List of usage examples for org.springframework.security.acls.model AuditableAcl setEntriesInheriting
void setEntriesInheriting(boolean entriesInheriting);
From source file:ubic.gemma.security.authorization.acl.AclAdvice.java
/** * Creates the acl_permission object and the acl_object_identity object. * //w w w .j a va 2 s . co m * @param object The domain object. * @return true if an ACL was created, false otherwise. */ private AuditableAcl addOrUpdateAcl(Securable object, Acl parentAcl) { if (object.getId() == null) { log.warn("ACLs cannot be added or updated on non-persistent object: " + object); return null; } ObjectIdentity oi = makeObjectIdentity(object); AuditableAcl acl = null; boolean exists = false; try { acl = (AuditableAcl) aclService.readAclById(oi); // throws exception if not found exists = true; } catch (NotFoundException nfe) { acl = (AuditableAcl) aclService.createAcl(oi); } if (exists) { /* * Could be findOrCreate, or could be a second pass that will let us fill in parent ACLs for associated * objects missed earlier in a persist cycle. E.g. BioMaterial */ try { maybeSetParentACL(object, acl, parentAcl); return acl; } catch (NotFoundException nfe) { log.error(nfe, nfe); } } Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); if (authentication == null) { throw new IllegalStateException("No authentication found in the security context"); } Object p = authentication.getPrincipal(); if (p == null) { throw new IllegalStateException("Principal was null for " + authentication); } Sid sid = new PrincipalSid(p.toString()); boolean isAdmin = SecurityServiceImpl.isUserAdmin(); boolean isRunningAsAdmin = SecurityServiceImpl.isRunningAsAdmin(); boolean isAnonymous = SecurityServiceImpl.isUserAnonymous(); boolean objectIsAUser = User.class.isAssignableFrom(object.getClass()); boolean objectIsAGroup = UserGroup.class.isAssignableFrom(object.getClass()); /* * The only case where we absolutely disallow inheritance is for SecuredNotChild. */ boolean inheritFromParent = parentAcl != null && !SecuredNotChild.class.isAssignableFrom(object.getClass()); boolean missingParent = parentAcl == null & SecuredChild.class.isAssignableFrom(object.getClass()); if (missingParent) { // This easily happens, it's not a problem as we go back through to recheck objects. log.debug("Object should have a parent during ACL setup: " + object); } acl.setEntriesInheriting(inheritFromParent); /* * The logic here is: if we're supposed to inherit from the parent, but none is provided (can easily happen), we * have to put in ACEs. Same goes if we're not supposed to inherit. Objects which are not supposed to have their * own ACLs (SecurableChild) */ if (!inheritFromParent || parentAcl == null) { /* * All objects must have administration permissions on them. */ if (log.isDebugEnabled()) log.debug("Making administratable by GROUP_ADMIN: " + oi); grant(acl, BasePermission.ADMINISTRATION, new GrantedAuthoritySid(new GrantedAuthorityImpl(AuthorityConstants.ADMIN_GROUP_AUTHORITY))); /* * Let agent read anything */ if (log.isDebugEnabled()) log.debug("Making readable by GROUP_AGENT: " + oi); grant(acl, BasePermission.READ, new GrantedAuthoritySid(new GrantedAuthorityImpl(AuthorityConstants.AGENT_GROUP_AUTHORITY))); /* * If admin, and the object is not a user or group, make it readable by anonymous. */ boolean makeAnonymousReadable = isAdmin && !objectIsAUser && !objectIsAGroup; if (makeAnonymousReadable) { if (log.isDebugEnabled()) log.debug("Making readable by IS_AUTHENTICATED_ANONYMOUSLY: " + oi); grant(acl, BasePermission.READ, new GrantedAuthoritySid( new GrantedAuthorityImpl(AuthorityConstants.IS_AUTHENTICATED_ANONYMOUSLY))); } /* * Don't add more permissions for the administrator. But whatever it is, the person who created it can * read/write it. User will only be anonymous if they are registering (AFAIK) */ if (!isAdmin && !isAnonymous) { if (log.isDebugEnabled()) log.debug("Giving read/write permissions on " + oi + " to " + sid); grant(acl, BasePermission.READ, sid); /* * User who created something can edit it. */ grant(acl, BasePermission.WRITE, sid); } } /* * If the object is a user, make sure that user gets permissions even if the current user is not the same! In * fact, user creation runs with GROUP_RUN_AS_ADMIN privileges. */ if (objectIsAUser) { User u = (User) object; if (((PrincipalSid) sid).getPrincipal().equals(u.getUserName())) { /* * This case should actually never happen. "we" are the user who is creating this user. We've already * adding the READ/WRITE permissions above. */ log.warn("Somehow...a user created themselves: " + oi); } else { if (log.isDebugEnabled()) log.debug("New User: given read/write permissions on " + oi + " to " + sid); if (isRunningAsAdmin) { /* * Important: we expect this to normally be the case. */ sid = new PrincipalSid(u.getUserName()); } /* * See org.springframework.security.acls.domain.AclAuthorizationStrategy. */ grant(acl, BasePermission.READ, sid); grant(acl, BasePermission.WRITE, sid); } } // Treating Analyses as special case. It'll inherit ACL from ExpressionExperiment // If aclParent is passed to this method we overwrite it. if (SingleExperimentAnalysis.class.isAssignableFrom(object.getClass())) { SingleExperimentAnalysis experimentAnalysis = (SingleExperimentAnalysis) object; BioAssaySet bioAssaySet = experimentAnalysis.getExperimentAnalyzed(); ObjectIdentity oi_temp = makeObjectIdentity(bioAssaySet); try { parentAcl = aclService.readAclById(oi_temp); } catch (NotFoundException nfe) { // This is possible if making an EESubSet is part of the transaction. parentAcl = aclService.createAcl(oi_temp); } acl.setEntriesInheriting(true); acl.setParent(parentAcl); // Owner of the experiment owns analyses even if administrator ran them. sid = parentAcl.getOwner(); } acl.setOwner(sid); // this might be the 'user' now. assert !acl.equals(parentAcl); if (parentAcl != null && inheritFromParent) { if (log.isTraceEnabled()) log.trace("Setting parent to: " + parentAcl + " <--- " + acl); acl.setParent(parentAcl); } return (AuditableAcl) aclService.updateAcl(acl); }