001: /* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
002: *
003: * Licensed under the Apache License, Version 2.0 (the "License");
004: * you may not use this file except in compliance with the License.
005: * You may obtain a copy of the License at
006: *
007: * http://www.apache.org/licenses/LICENSE-2.0
008: *
009: * Unless required by applicable law or agreed to in writing, software
010: * distributed under the License is distributed on an "AS IS" BASIS,
011: * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
012: * See the License for the specific language governing permissions and
013: * limitations under the License.
014: */
015:
016: package org.acegisecurity.vote;
017:
018: import org.acegisecurity.Authentication;
019: import org.acegisecurity.AuthorizationServiceException;
020: import org.acegisecurity.ConfigAttribute;
021: import org.acegisecurity.ConfigAttributeDefinition;
022:
023: import org.acegisecurity.acl.AclEntry;
024: import org.acegisecurity.acl.AclManager;
025: import org.acegisecurity.acl.basic.BasicAclEntry;
026: import org.acegisecurity.acl.basic.SimpleAclEntry;
027:
028: import org.apache.commons.logging.Log;
029: import org.apache.commons.logging.LogFactory;
030:
031: import org.springframework.beans.factory.InitializingBean;
032:
033: import org.springframework.util.Assert;
034:
035: import java.lang.reflect.InvocationTargetException;
036: import java.lang.reflect.Method;
037:
038: import java.util.Iterator;
039:
040: /**
041: * <p>Given a domain object instance passed as a method argument, ensures the principal has appropriate permission
042: * as defined by the {@link AclManager}.</p>
043: * <p>The <code>AclManager</code> is used to retrieve the access control list (ACL) permissions associated with a
044: * domain object instance for the current <code>Authentication</code> object. This class is designed to process {@link
045: * AclEntry}s that are subclasses of {@link org.acegisecurity.acl.basic.BasicAclEntry} only. Generally these are
046: * obtained by using the {@link org.acegisecurity.acl.basic.BasicAclProvider}.</p>
047: * <p>The voter will vote if any {@link ConfigAttribute#getAttribute()} matches the {@link
048: * #processConfigAttribute}. The provider will then locate the first method argument of type {@link
049: * #processDomainObjectClass}. Assuming that method argument is non-null, the provider will then lookup the ACLs from
050: * the <code>AclManager</code> and ensure the principal is {@link
051: * org.acegisecurity.acl.basic.BasicAclEntry#isPermitted(int)} for at least one of the {@link #requirePermission}s.</p>
052: * <p>If the method argument is <code>null</code>, the voter will abstain from voting. If the method argument
053: * could not be found, an {@link org.acegisecurity.AuthorizationServiceException} will be thrown.</p>
054: * <p>In practical terms users will typically setup a number of <code>BasicAclEntryVoter</code>s. Each will have a
055: * different {@link #processDomainObjectClass}, {@link #processConfigAttribute} and {@link #requirePermission}
056: * combination. For example, a small application might employ the following instances of
057: * <code>BasicAclEntryVoter</code>:
058: * <ul>
059: * <li>Process domain object class <code>BankAccount</code>, configuration attribute
060: * <code>VOTE_ACL_BANK_ACCONT_READ</code>, require permission <code>SimpleAclEntry.READ</code></li>
061: * <li>Process domain object class <code>BankAccount</code>, configuration attribute
062: * <code>VOTE_ACL_BANK_ACCOUNT_WRITE</code>, require permission list <code>SimpleAclEntry.WRITE</code> and
063: * <code>SimpleAclEntry.CREATE</code> (allowing the principal to have <b>either</b> of these two permissions</li>
064: * <li>Process domain object class <code>Customer</code>, configuration attribute
065: * <code>VOTE_ACL_CUSTOMER_READ</code>, require permission <code>SimpleAclEntry.READ</code></li>
066: * <li>Process domain object class <code>Customer</code>, configuration attribute
067: * <code>VOTE_ACL_CUSTOMER_WRITE</code>, require permission list <code>SimpleAclEntry.WRITE</code> and
068: * <code>SimpleAclEntry.CREATE</code></li>
069: * </ul>
070: * Alternatively, you could have used a common superclass or interface for the {@link #processDomainObjectClass}
071: * if both <code>BankAccount</code> and <code>Customer</code> had common parents.</p>
072: * <p>If the principal does not have sufficient permissions, the voter will vote to deny access.</p>
073: * <p>The <code>AclManager</code> is allowed to return any implementations of <code>AclEntry</code> it wishes.
074: * However, this provider will only be able to validate against <code>AbstractBasicAclEntry</code>s, and thus a vote
075: * to deny access will be made if no <code>AclEntry</code> is of type <code>AbstractBasicAclEntry</code>.</p>
076: * <p>All comparisons and prefixes are case sensitive.</p>
077: *
078: * @author Ben Alex
079: * @version $Id: BasicAclEntryVoter.java 1766 2006-11-26 04:47:43Z benalex $
080: */
081: public class BasicAclEntryVoter extends AbstractAclVoter implements
082: InitializingBean {
083: //~ Static fields/initializers =====================================================================================
084:
085: private static final Log logger = LogFactory
086: .getLog(BasicAclEntryVoter.class);
087:
088: //~ Instance fields ================================================================================================
089:
090: private AclManager aclManager;
091: private String internalMethod;
092: private String processConfigAttribute;
093: private int[] requirePermission;
094:
095: //~ Methods ========================================================================================================
096:
097: public void afterPropertiesSet() throws Exception {
098: Assert.notNull(processConfigAttribute,
099: "A processConfigAttribute is mandatory");
100: Assert.notNull(aclManager, "An aclManager is mandatory");
101:
102: if ((requirePermission == null)
103: || (requirePermission.length == 0)) {
104: throw new IllegalArgumentException(
105: "One or more requirePermission entries is mandatory");
106: }
107: }
108:
109: public AclManager getAclManager() {
110: return aclManager;
111: }
112:
113: /**
114: * Optionally specifies a method of the domain object that will be used to obtain a contained domain
115: * object. That contained domain object will be used for the ACL evaluation. This is useful if a domain object
116: * contains a parent that an ACL evaluation should be targeted for, instead of the child domain object (which
117: * perhaps is being created and as such does not yet have any ACL permissions)
118: *
119: * @return <code>null</code> to use the domain object, or the name of a method (that requires no arguments) that
120: * should be invoked to obtain an <code>Object</code> which will be the domain object used for ACL
121: * evaluation
122: */
123: public String getInternalMethod() {
124: return internalMethod;
125: }
126:
127: public String getProcessConfigAttribute() {
128: return processConfigAttribute;
129: }
130:
131: public int[] getRequirePermission() {
132: return requirePermission;
133: }
134:
135: public void setAclManager(AclManager aclManager) {
136: this .aclManager = aclManager;
137: }
138:
139: public void setInternalMethod(String internalMethod) {
140: this .internalMethod = internalMethod;
141: }
142:
143: public void setProcessConfigAttribute(String processConfigAttribute) {
144: this .processConfigAttribute = processConfigAttribute;
145: }
146:
147: public void setRequirePermission(int[] requirePermission) {
148: this .requirePermission = requirePermission;
149: }
150:
151: /**
152: * Allow setting permissions with String literals instead of integers as {@link #setRequirePermission(int[])}
153: *
154: * @param requirePermission Permission literals
155: * @see SimpleAclEntry#parsePermissions(String[]) for valid values
156: */
157: public void setRequirePermissionFromString(
158: String[] requirePermission) {
159: setRequirePermission(SimpleAclEntry
160: .parsePermissions(requirePermission));
161: }
162:
163: public boolean supports(ConfigAttribute attribute) {
164: if ((attribute.getAttribute() != null)
165: && attribute.getAttribute().equals(
166: getProcessConfigAttribute())) {
167: return true;
168: } else {
169: return false;
170: }
171: }
172:
173: public int vote(Authentication authentication, Object object,
174: ConfigAttributeDefinition config) {
175: Iterator iter = config.getConfigAttributes();
176:
177: while (iter.hasNext()) {
178: ConfigAttribute attr = (ConfigAttribute) iter.next();
179:
180: if (this .supports(attr)) {
181: // Need to make an access decision on this invocation
182: // Attempt to locate the domain object instance to process
183: Object domainObject = getDomainObjectInstance(object);
184:
185: // If domain object is null, vote to abstain
186: if (domainObject == null) {
187: if (logger.isDebugEnabled()) {
188: logger
189: .debug("Voting to abstain - domainObject is null");
190: }
191:
192: return AccessDecisionVoter.ACCESS_ABSTAIN;
193: }
194:
195: // Evaluate if we are required to use an inner domain object
196: if ((internalMethod != null)
197: && !"".equals(internalMethod)) {
198: try {
199: Class clazz = domainObject.getClass();
200: Method method = clazz.getMethod(internalMethod,
201: new Class[] {});
202: domainObject = method.invoke(domainObject,
203: new Object[] {});
204: } catch (NoSuchMethodException nsme) {
205: throw new AuthorizationServiceException(
206: "Object of class '"
207: + domainObject.getClass()
208: + "' does not provide the requested internalMethod: "
209: + internalMethod);
210: } catch (IllegalAccessException iae) {
211: if (logger.isDebugEnabled()) {
212: logger.debug("IllegalAccessException", iae);
213:
214: if (iae.getCause() != null) {
215: logger.debug("Cause: "
216: + iae.getCause().getMessage(),
217: iae.getCause());
218: }
219: }
220:
221: throw new AuthorizationServiceException(
222: "Problem invoking internalMethod: "
223: + internalMethod
224: + " for object: "
225: + domainObject);
226: } catch (InvocationTargetException ite) {
227: if (logger.isDebugEnabled()) {
228: logger.debug("InvocationTargetException",
229: ite);
230:
231: if (ite.getCause() != null) {
232: logger.debug("Cause: "
233: + ite.getCause().getMessage(),
234: ite.getCause());
235: }
236: }
237:
238: throw new AuthorizationServiceException(
239: "Problem invoking internalMethod: "
240: + internalMethod
241: + " for object: "
242: + domainObject);
243: }
244: }
245:
246: // Obtain the ACLs applicable to the domain object
247: AclEntry[] acls = aclManager.getAcls(domainObject,
248: authentication);
249:
250: // If principal has no permissions for domain object, deny
251: if ((acls == null) || (acls.length == 0)) {
252: if (logger.isDebugEnabled()) {
253: logger
254: .debug("Voting to deny access - no ACLs returned for this principal");
255: }
256:
257: return AccessDecisionVoter.ACCESS_DENIED;
258: }
259:
260: // Principal has some permissions for domain object, check them
261: for (int i = 0; i < acls.length; i++) {
262: // Locate processable AclEntrys
263: if (acls[i] instanceof BasicAclEntry) {
264: BasicAclEntry processableAcl = (BasicAclEntry) acls[i];
265:
266: // See if principal has any of the required permissions
267: for (int y = 0; y < requirePermission.length; y++) {
268: if (processableAcl
269: .isPermitted(requirePermission[y])) {
270: if (logger.isDebugEnabled()) {
271: logger
272: .debug("Voting to grant access");
273: }
274:
275: return AccessDecisionVoter.ACCESS_GRANTED;
276: }
277: }
278: }
279: }
280:
281: // No permissions match
282: if (logger.isDebugEnabled()) {
283: logger
284: .debug("Voting to deny access - ACLs returned, but insufficient permissions for this principal");
285: }
286:
287: return AccessDecisionVoter.ACCESS_DENIED;
288: }
289: }
290:
291: // No configuration attribute matched, so abstain
292: return AccessDecisionVoter.ACCESS_ABSTAIN;
293: }
294: }
|