001: /* Copyright 2002 The JA-SIG Collaborative. All rights reserved.
002: * See license distributed with this file and
003: * available online at http://www.uportal.org/license.html
004: */
005:
006: package org.jasig.portal.security.provider;
007:
008: import java.util.Date;
009: import java.util.Iterator;
010:
011: import org.jasig.portal.AuthorizationException;
012: import org.jasig.portal.groups.GroupsException;
013: import org.jasig.portal.groups.IGroupMember;
014: import org.jasig.portal.security.IAuthorizationPrincipal;
015: import org.jasig.portal.security.IAuthorizationService;
016: import org.jasig.portal.security.IPermission;
017: import org.jasig.portal.security.IPermissionPolicy;
018:
019: /**
020: * Implements a strategy for answering the basic authorization question: does the
021: * <code>principal</code> have permission to perform the <code>activity</code> on
022: * the <code>target</code>.
023: *
024: * @author Dan Ellentuck (de3@columbia.edu)
025: * @version $Revision: 35418 $
026: */
027: public class DefaultPermissionPolicy implements IPermissionPolicy {
028: /**
029: * DefaultPermissionPolicy constructor.
030: */
031: public DefaultPermissionPolicy() {
032: super ();
033: }
034:
035: /**
036: * Answers if the owner has authorized the principal to perform the activity
037: * on the target, based on permissions provided by the service. Params
038: * <code>service</code>, <code>owner</code> and <code>activity</code> must
039: * be non-null.
040: *
041: * @return boolean
042: * @param service org.jasig.portal.security.IAuthorizationService
043: * @param principal org.jasig.portal.security.IAuthorizationPrincipal
044: * @param owner java.lang.String
045: * @param activity java.lang.String
046: * @param target java.lang.String
047: * @exception org.jasig.portal.AuthorizationException
048: */
049: public boolean doesPrincipalHavePermission(
050: IAuthorizationService service,
051: IAuthorizationPrincipal principal, String owner,
052: String activity, String target)
053: throws org.jasig.portal.AuthorizationException {
054: IPermission[] perms = service.getPermissionsForPrincipal(
055: principal, owner, activity, target);
056:
057: // We found a permission associated with this principal.
058: if (perms.length == 1) {
059: return permissionIsGranted(perms[0]);
060: }
061:
062: // Should never be.
063: if (perms.length > 1) {
064: throw new AuthorizationException(
065: "Duplicate permissions for: " + perms[0]);
066: }
067:
068: // No permissions for this principal. Check inherited permissions.
069: boolean hasPermission = false;
070: try {
071: Iterator i = service.getGroupMember(principal)
072: .getAllContainingGroups();
073: while (i.hasNext() && !hasPermission) {
074: IAuthorizationPrincipal prn = service
075: .newPrincipal((IGroupMember) i.next());
076: hasPermission = primDoesPrincipalHavePermission(prn,
077: owner, activity, target, service);
078: }
079: } catch (GroupsException ge) {
080: throw new AuthorizationException(ge);
081: }
082:
083: return hasPermission;
084: }
085:
086: /**
087: * Checks that the permission is explicitly granted and not expired.
088: * @return boolean
089: * @param p org.jasig.portal.security.IPermission
090: */
091: private boolean permissionIsGranted(IPermission p) {
092: Date now = new Date();
093: return (p.getType().equals(IPermission.PERMISSION_TYPE_GRANT))
094: && (p.getEffective() == null || !p.getEffective()
095: .after(now))
096: && (p.getExpires() == null || p.getExpires().after(now));
097: }
098:
099: /**
100: * Answers if this specific principal (as opposed to its parents) has the permission.
101: * @return boolean
102: * @param principal IAuthorizationPrincipal
103: * @param owner java.lang.String
104: * @param activity java.lang.String
105: * @param target java.lang.String
106: * @exception AuthorizationException indicates authorization information could not
107: * be retrieved or was invalid.
108: */
109: private boolean primDoesPrincipalHavePermission(
110: IAuthorizationPrincipal principal, String owner,
111: String activity, String target,
112: IAuthorizationService service)
113: throws AuthorizationException {
114: IPermission[] perms = service.getPermissionsForPrincipal(
115: principal, owner, activity, target);
116:
117: if (perms.length == 0) {
118: return false;
119: }
120:
121: if (perms.length == 1) {
122: return permissionIsGranted(perms[0]);
123: } else {
124: throw new AuthorizationException(
125: "Duplicate permissions for: " + perms[0]);
126: }
127: }
128: }
|