have permission to null/nothing, grant access if (logger.isDebugEnabled()) { logger.debug("Return object is null, skipping"); } return null; } AclEntry[] acls = aclManager.getAcls(returnedObject, authentication); if ((acls == null) || (acls.length == 0)) { throw new AccessDeniedException(messages.getMessage( "BasicAclEntryAfterInvocationProvider.noPermission", new Object[] {authentication.getName(), returnedObject}, "Authentication {0} has NO permissions at all to the domain object {1}")); } for (int i = 0; i < acls.length; i++) { // Locate processable AclEntrys if (acls[i] instanceof BasicAclEntry) { BasicAclEntry processableAcl = (BasicAclEntry) acls[i]; // See if principal has any of the required permissions for (int y = 0; y < requirePermission.length; y++) { if (processableAcl.isPermitted(requirePermission[y])) { if (logger.isDebugEnabled()) { logger.debug( "Principal DOES have permission to return object: " + returnedObject + " due to ACL: " + processableAcl.toString()); } return returnedObject; } } } } // No permissions match throw new AccessDeniedException(messages.getMessage( "BasicAclEntryAfterInvocationProvider.insufficientPermission", new Object[] {authentication.getName(), returnedObject}, "Authentication {0} has ACL permissions to the domain object, but not the required ACL permission to the domain object {1}")); } } return returnedObject; } public AclManager getAclManager() { return aclManager; } public String getProcessConfigAttribute() { return processConfigAttribute; } public int[] getRequirePermission() { return requirePermission; } public void setAclManager(AclManager aclManager) { this.aclManager = aclManager; } public void setMessageSource(MessageSource messageSource) { this.messages = new MessageSourceAccessor(messageSource); } public void setProcessConfigAttribute(String processConfigAttribute) { this.processConfigAttribute = processConfigAttribute; } public void setRequirePermission(int[] requirePermission) { this.requirePermission = requirePermission; } public boolean supports(ConfigAttribute attribute) { if ((attribute.getAttribute() != null) && attribute.getAttribute().equals(getProcessConfigAttribute())) { return true; } else { return false; } } /** * This implementation supports any type of class, because it does not * query the presented secure object. * * @param clazz the secure object * * @return always true */ public boolean supports(Class clazz) { return true; } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy