org.acegisecurity.acl.basic.GrantedAuthorityEffectiveAclsResolver Maven / Gradle / Ivy
/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.acegisecurity.acl.basic;
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.acl.AclEntry;
import org.acegisecurity.userdetails.UserDetails;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import java.util.List;
import java.util.Vector;
/**
* Simple implementation of {@link EffectiveAclsResolver}.This implementation does not need to understand the
* "recipient" types presented in a BasicAclEntry
because it merely delegates to the detected {@link
* Authentication#getPrincipal()} or {@link Authentication#getAuthorities()}. The principal object or granted
* authorities object has its Object.equals(recipient)
method called to make the decision as to whether
* the recipient in the BasicAclEntry
is the same as the principal or granted authority.
* This class should prove an adequate ACLs resolver if you're using standard Acegi Security classes. This is
* because the typical Authentication
token is UsernamePasswordAuthenticationToken
, which
* for its principal
is usually a String
. The GrantedAuthorityImpl
is typically
* used for granted authorities, which tests for equality based on a String
. This means
* BasicAclDao
s simply need to return a String
to represent the recipient. If you use
* non-String
objects, you will probably require an alternative EffectiveAclsResolver
.
*
* @author Ben Alex
* @version $Id: GrantedAuthorityEffectiveAclsResolver.java 1496 2006-05-23 13:38:33Z benalex $
*/
public class GrantedAuthorityEffectiveAclsResolver implements EffectiveAclsResolver {
//~ Static fields/initializers =====================================================================================
private static final Log logger = LogFactory.getLog(GrantedAuthorityEffectiveAclsResolver.class);
//~ Methods ========================================================================================================
public AclEntry[] resolveEffectiveAcls(AclEntry[] allAcls, Authentication filteredBy) {
if ((allAcls == null) || (allAcls.length == 0)) {
return null;
}
List list = new Vector();
if (logger.isDebugEnabled()) {
logger.debug("Locating AclEntry[]s (from set of " + ((allAcls == null) ? 0 : allAcls.length)
+ ") that apply to Authentication: " + filteredBy);
}
for (int i = 0; i < allAcls.length; i++) {
if (!(allAcls[i] instanceof BasicAclEntry)) {
continue;
}
Object recipient = ((BasicAclEntry) allAcls[i]).getRecipient();
// Allow the Authentication's getPrincipal to decide whether
// the presented recipient is "equal" (allows BasicAclDaos to
// return Strings rather than proper objects in simple cases)
if (filteredBy.getPrincipal().equals(recipient)) {
if (logger.isDebugEnabled()) {
logger.debug("Principal matches AclEntry recipient: " + recipient);
}
list.add(allAcls[i]);
} else if (filteredBy.getPrincipal() instanceof UserDetails
&& ((UserDetails) filteredBy.getPrincipal()).getUsername().equals(recipient)) {
if (logger.isDebugEnabled()) {
logger.debug("Principal (from UserDetails) matches AclEntry recipient: " + recipient);
}
list.add(allAcls[i]);
} else {
// No direct match against principal; try each authority.
// As with the principal, allow each of the Authentication's
// granted authorities to decide whether the presented
// recipient is "equal"
GrantedAuthority[] authorities = filteredBy.getAuthorities();
if ((authorities == null) || (authorities.length == 0)) {
if (logger.isDebugEnabled()) {
logger.debug(
"Did not match principal and there are no granted authorities, so cannot compare with recipient: "
+ recipient);
}
continue;
}
for (int k = 0; k < authorities.length; k++) {
if (authorities[k].equals(recipient)) {
if (logger.isDebugEnabled()) {
logger.debug("GrantedAuthority: " + authorities[k] + " matches recipient: " + recipient);
}
list.add(allAcls[i]);
}
}
}
}
// return null if appropriate (as per interface contract)
if (list.size() > 0) {
if (logger.isDebugEnabled()) {
logger.debug("Returning effective AclEntry array with " + list.size() + " elements");
}
return (BasicAclEntry[]) list.toArray(new BasicAclEntry[] {});
} else {
if (logger.isDebugEnabled()) {
logger.debug("Returning null AclEntry array as zero effective AclEntrys found");
}
return null;
}
}
}