Java tutorial
/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.acegisecurity.afterinvocation; import org.acegisecurity.AccessDeniedException; import org.acegisecurity.AcegiMessageSource; import org.acegisecurity.Authentication; import org.acegisecurity.ConfigAttribute; import org.acegisecurity.ConfigAttributeDefinition; import org.acegisecurity.acls.AclService; import org.acegisecurity.acls.Permission; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.springframework.context.MessageSource; import org.springframework.context.MessageSourceAware; import org.springframework.context.support.MessageSourceAccessor; import java.util.Iterator; /** * <p>Given a domain object instance returned from a secure object invocation, ensures the principal has * appropriate permission as defined by the {@link AclService}.</p> * <p>The <code>AclService</code> is used to retrieve the access control list (ACL) permissions associated with a * domain object instance for the current <code>Authentication</code> object.</p> * <p>This after invocation provider will fire if any {@link ConfigAttribute#getAttribute()} matches the {@link * #processConfigAttribute}. The provider will then lookup the ACLs from the <code>AclService</code> and ensure the * principal is {@link org.acegisecurity.acls.Acl#isGranted(org.acegisecurity.acls.Permission[], org.acegisecurity.acls.sid.Sid[], boolean) Acl.isGranted(Permission[], Sid[], boolean)} * when presenting the {@link #requirePermission} array to that method.</p> * <p>Often users will setup an <code>AclEntryAfterInvocationProvider</code> with a {@link * #processConfigAttribute} of <code>AFTER_ACL_READ</code> and a {@link #requirePermission} of * <code>BasePermission.READ</code>. These are also the defaults.</p> * <p>If the principal does not have sufficient permissions, an <code>AccessDeniedException</code> will be thrown.</p> * <p>If the provided <code>returnObject</code> is <code>null</code>, permission will always be granted and * <code>null</code> will be returned.</p> * <p>All comparisons and prefixes are case sensitive.</p> */ public class AclEntryAfterInvocationProvider extends AbstractAclProvider implements MessageSourceAware { //~ Static fields/initializers ===================================================================================== protected static final Log logger = LogFactory.getLog(AclEntryAfterInvocationProvider.class); //~ Instance fields ================================================================================================ protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor(); //~ Constructors =================================================================================================== public AclEntryAfterInvocationProvider(AclService aclService, Permission[] requirePermission) { super(aclService, "AFTER_ACL_READ", requirePermission); } //~ Methods ======================================================================================================== public Object decide(Authentication authentication, Object object, ConfigAttributeDefinition config, Object returnedObject) throws AccessDeniedException { Iterator iter = config.getConfigAttributes(); while (iter.hasNext()) { ConfigAttribute attr = (ConfigAttribute) iter.next(); if (this.supports(attr)) { // Need to make an access decision on this invocation if (returnedObject == null) { // AclManager interface contract prohibits nulls // As they have permission to null/nothing, grant access if (logger.isDebugEnabled()) { logger.debug("Return object is null, skipping"); } return null; } if (!getProcessDomainObjectClass().isAssignableFrom(returnedObject.getClass())) { if (logger.isDebugEnabled()) { logger.debug("Return object is not applicable for this provider, skipping"); } return returnedObject; } if (hasPermission(authentication, returnedObject)) { return returnedObject; } else { if (logger.isDebugEnabled()) { logger.debug("Denying access"); } throw new AccessDeniedException( messages.getMessage("BasicAclEntryAfterInvocationProvider.noPermission", new Object[] { authentication.getName(), returnedObject }, "Authentication {0} has NO permissions to the domain object {1}")); } } } return returnedObject; } public void setMessageSource(MessageSource messageSource) { this.messages = new MessageSourceAccessor(messageSource); } }