01: package sample.dms.secured;
02:
03: import javax.sql.DataSource;
04:
05: import org.acegisecurity.acls.MutableAcl;
06: import org.acegisecurity.acls.MutableAclService;
07: import org.acegisecurity.acls.NotFoundException;
08: import org.acegisecurity.acls.Permission;
09: import org.acegisecurity.acls.domain.BasePermission;
10: import org.acegisecurity.acls.objectidentity.ObjectIdentity;
11: import org.acegisecurity.acls.objectidentity.ObjectIdentityImpl;
12: import org.acegisecurity.acls.sid.GrantedAuthoritySid;
13: import org.acegisecurity.acls.sid.PrincipalSid;
14: import org.acegisecurity.acls.sid.Sid;
15: import org.acegisecurity.context.SecurityContextHolder;
16: import org.springframework.transaction.PlatformTransactionManager;
17: import org.springframework.util.Assert;
18:
19: import sample.dms.AbstractElement;
20: import sample.dms.DataSourcePopulator;
21: import sample.dms.DocumentDao;
22:
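public class SecureDataSourcePopulator extends DataSourcePopulator {

    /** ACL service used to read, create and persist the ACLs written by {@link #addPermission}; never null. */
    private final MutableAclService aclService;

    /**
     * Creates a populator that, in addition to the superclass behaviour, records every
     * permission it is asked to add as an access control entry in the ACL store.
     *
     * @param dataSource                 handed to the superclass unchanged
     * @param documentDao                the DAO to populate; typed as {@link SecureDocumentDao} so the
     *                                   later {@code addPermission} cast cannot fail for DAOs built here
     * @param platformTransactionManager handed to the superclass unchanged
     * @param aclService                 the ACL service that stores the generated entries
     * @throws IllegalArgumentException if {@code aclService} is null (the superclass validates its own arguments)
     */
    public SecureDataSourcePopulator(DataSource dataSource,
            SecureDocumentDao documentDao,
            PlatformTransactionManager platformTransactionManager,
            MutableAclService aclService) {
        super(dataSource, documentDao, platformTransactionManager);
        Assert.notNull(aclService, "MutableAclService required");
        this.aclService = aclService;
    }

    /**
     * Records {@code level} for {@code recipient} on the ACL of {@code element}.
     * <p>
     * The recipient is mapped to a {@link Sid} by prefix: a recipient beginning with {@code ROLE_} becomes a
     * {@link GrantedAuthoritySid}, anything else a {@link PrincipalSid} (the prefix contract is defined on the
     * superclass method's JavaDoc). Consequently a principal whose username happens to start with
     * {@code ROLE_} would be treated as an authority, so callers must respect that contract.
     * <p>
     * {@code LEVEL_NEGATE_READ} produces a non-granting READ entry; the other supported levels produce a
     * granting READ, WRITE or ADMINISTRATION entry. The ACL is created if none exists for the element yet,
     * and the entry is appended by a single {@code insertAce} call followed by {@code updateAcl}.
     *
     * @param documentDao must be a {@link SecureDocumentDao}; only checked, not otherwise used here
     * @param element     the domain object whose ACL is modified; its {@code getId()} supplies the object identity
     * @param recipient   the principal name or {@code ROLE_}-prefixed authority receiving the entry
     * @param level       one of the superclass {@code LEVEL_*} constants
     * @throws IllegalArgumentException if an argument is null/blank, {@code documentDao} is not a
     *                                  {@link SecureDocumentDao}, no {@code Authentication} is present in the
     *                                  {@link SecurityContextHolder}, {@code level} is unsupported, or the ACL
     *                                  returned by the service is not a {@link MutableAcl}
     */
    protected void addPermission(DocumentDao documentDao,
            AbstractElement element, String recipient, int level) {
        Assert.notNull(documentDao, "DocumentDao required");
        Assert.isInstanceOf(SecureDocumentDao.class, documentDao,
                "DocumentDao should have been a SecureDocumentDao");
        Assert.notNull(element, "Element required");
        Assert.hasText(recipient, "Recipient required");
        // NOTE(review): presumably the ACL service performs its ownership/authorization checks against the
        // current Authentication, so failing here gives a clearer error than a failure inside the service — confirm.
        Assert.notNull(SecurityContextHolder.getContext().getAuthentication(),
                "SecurityContextHolder must contain an Authentication");

        // Evaluation order (sid, identity, permission, acl) is kept so argument problems surface before any ACL I/O.
        Sid sid = toSid(recipient);

        // ObjectIdentityImpl(Object) derives the identity from the element's class and its getId() value;
        // equivalent to new ObjectIdentityImpl(element.getClass(), element.getId()).
        ObjectIdentity identity = new ObjectIdentityImpl(element);

        Permission permission = toPermission(level);

        MutableAcl acl = readOrCreateAcl(identity);

        // Only LEVEL_NEGATE_READ denies; every other supported level grants.
        boolean granting = level != LEVEL_NEGATE_READ;
        acl.insertAce(null, permission, sid, granting);

        // Persist the modified ACL.
        aclService.updateAcl(acl);
    }

    /**
     * Maps a recipient to an ACL {@link Sid} using the {@code ROLE_} prefix contract described on
     * {@link #addPermission}.
     *
     * @param recipient non-blank principal name or authority
     * @return a {@link GrantedAuthoritySid} for {@code ROLE_}-prefixed recipients, otherwise a {@link PrincipalSid}
     */
    private Sid toSid(String recipient) {
        if (recipient.startsWith("ROLE_")) {
            return new GrantedAuthoritySid(recipient);
        }
        return new PrincipalSid(recipient);
    }

    /**
     * Maps a superclass {@code LEVEL_*} constant to the {@link BasePermission} it stands for.
     * Whether the entry grants or denies is decided separately by the caller.
     *
     * @param level one of the superclass {@code LEVEL_*} constants
     * @return READ for {@code LEVEL_NEGATE_READ}/{@code LEVEL_GRANT_READ}, WRITE for {@code LEVEL_GRANT_WRITE},
     *         ADMINISTRATION for {@code LEVEL_GRANT_ADMIN}
     * @throws IllegalArgumentException for any other level
     */
    private Permission toPermission(int level) {
        if (level == LEVEL_NEGATE_READ || level == LEVEL_GRANT_READ) {
            return BasePermission.READ;
        }
        if (level == LEVEL_GRANT_WRITE) {
            return BasePermission.WRITE;
        }
        if (level == LEVEL_GRANT_ADMIN) {
            return BasePermission.ADMINISTRATION;
        }
        throw new IllegalArgumentException("Unsupported LEVEL_");
    }

    /**
     * Returns the existing ACL for {@code identity}, creating one when the service reports none.
     *
     * @param identity the object identity whose ACL is wanted
     * @return a non-null {@link MutableAcl}
     * @throws IllegalArgumentException if the service returns an ACL that is not mutable, or creation yields null
     */
    private MutableAcl readOrCreateAcl(ObjectIdentity identity) {
        try {
            // readAclById is typed as a plain Acl; check before casting so a read-only ACL fails with a
            // clear message instead of a ClassCastException (same style as the DAO check in addPermission).
            Object existing = aclService.readAclById(identity);
            Assert.isInstanceOf(MutableAcl.class, existing, "Acl should have been a MutableAcl");
            return (MutableAcl) existing;
        } catch (NotFoundException nfe) {
            MutableAcl created = aclService.createAcl(identity);
            Assert.notNull(created, "Acl could not be retrieved or created");
            return created;
        }
    }

}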