Source Code Cross Referenced for RoleVoter.java in  » Security » acegi-security » org » acegisecurity » vote » Java Source Code / Java DocumentationJava Source Code and Java Documentation

001:        /* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
002:         *
003:         * Licensed under the Apache License, Version 2.0 (the "License");
004:         * you may not use this file except in compliance with the License.
005:         * You may obtain a copy of the License at
006:         *
007:         *     http://www.apache.org/licenses/LICENSE-2.0
008:         *
009:         * Unless required by applicable law or agreed to in writing, software
010:         * distributed under the License is distributed on an "AS IS" BASIS,
011:         * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
012:         * See the License for the specific language governing permissions and
013:         * limitations under the License.
014:         */
015:
016:        package org.acegisecurity.vote;
017:
018:        import java.util.Iterator;
019:
020:        import org.acegisecurity.Authentication;
021:        import org.acegisecurity.ConfigAttribute;
022:        import org.acegisecurity.ConfigAttributeDefinition;
023:
024:        /**
025:         * <p>
026:         * Votes if any {@link ConfigAttribute#getAttribute()} starts with a prefix
027:         * indicating that it is a role. The default prefix string is <Code>ROLE_</code>,
028:         * but this may be overriden to any value. It may also be set to empty, which
029:         * means that essentially any attribute will be voted on. As described further
030:         * below, the effect of an empty prefix may not be quite desireable.
031:         * </p>
032:         * <p>
033:         * Abstains from voting if no configuration attribute commences with the role
034:         * prefix. Votes to grant access if there is an exact matching
035:         * {@link org.acegisecurity.GrantedAuthority} to a <code>ConfigAttribute</code>
036:         * starting with the role prefix. Votes to deny access if there is no exact
037:         * matching <code>GrantedAuthority</code> to a <code>ConfigAttribute</code>
038:         * starting with the role prefix.
039:         * </p>
040:         * <p>
041:         * An empty role prefix means that the voter will vote for every
042:         * ConfigAttribute. When there are different categories of ConfigAttributes
043:         * used, this will not be optimal since the voter will be voting for attributes
044:         * which do not represent roles. However, this option may be of some use when
045:         * using preexisting role names without a prefix, and no ability exists to
046:         * prefix them with a role prefix on reading them in, such as provided for
047:         * example in {@link org.acegisecurity.userdetails.jdbc.JdbcDaoImpl}.
048:         * </p>
049:         * <p>
050:         * All comparisons and prefixes are case sensitive.
051:         * </p>
052:         * 
053:         * @author Ben Alex
054:         * @author colin sampaleanu
055:         * @version $Id: RoleVoter.java 1948 2007-08-25 00:15:30Z benalex $
056:         */
057:        public class RoleVoter implements  AccessDecisionVoter {
058:            // ~ Instance fields
059:            // ================================================================================================
060:
061:            private String rolePrefix = "ROLE_";
062:
063:            // ~ Methods
064:            // ========================================================================================================
065:
066:            public String getRolePrefix() {
067:                return rolePrefix;
068:            }
069:
070:            /**
071:             * Allows the default role prefix of <code>ROLE_</code> to be overriden.
072:             * May be set to an empty value, although this is usually not desireable.
073:             * 
074:             * @param rolePrefix the new prefix
075:             */
076:            public void setRolePrefix(String rolePrefix) {
077:                this .rolePrefix = rolePrefix;
078:            }
079:
080:            public boolean supports(ConfigAttribute attribute) {
081:                if ((attribute.getAttribute() != null)
082:                        && attribute.getAttribute().startsWith(getRolePrefix())) {
083:                    return true;
084:                } else {
085:                    return false;
086:                }
087:            }
088:
089:            /**
090:             * This implementation supports any type of class, because it does not query
091:             * the presented secure object.
092:             * 
093:             * @param clazz the secure object
094:             * 
095:             * @return always <code>true</code>
096:             */
097:            public boolean supports(Class clazz) {
098:                return true;
099:            }
100:
101:            public int vote(Authentication authentication, Object object,
102:                    ConfigAttributeDefinition config) {
103:                int result = ACCESS_ABSTAIN;
104:                Iterator iter = config.getConfigAttributes();
105:
106:                while (iter.hasNext()) {
107:                    ConfigAttribute attribute = (ConfigAttribute) iter.next();
108:
109:                    if (this .supports(attribute)) {
110:                        result = ACCESS_DENIED;
111:
112:                        // Attempt to find a matching granted authority
113:                        for (int i = 0; i < authentication.getAuthorities().length; i++) {
114:                            if (attribute.getAttribute().equals(
115:                                    authentication.getAuthorities()[i]
116:                                            .getAuthority())) {
117:                                return ACCESS_GRANTED;
118:                            }
119:                        }
120:                    }
121:                }
122:
123:                return result;
124:            }
125:        }