Java tutorial
/* * Copyright 2012-2015 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.cedac.security.acls.domain; import org.springframework.security.acls.domain.AuditLogger; import org.springframework.security.acls.model.AccessControlEntry; import org.springframework.security.acls.model.Acl; import org.springframework.security.acls.model.NotFoundException; import org.springframework.security.acls.model.Permission; import org.springframework.security.acls.model.PermissionGrantingStrategy; import org.springframework.security.acls.model.Sid; import org.springframework.util.Assert; import java.util.List; /** * Implementation of PermissionGrantingStrategy that check bitmasks. * * @author mauro.franceschini@cedac.com * @since 1.0.0 */ public class BitMaskPermissionGrantingStrategy implements PermissionGrantingStrategy { private final transient AuditLogger auditLogger; public BitMaskPermissionGrantingStrategy(AuditLogger auditLogger) { Assert.notNull(auditLogger, "auditLogger cannot be null"); this.auditLogger = auditLogger; } @Override public boolean isGranted(Acl acl, List<Permission> permission, List<Sid> sids, boolean administrativeMode) { final List<AccessControlEntry> aces = acl.getEntries(); AccessControlEntry firstRejection = null; for (Permission p : permission) { for (Sid sid : sids) { // Attempt to find exact match for this permission mask and SID boolean scanNextSid = true; for (AccessControlEntry ace : aces) { //Bit-wise comparison if (containsPermission(ace.getPermission().getMask(), p.getMask()) && ace.getSid().equals(sid)) { // Found a matching ACE, so its authorization decision will prevail if (ace.isGranting()) { // Success if (!administrativeMode) { auditLogger.logIfNeeded(true, ace); } return true; } // Failure for this permission, so stop search // We will see if they have a different permission // (this permission is 100% rejected for this SID) if (firstRejection == null) { // Store first rejection for auditing reasons firstRejection = ace; } scanNextSid = false; // helps break the loop break; // exit aces loop } } if (!scanNextSid) { break; // exit SID for loop (now try next permission) } } } if (firstRejection != null) { // We found an ACE to reject the request at this point, as no // other ACEs were found that granted a different permission if (!administrativeMode) { auditLogger.logIfNeeded(false, firstRejection); } return false; } // No matches have been found so far if (acl.isEntriesInheriting() && (acl.getParentAcl() != null)) { // We have a parent, so let them try to find a matching ACE return acl.getParentAcl().isGranted(permission, sids, false); } else { // We either have no parent, or we're the uppermost parent throw new NotFoundException("Unable to locate a matching ACE for passed permissions and SIDs"); } } private boolean containsPermission(int mask, int permission) { return (mask & permission) == permission; } }