List of usage examples for org.springframework.security.acls.model Acl getOwner
Sid getOwner();
From source file:sample.contact.web.admin.MenuAdminController.java
@RequestMapping("/admin/menu.html") public ModelAndView menu(@RequestParam("menu") Long id) { Map<String, Object> model = new HashMap<String, Object>(); model.put("menu", id); ObjectIdentity identity = new ObjectIdentityImpl(Menu.class.getCanonicalName(), id); Acl acl = aclService.readAclById(identity); model.put("owner", acl.getOwner()); model.put("entries", acl.getEntries()); return new ModelAndView("admin/menu.html", model); }
From source file:com.cedac.security.acls.mongo.MongoAclServiceTests.java
@Test public void readAclById_withParentAcl_shouldLoadTheAcls() { Acl acl = fixture .readAclById(new ObjectIdentityImpl("com.cedac.smartresidence.profile.domain.Room", "1.1")); assertNotNull(acl);/* ww w . j a v a 2s . c o m*/ assertEquals("com.cedac.smartresidence.profile.domain.Room", acl.getObjectIdentity().getType()); assertEquals("1.1", acl.getObjectIdentity().getIdentifier()); assertNotNull(acl.getParentAcl()); assertEquals(new PrincipalSid("admin@cedac.com"), acl.getOwner()); assertEquals(true, acl.isEntriesInheriting()); assertEquals(0, acl.getEntries().size()); assertEquals("com.cedac.smartresidence.profile.domain.Home", acl.getParentAcl().getObjectIdentity().getType()); assertEquals("1", acl.getParentAcl().getObjectIdentity().getIdentifier()); assertNull(acl.getParentAcl().getParentAcl()); assertEquals(new PrincipalSid("admin@cedac.com"), acl.getParentAcl().getOwner()); assertEquals(true, acl.getParentAcl().isEntriesInheriting()); assertEquals(6, acl.getParentAcl().getEntries().size()); }
From source file:com.cedac.security.acls.mongo.MongoAclServiceTests.java
@Test public void readAclById_shouldLoadTheAcl() { Acl acl = fixture.readAclById(new ObjectIdentityImpl("com.cedac.smartresidence.profile.domain.Home", "1")); assertNotNull(acl);/*w w w.j a va 2 s . co m*/ assertEquals("com.cedac.smartresidence.profile.domain.Home", acl.getObjectIdentity().getType()); assertEquals("1", acl.getObjectIdentity().getIdentifier()); assertNull(acl.getParentAcl()); assertEquals(new PrincipalSid("admin@cedac.com"), acl.getOwner()); assertEquals(true, acl.isEntriesInheriting()); assertEquals(6, acl.getEntries().size()); assertEquals(0, acl.getEntries().get(0).getId()); assertEquals(new GrantedAuthoritySid("ROLE_ADMIN"), acl.getEntries().get(0).getSid()); assertEquals(BasePermission.READ, acl.getEntries().get(0).getPermission()); assertEquals(true, acl.getEntries().get(0).isGranting()); assertSame(acl, acl.getEntries().get(0).getAcl()); assertEquals(false, AuditableAccessControlEntry.class.cast(acl.getEntries().get(0)).isAuditSuccess()); assertEquals(true, AuditableAccessControlEntry.class.cast(acl.getEntries().get(0)).isAuditFailure()); assertEquals(1, acl.getEntries().get(1).getId()); assertEquals(new GrantedAuthoritySid("ROLE_ADMIN"), acl.getEntries().get(1).getSid()); assertEquals(BasePermission.WRITE, acl.getEntries().get(1).getPermission()); assertEquals(true, acl.getEntries().get(1).isGranting()); assertSame(acl, acl.getEntries().get(1).getAcl()); assertEquals(false, AuditableAccessControlEntry.class.cast(acl.getEntries().get(1)).isAuditSuccess()); assertEquals(true, AuditableAccessControlEntry.class.cast(acl.getEntries().get(1)).isAuditFailure()); assertEquals(2, acl.getEntries().get(2).getId()); assertEquals(new GrantedAuthoritySid("ROLE_ADMIN"), acl.getEntries().get(2).getSid()); assertEquals(BasePermission.ADMINISTRATION, acl.getEntries().get(2).getPermission()); assertEquals(true, acl.getEntries().get(2).isGranting()); assertSame(acl, acl.getEntries().get(2).getAcl()); assertEquals(false, AuditableAccessControlEntry.class.cast(acl.getEntries().get(2)).isAuditSuccess()); assertEquals(true, AuditableAccessControlEntry.class.cast(acl.getEntries().get(2)).isAuditFailure()); assertEquals(3, acl.getEntries().get(3).getId()); assertEquals(new PrincipalSid("mauro.franceschini@cedac.com"), acl.getEntries().get(3).getSid()); assertEquals(BasePermission.READ, acl.getEntries().get(3).getPermission()); assertEquals(true, acl.getEntries().get(3).isGranting()); assertSame(acl, acl.getEntries().get(3).getAcl()); assertEquals(false, AuditableAccessControlEntry.class.cast(acl.getEntries().get(3)).isAuditSuccess()); assertEquals(true, AuditableAccessControlEntry.class.cast(acl.getEntries().get(3)).isAuditFailure()); assertEquals(4, acl.getEntries().get(4).getId()); assertEquals(new PrincipalSid("mauro.franceschini@cedac.com"), acl.getEntries().get(4).getSid()); assertEquals(BasePermission.WRITE, acl.getEntries().get(4).getPermission()); assertEquals(true, acl.getEntries().get(4).isGranting()); assertSame(acl, acl.getEntries().get(4).getAcl()); assertEquals(false, AuditableAccessControlEntry.class.cast(acl.getEntries().get(4)).isAuditSuccess()); assertEquals(true, AuditableAccessControlEntry.class.cast(acl.getEntries().get(4)).isAuditFailure()); assertEquals(5, acl.getEntries().get(5).getId()); assertEquals(new PrincipalSid("other@cedac.com"), acl.getEntries().get(5).getSid()); assertEquals(BasePermission.READ, acl.getEntries().get(5).getPermission()); assertEquals(true, acl.getEntries().get(5).isGranting()); assertSame(acl, acl.getEntries().get(5).getAcl()); assertEquals(false, AuditableAccessControlEntry.class.cast(acl.getEntries().get(5)).isAuditSuccess()); assertEquals(true, AuditableAccessControlEntry.class.cast(acl.getEntries().get(5)).isAuditFailure()); }
From source file:com.cedac.security.acls.mongo.MongoAclServiceTests.java
@Test public void readAclById_withDoubleParentAcl_shouldLoadTheAcls() { Acl acl = fixture .readAclById(new ObjectIdentityImpl("com.cedac.smartresidence.profile.domain.Device", "1.1.1")); assertNotNull(acl);/*from ww w . j a va 2 s .c o m*/ assertEquals("com.cedac.smartresidence.profile.domain.Device", acl.getObjectIdentity().getType()); assertEquals("1.1.1", acl.getObjectIdentity().getIdentifier()); assertNotNull(acl.getParentAcl()); assertEquals(new PrincipalSid("admin@cedac.com"), acl.getOwner()); assertEquals(true, acl.isEntriesInheriting()); assertEquals(0, acl.getEntries().size()); assertEquals("com.cedac.smartresidence.profile.domain.Room", acl.getParentAcl().getObjectIdentity().getType()); assertEquals("1.1", acl.getParentAcl().getObjectIdentity().getIdentifier()); assertNotNull(acl.getParentAcl().getParentAcl()); assertEquals(new PrincipalSid("admin@cedac.com"), acl.getParentAcl().getOwner()); assertEquals(true, acl.getParentAcl().isEntriesInheriting()); assertEquals(0, acl.getParentAcl().getEntries().size()); assertEquals("com.cedac.smartresidence.profile.domain.Home", acl.getParentAcl().getParentAcl().getObjectIdentity().getType()); assertEquals("1", acl.getParentAcl().getParentAcl().getObjectIdentity().getIdentifier()); assertNull(acl.getParentAcl().getParentAcl().getParentAcl()); assertEquals(new PrincipalSid("admin@cedac.com"), acl.getParentAcl().getParentAcl().getOwner()); assertEquals(true, acl.getParentAcl().getParentAcl().isEntriesInheriting()); assertEquals(6, acl.getParentAcl().getParentAcl().getEntries().size()); }
From source file:com.cedac.security.acls.mongo.MongoAclServiceTests.java
@Test public void readAclById_withSid_shouldLoadTheAcl() { Acl acl = fixture.readAclById(new ObjectIdentityImpl("com.cedac.smartresidence.profile.domain.Home", "1"), Arrays.asList(new GrantedAuthoritySid("ROLE_ADMIN"), new PrincipalSid("other@cedac.com"))); assertNotNull(acl);/* ww w . ja va 2 s.c o m*/ assertEquals("com.cedac.smartresidence.profile.domain.Home", acl.getObjectIdentity().getType()); assertEquals("1", acl.getObjectIdentity().getIdentifier()); assertNull(acl.getParentAcl()); assertEquals(new PrincipalSid("admin@cedac.com"), acl.getOwner()); assertEquals(true, acl.isEntriesInheriting()); assertEquals(6, acl.getEntries().size()); assertEquals(true, acl.isSidLoaded( Arrays.asList(new GrantedAuthoritySid("ROLE_ADMIN"), new PrincipalSid("other@cedac.com")))); assertEquals(0, acl.getEntries().get(0).getId()); assertEquals(new GrantedAuthoritySid("ROLE_ADMIN"), acl.getEntries().get(0).getSid()); assertEquals(BasePermission.READ, acl.getEntries().get(0).getPermission()); assertEquals(true, acl.getEntries().get(0).isGranting()); assertSame(acl, acl.getEntries().get(0).getAcl()); assertEquals(false, AuditableAccessControlEntry.class.cast(acl.getEntries().get(0)).isAuditSuccess()); assertEquals(true, AuditableAccessControlEntry.class.cast(acl.getEntries().get(0)).isAuditFailure()); assertEquals(1, acl.getEntries().get(1).getId()); assertEquals(new GrantedAuthoritySid("ROLE_ADMIN"), acl.getEntries().get(1).getSid()); assertEquals(BasePermission.WRITE, acl.getEntries().get(1).getPermission()); assertEquals(true, acl.getEntries().get(1).isGranting()); assertSame(acl, acl.getEntries().get(1).getAcl()); assertEquals(false, AuditableAccessControlEntry.class.cast(acl.getEntries().get(1)).isAuditSuccess()); assertEquals(true, AuditableAccessControlEntry.class.cast(acl.getEntries().get(1)).isAuditFailure()); assertEquals(2, acl.getEntries().get(2).getId()); assertEquals(new GrantedAuthoritySid("ROLE_ADMIN"), acl.getEntries().get(2).getSid()); assertEquals(BasePermission.ADMINISTRATION, acl.getEntries().get(2).getPermission()); assertEquals(true, acl.getEntries().get(2).isGranting()); assertSame(acl, acl.getEntries().get(2).getAcl()); assertEquals(false, AuditableAccessControlEntry.class.cast(acl.getEntries().get(2)).isAuditSuccess()); assertEquals(true, AuditableAccessControlEntry.class.cast(acl.getEntries().get(2)).isAuditFailure()); assertEquals(3, acl.getEntries().get(3).getId()); assertEquals(new PrincipalSid("mauro.franceschini@cedac.com"), acl.getEntries().get(3).getSid()); assertEquals(BasePermission.READ, acl.getEntries().get(3).getPermission()); assertEquals(true, acl.getEntries().get(3).isGranting()); assertSame(acl, acl.getEntries().get(3).getAcl()); assertEquals(false, AuditableAccessControlEntry.class.cast(acl.getEntries().get(3)).isAuditSuccess()); assertEquals(true, AuditableAccessControlEntry.class.cast(acl.getEntries().get(3)).isAuditFailure()); assertEquals(4, acl.getEntries().get(4).getId()); assertEquals(new PrincipalSid("mauro.franceschini@cedac.com"), acl.getEntries().get(4).getSid()); assertEquals(BasePermission.WRITE, acl.getEntries().get(4).getPermission()); assertEquals(true, acl.getEntries().get(4).isGranting()); assertSame(acl, acl.getEntries().get(4).getAcl()); assertEquals(false, AuditableAccessControlEntry.class.cast(acl.getEntries().get(4)).isAuditSuccess()); assertEquals(true, AuditableAccessControlEntry.class.cast(acl.getEntries().get(4)).isAuditFailure()); assertEquals(5, acl.getEntries().get(5).getId()); assertEquals(new PrincipalSid("other@cedac.com"), acl.getEntries().get(5).getSid()); assertEquals(BasePermission.READ, acl.getEntries().get(5).getPermission()); assertEquals(true, acl.getEntries().get(5).isGranting()); assertSame(acl, acl.getEntries().get(5).getAcl()); assertEquals(false, AuditableAccessControlEntry.class.cast(acl.getEntries().get(5)).isAuditSuccess()); assertEquals(true, AuditableAccessControlEntry.class.cast(acl.getEntries().get(5)).isAuditFailure()); }
From source file:ubic.gemma.core.security.authorization.acl.AclAdvice.java
@Override protected void createOrUpdateAclSpecialCases(MutableAcl acl, Acl parentAcl, Sid sid, Securable object) { // Treating Analyses as special case. It'll inherit ACL from ExpressionExperiment // If aclParent is passed to this method we overwrite it. if (SingleExperimentAnalysis.class.isAssignableFrom(object.getClass())) { SingleExperimentAnalysis experimentAnalysis = (SingleExperimentAnalysis) object; BioAssaySet bioAssaySet = experimentAnalysis.getExperimentAnalyzed(); ObjectIdentity oi_temp = this.makeObjectIdentity(bioAssaySet); parentAcl = this.getAclService().readAclById(oi_temp); if (parentAcl == null) { // This is possible if making an EESubSet is part of the transaction. parentAcl = this.getAclService().createAcl(oi_temp); }/* ww w. j a va 2 s .c om*/ acl.setEntriesInheriting(true); acl.setParent(parentAcl); //noinspection UnusedAssignment //Owner of the experiment owns analyses even if administrator ran them. sid = parentAcl.getOwner(); } }
From source file:ubic.gemma.security.authorization.acl.AclAdvice.java
/** * Creates the acl_permission object and the acl_object_identity object. * /*from w ww .j a va 2 s . co m*/ * @param object The domain object. * @return true if an ACL was created, false otherwise. */ private AuditableAcl addOrUpdateAcl(Securable object, Acl parentAcl) { if (object.getId() == null) { log.warn("ACLs cannot be added or updated on non-persistent object: " + object); return null; } ObjectIdentity oi = makeObjectIdentity(object); AuditableAcl acl = null; boolean exists = false; try { acl = (AuditableAcl) aclService.readAclById(oi); // throws exception if not found exists = true; } catch (NotFoundException nfe) { acl = (AuditableAcl) aclService.createAcl(oi); } if (exists) { /* * Could be findOrCreate, or could be a second pass that will let us fill in parent ACLs for associated * objects missed earlier in a persist cycle. E.g. BioMaterial */ try { maybeSetParentACL(object, acl, parentAcl); return acl; } catch (NotFoundException nfe) { log.error(nfe, nfe); } } Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); if (authentication == null) { throw new IllegalStateException("No authentication found in the security context"); } Object p = authentication.getPrincipal(); if (p == null) { throw new IllegalStateException("Principal was null for " + authentication); } Sid sid = new PrincipalSid(p.toString()); boolean isAdmin = SecurityServiceImpl.isUserAdmin(); boolean isRunningAsAdmin = SecurityServiceImpl.isRunningAsAdmin(); boolean isAnonymous = SecurityServiceImpl.isUserAnonymous(); boolean objectIsAUser = User.class.isAssignableFrom(object.getClass()); boolean objectIsAGroup = UserGroup.class.isAssignableFrom(object.getClass()); /* * The only case where we absolutely disallow inheritance is for SecuredNotChild. */ boolean inheritFromParent = parentAcl != null && !SecuredNotChild.class.isAssignableFrom(object.getClass()); boolean missingParent = parentAcl == null & SecuredChild.class.isAssignableFrom(object.getClass()); if (missingParent) { // This easily happens, it's not a problem as we go back through to recheck objects. log.debug("Object should have a parent during ACL setup: " + object); } acl.setEntriesInheriting(inheritFromParent); /* * The logic here is: if we're supposed to inherit from the parent, but none is provided (can easily happen), we * have to put in ACEs. Same goes if we're not supposed to inherit. Objects which are not supposed to have their * own ACLs (SecurableChild) */ if (!inheritFromParent || parentAcl == null) { /* * All objects must have administration permissions on them. */ if (log.isDebugEnabled()) log.debug("Making administratable by GROUP_ADMIN: " + oi); grant(acl, BasePermission.ADMINISTRATION, new GrantedAuthoritySid(new GrantedAuthorityImpl(AuthorityConstants.ADMIN_GROUP_AUTHORITY))); /* * Let agent read anything */ if (log.isDebugEnabled()) log.debug("Making readable by GROUP_AGENT: " + oi); grant(acl, BasePermission.READ, new GrantedAuthoritySid(new GrantedAuthorityImpl(AuthorityConstants.AGENT_GROUP_AUTHORITY))); /* * If admin, and the object is not a user or group, make it readable by anonymous. */ boolean makeAnonymousReadable = isAdmin && !objectIsAUser && !objectIsAGroup; if (makeAnonymousReadable) { if (log.isDebugEnabled()) log.debug("Making readable by IS_AUTHENTICATED_ANONYMOUSLY: " + oi); grant(acl, BasePermission.READ, new GrantedAuthoritySid( new GrantedAuthorityImpl(AuthorityConstants.IS_AUTHENTICATED_ANONYMOUSLY))); } /* * Don't add more permissions for the administrator. But whatever it is, the person who created it can * read/write it. User will only be anonymous if they are registering (AFAIK) */ if (!isAdmin && !isAnonymous) { if (log.isDebugEnabled()) log.debug("Giving read/write permissions on " + oi + " to " + sid); grant(acl, BasePermission.READ, sid); /* * User who created something can edit it. */ grant(acl, BasePermission.WRITE, sid); } } /* * If the object is a user, make sure that user gets permissions even if the current user is not the same! In * fact, user creation runs with GROUP_RUN_AS_ADMIN privileges. */ if (objectIsAUser) { User u = (User) object; if (((PrincipalSid) sid).getPrincipal().equals(u.getUserName())) { /* * This case should actually never happen. "we" are the user who is creating this user. We've already * adding the READ/WRITE permissions above. */ log.warn("Somehow...a user created themselves: " + oi); } else { if (log.isDebugEnabled()) log.debug("New User: given read/write permissions on " + oi + " to " + sid); if (isRunningAsAdmin) { /* * Important: we expect this to normally be the case. */ sid = new PrincipalSid(u.getUserName()); } /* * See org.springframework.security.acls.domain.AclAuthorizationStrategy. */ grant(acl, BasePermission.READ, sid); grant(acl, BasePermission.WRITE, sid); } } // Treating Analyses as special case. It'll inherit ACL from ExpressionExperiment // If aclParent is passed to this method we overwrite it. if (SingleExperimentAnalysis.class.isAssignableFrom(object.getClass())) { SingleExperimentAnalysis experimentAnalysis = (SingleExperimentAnalysis) object; BioAssaySet bioAssaySet = experimentAnalysis.getExperimentAnalyzed(); ObjectIdentity oi_temp = makeObjectIdentity(bioAssaySet); try { parentAcl = aclService.readAclById(oi_temp); } catch (NotFoundException nfe) { // This is possible if making an EESubSet is part of the transaction. parentAcl = aclService.createAcl(oi_temp); } acl.setEntriesInheriting(true); acl.setParent(parentAcl); // Owner of the experiment owns analyses even if administrator ran them. sid = parentAcl.getOwner(); } acl.setOwner(sid); // this might be the 'user' now. assert !acl.equals(parentAcl); if (parentAcl != null && inheritFromParent) { if (log.isTraceEnabled()) log.trace("Setting parent to: " + parentAcl + " <--- " + acl); acl.setParent(parentAcl); } return (AuditableAcl) aclService.updateAcl(acl); }
From source file:ubic.gemma.security.SecurityServiceImpl.java
@Override public Map<Securable, Boolean> areOwnedByCurrentUser(Collection<? extends Securable> securables) { Map<Securable, Boolean> result = new HashMap<Securable, Boolean>(); Map<ObjectIdentity, Securable> objectIdentities = getObjectIdentities(securables); if (objectIdentities.isEmpty()) return result; /*//w w w. j a v a 2 s . co m * Take advantage of fast bulk loading of ACLs. Other methods sohuld adopt this if they turn out to be heavily * used/slow. */ Map<ObjectIdentity, Acl> acls = aclService .readAclsById(new Vector<ObjectIdentity>(objectIdentities.keySet())); String currentUsername = userManager.getCurrentUsername(); boolean isAdmin = isUserAdmin(); for (ObjectIdentity oi : acls.keySet()) { Acl a = acls.get(oi); Sid owner = a.getOwner(); result.put(objectIdentities.get(oi), false); if (isAdmin || (owner != null && owner instanceof PrincipalSid && ((PrincipalSid) owner).getPrincipal().equals(currentUsername))) { result.put(objectIdentities.get(oi), true); } } return result; }
From source file:ubic.gemma.security.SecurityServiceImpl.java
@Override @Secured("ACL_SECURABLE_READ") public Sid getOwner(Securable s) { ObjectIdentity oi = this.objectIdentityRetrievalStrategy.getObjectIdentity(s); Acl a = this.aclService.readAclById(oi); return a.getOwner(); }
From source file:ubic.gemma.security.SecurityServiceImpl.java
@Override @Secured("ACL_SECURABLE_COLLECTION_READ") public Map<Securable, Sid> getOwners(Collection<? extends Securable> securables) { Map<Securable, Sid> result = new HashMap<Securable, Sid>(); Map<ObjectIdentity, Securable> objectIdentities = getObjectIdentities(securables); if (securables.isEmpty()) return result; /*/* ww w .j a v a 2 s . co m*/ * Take advantage of fast bulk loading of ACLs. Other methods sohuld adopt this if they turn out to be heavily * used/slow. */ Map<ObjectIdentity, Acl> acls = aclService .readAclsById(new Vector<ObjectIdentity>(objectIdentities.keySet())); for (ObjectIdentity oi : acls.keySet()) { Acl a = acls.get(oi); Sid owner = a.getOwner(); if (owner == null) result.put(objectIdentities.get(oi), null); else result.put(objectIdentities.get(oi), owner); } return result; }