List of usage examples for org.springframework.security.acls.model AccessControlEntry getPermission
/** Returns the permission carried by this access control entry. */
Permission getPermission();
From source file: org.collectionspace.services.authorization.spring.SpringPermissionManager.java
/** * deletePermissions deletes given permission on given object id for given sid * @param oid// w ww . ja v a 2s . c o m * @param permission * @param sid */ //non-javadoc NOTE: if sid is null it would remove ACEs for all sid(s) private void deletePermissions(ObjectIdentity oid, Permission permission, Sid sid) /** throws AclDataAccessException */ { int i = 0; MutableAcl acl = getAcl(oid); List<AccessControlEntry> acel = acl.getEntries(); int aces = acel.size(); if (log.isDebugEnabled()) { log.debug("deletePermissions: for acl oid=" + oid.toString() + " found " + aces + " aces"); } ArrayList<Integer> foundAces = new ArrayList<Integer>(); Iterator iter = acel.listIterator(); //not possible to delete while iterating while (iter.hasNext()) { AccessControlEntry ace = (AccessControlEntry) iter.next(); if (sid != null) { if (ace.getSid().equals(sid) && ace.getPermission().equals(permission)) { foundAces.add(i); } } else { if (ace.getPermission().equals(permission)) { foundAces.add(i); } } i++; } for (int j = foundAces.size() - 1; j >= 0; j--) { //the following operation does not work while iterating in the while loop acl.deleteAce(foundAces.get(j)); //autobox } provider.getProviderAclService().updateAcl(acl); if (log.isDebugEnabled()) { log.debug("deletePermissions: for acl oid=" + oid.toString() + " deleted " + i + " aces"); } }
From source file: org.jtalks.jcommune.service.security.acl.AclGroupPermissionEvaluator.java
/**
 * Checks whether {@code ace} is an entry for the given {@code sid} that carries
 * {@code permission} with the requested type of grant.
 *
 * @param sid                 sid to check the permission for
 * @param ace                 entry with security information (for sids)
 * @param permission          permission to check
 * @param isCheckAllowedGrant true to look for an 'allowed' grant, false for a 'restricted' one
 * @return {@code true} if the entry matches the grant type, the permission and the sid
 */
private boolean isGrantedForSid(Sid sid, AccessControlEntry ace, Permission permission, boolean isCheckAllowedGrant) {
    if (ace.isGranting() != isCheckAllowedGrant) {
        return false;
    }
    if (!permission.equals(ace.getPermission())) {
        return false;
    }
    // Both sids are cast to UniversalSid; any other Sid implementation fails here — confirm at the call site.
    Object requestedSidId = ((UniversalSid) sid).getSidId();
    Object entrySidId = ((UniversalSid) ace.getSid()).getSidId();
    return requestedSidId.equals(entrySidId);
}
From source file: org.jtalks.jcommune.service.security.AclGroupPermissionEvaluator.java
/**
 * Checks whether {@code ace} is an entry for the given {@code sid} that carries
 * {@code permission} with the requested type of grant.
 *
 * @param sid                 sid to check the permission for
 * @param ace                 entry with security information (for sids)
 * @param permission          permission to check
 * @param isCheckAllowedGrant true to look for an 'allowed' grant, false for a 'restricted' one
 * @return {@code true} if the entry matches the sid, the permission and the grant type
 */
private boolean isGrantedForSid(Sid sid, AccessControlEntry ace, Permission permission, boolean isCheckAllowedGrant) {
    // Both sids are cast to UniversalSid; any other Sid implementation fails here — confirm at the call site.
    Object requestedSidId = ((UniversalSid) sid).getSidId();
    Object entrySidId = ((UniversalSid) ace.getSid()).getSidId();
    boolean sameSid = requestedSidId.equals(entrySidId);
    boolean samePermission = sameSid && permission.equals(ace.getPermission());
    return samePermission && ace.isGranting() == isCheckAllowedGrant;
}
From source file: org.jtalks.jcommune.service.security.PermissionManagerTest.java
/**
 * Test fixture: for every permission in {@code permissions}, registers a random number of group
 * ACEs (10 to 29) for freshly generated groups, and stubs {@code aclUtil} so the ACL of
 * {@code entity} reports one mocked entry (for the anonymous sid) per permission. Permissions at
 * odd positions are granting, the others restricting.
 */
private void givenGroupAces(Entity entity, JtalksPermission... permissions) {
    long entityId = entity.getId();
    AuditLogger auditLogger = new ConsoleAuditLogger();
    AclAuthorizationStrategy authorizationStrategy = new org.springframework.security.acls.domain.AclAuthorizationStrategyImpl(new GrantedAuthorityImpl("some_role"));
    ObjectIdentity identity = new AclUtil(null).createIdentity(entityId, entity.getClass().getSimpleName());
    ExtendedMutableAcl aclMock = mock(ExtendedMutableAcl.class);
    List<AccessControlEntry> entries = new ArrayList<>();
    Acl acl = new AclImpl(identity, entityId + 1, authorizationStrategy, auditLogger);
    long nextGroupId = 1;
    int position = 0;
    for (JtalksPermission permission : permissions) {
        boolean granting = position % 2 == 1;
        int groupCount = RandomUtils.nextInt(20) + 10;
        for (int j = 0; j < groupCount; j++) {
            Group group = randomGroup(nextGroupId++);
            groups.add(group);
            // 'permissions' is shadowed by the varargs parameter; this is the field.
            this.permissions.add(permission);
            groupAces.add(buildGroupAce(entity, permission, granting, acl, new UserGroupSid(group.getId())));
        }
        AccessControlEntry entry = mock(AccessControlEntry.class);
        when(entry.getPermission()).thenReturn(permission);
        when(entry.getSid()).thenReturn(UserSid.createAnonymous());
        when(entry.isGranting()).thenReturn(granting);
        entries.add(entry);
        position++;
    }
    when(aclMock.getEntries()).thenReturn(entries);
    when(aclUtil.getAclFor(entity)).thenReturn(aclMock);
}
From source file: ubic.gemma.security.authorization.acl.AclAdvice.java
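/**
 * When setting the parent, we check whether the ACEs on the 'child' can be deleted, because we
 * want permissions to be managed by the parent. The child's ACEs are cleared only when they are
 * exactly equivalent to the parent's: the same number of entries, and every parent entry has a
 * child entry with the same sid, permission and granting flag.
 *
 * @param object    the securable whose ACL is being re-parented (used for logging only)
 * @param childAcl  the child's ACL; its entries are deleted in place when they match the parent
 * @param parentAcl the parent's ACL -- careful with the argument order!
 * @return true if the child's ACEs were cleared
 * @throws IllegalStateException if neither the child nor the parent has any ACEs
 */
private boolean maybeClearACEsOnChild(Securable object, MutableAcl childAcl, Acl parentAcl) {
    int childCount = childAcl.getEntries().size();
    if (childCount == 0) {
        if (parentAcl.getEntries().isEmpty()) {
            throw new IllegalStateException("Either the child or the parent has to have ACEs");
        }
        return false;
    }
    if (parentAcl.getEntries().size() != childCount) {
        return false;
    }
    // Check for an exact match of all ACEs. The granting flag is part of the comparison: a
    // restricting child entry must not be treated as equivalent to a granting parent entry with
    // the same sid and permission, otherwise clearing the child would silently widen access.
    for (AccessControlEntry parentAce : parentAcl.getEntries()) {
        if (!containsEquivalentAce(childAcl, parentAce)) {
            return false;
        }
    }
    if (log.isTraceEnabled()) {
        log.trace("Erasing ACEs from child " + object);
    }
    // deleteAce shifts the remaining entries down, so keep deleting index 0 until none are left.
    while (!childAcl.getEntries().isEmpty()) {
        childAcl.deleteAce(0);
    }
    return true;
}

/** Returns true if {@code acl} holds an entry with the same permission, sid and granting flag as {@code ace}. */
private static boolean containsEquivalentAce(MutableAcl acl, AccessControlEntry ace) {
    for (AccessControlEntry candidate : acl.getEntries()) {
        if (candidate.getPermission().equals(ace.getPermission())
                && candidate.getSid().equals(ace.getSid())
                && candidate.isGranting() == ace.isGranting()) {
            return true;
        }
    }
    return false;
}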
From source file: ubic.gemma.security.SecurityServiceImpl.java
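/**
 * Removes just one ACE that carries {@code permission} for {@code authority} on {@code object},
 * and tells the caller how many such ACEs existed so it knows how many removals remain.
 *
 * @param object     the object to remove the permissions from
 * @param permission the permission to remove
 * @param authority  e.g. "GROUP_JOESLAB"
 * @return number of matching ACEs found before the removal (0 when nothing matched)
 * @throws IllegalArgumentException if the object has no ACL
 */
private int removeOneGrantedAuthority(Securable object, Permission permission, String authority) {
    MutableAcl acl = getAcl(object);
    if (acl == null) {
        throw new IllegalArgumentException("removeOneGrantedAuthority is only valid for objects that have an ACL");
    }
    List<AccessControlEntry> entries = acl.getEntries();
    int firstMatch = -1;
    int matchCount = 0;
    for (int i = 0; i < entries.size(); i++) {
        AccessControlEntry entry = entries.get(i);
        if (!entry.getPermission().equals(permission)) {
            continue;
        }
        Sid sid = entry.getSid();
        // Only authority-based sids can match; principal sids are left untouched.
        if (sid instanceof GrantedAuthoritySid
                && ((GrantedAuthoritySid) sid).getGrantedAuthority().equals(authority)) {
            if (firstMatch < 0) {
                firstMatch = i;
            }
            matchCount++;
        }
    }
    if (matchCount == 0) {
        // this can happen commonly, no big deal.
        if (log.isDebugEnabled()) {
            log.debug("No changes, didn't remove: " + authority);
        }
        return 0;
    }
    // Remove only the first match; the caller is told how many there were and loops as needed.
    acl.deleteAce(firstMatch);
    aclService.updateAcl(acl);
    return matchCount;
}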