Java tutorial
/* * eXist Open Source Native XML Database * Copyright (C) 2001-2011 The eXist-db Project * http://exist-db.org * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public License * as published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * $Id$ */ package org.exist.security; import org.aspectj.lang.JoinPoint; import org.aspectj.lang.annotation.Aspect; import org.aspectj.lang.annotation.Before; import org.aspectj.lang.annotation.Pointcut; import org.aspectj.lang.reflect.MethodSignature; import static org.exist.security.PermissionRequired.UNDEFINED; import static org.exist.security.PermissionRequired.IS_DBA; import static org.exist.security.PermissionRequired.IS_OWNER; import static org.exist.security.PermissionRequired.IS_MEMBER; import static org.exist.security.PermissionRequired.ACL_WRITE; import static org.exist.security.PermissionRequired.IS_SET_GID; /** * @author Adam Retter <adam@exist-db.org> */ @Aspect public class PermissionRequiredAspect { @Pointcut("execution(* *(@org.exist.security.PermissionRequired (*),..)) && args(o,..) && this(permission)") public void methodParameterWithPermissionRequired(Permission permission, Object o) { } @Before("methodParameterWithPermissionRequired(permission, o)") public void enforcePermissionsOnParameter(JoinPoint joinPoint, Permission permission, Object o) throws PermissionDeniedException { //the next two lines can be replaced when this aspectj bug is closed - https://bugs.eclipse.org/bugs/show_bug.cgi?id=259416 final MethodSignature ms = (MethodSignature) joinPoint.getSignature(); final PermissionRequired parameterPermissionRequired = (PermissionRequired) ms.getMethod() .getParameterAnnotations()[0][0]; //1) check if we should allow DBA access if (((parameterPermissionRequired.user() & IS_DBA) == IS_DBA) && permission.isCurrentSubjectDBA()) { return; } //2) check if the user is in the target group if ((parameterPermissionRequired.user() & IS_MEMBER) == IS_MEMBER) { final Integer groupId = (Integer) o; if (permission.isCurrentSubjectInGroup(groupId)) { return; } } //3) check if we are looking for setGID if ((parameterPermissionRequired.mode() & IS_SET_GID) == IS_SET_GID) { final Permission other = (Permission) o; if (other.isSetGid()) { return; } } throw new PermissionDeniedException("You must be a member of the group you are changing the item to"); } @Pointcut("execution(@org.exist.security.PermissionRequired * *(..)) && this(permission) && @annotation(permissionRequired)") public void methodWithPermissionRequired(Permission permission, PermissionRequired permissionRequired) { } @Before("methodWithPermissionRequired(permission, permissionRequired)") public void enforcePermissions(JoinPoint joinPoint, Permission permission, PermissionRequired permissionRequired) throws PermissionDeniedException { //1) check if we should allow DBA access if (((permissionRequired.user() & IS_DBA) == IS_DBA) && permission.isCurrentSubjectDBA()) { return; } //2) check for owner access if ((permissionRequired.user() & IS_OWNER) == IS_OWNER && permission.isCurrentSubjectOwner()) { if (permissionRequired.group() == UNDEFINED) { return; } else { //check for group memebership if (permissionRequired.group() == IS_MEMBER && permission.isCurrentSubjectInGroup()) { return; } } } //3) check for group access if (permissionRequired.user() == UNDEFINED && permissionRequired.group() != UNDEFINED) { if (permissionRequired.group() == IS_MEMBER && permission.isCurrentSubjectInGroup()) { return; } } //4) check for acl mode access if (permission instanceof ACLPermission && permissionRequired.mode() != UNDEFINED) { if ((permissionRequired.mode() & ACL_WRITE) == ACL_WRITE && ((ACLPermission) permission).isCurrentSubjectCanWriteACL()) { return; } } throw new PermissionDeniedException( "You do not have appropriate access rights to modify permissions on this object"); } //TODO change Pointcut so that @annotation values are directly bound. see - https://bugs.eclipse.org/bugs/show_bug.cgi?id=347684 /* @Pointcut("execution(@org.exist.security.PermissionRequired * *(..)) && this(permission) && @annotation(org.exist.security.PermissionRequired(mode,user,group))") public void methodWithPermissionRequired(Permission permission, int mode, int user, int group) { } @Before("methodWithPermissionRequired(permission, mode, user, group)") public void enforcePermissions(JoinPoint joinPoint, Permission permission, int mode, int user, int group) { System.out.println("POINTCUT"); }*/ }