Coverage Report

Coverage Report - org.acegisecurity.intercept.method.MethodInvocationPrivilegeEvaluator

Classes in this File

80%

 /* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 package org.acegisecurity.intercept.method;
 
 import org.acegisecurity.AccessDeniedException;
 import org.acegisecurity.Authentication;
 import org.acegisecurity.ConfigAttributeDefinition;
 
 import org.acegisecurity.intercept.AbstractSecurityInterceptor;
 
 import org.aopalliance.intercept.MethodInvocation;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 import org.springframework.beans.factory.InitializingBean;
 
 import org.springframework.util.Assert;
 
 
 /**
  * Allows users to determine whether they have "before invocation" privileges for a given method invocation.<p>Of
  * course, if an {@link org.acegisecurity.AfterInvocationManager} is used to authorize the <em>result</em> of a method
  * invocation, this class cannot assist determine whether or not the <code>AfterInvocationManager</code> will enable
  * access. Instead this class aims to allow applications to determine whether or not the current principal would be
  * allowed to at least attempt to invoke the method, irrespective of the "after" invocation handling.</p>
  *
  * @author Ben Alex
  * @version $Id: MethodInvocationPrivilegeEvaluator.java 1496 2006-05-23 13:38:33Z benalex $
  */
 public class MethodInvocationPrivilegeEvaluator implements InitializingBean {
     //~ Static fields/initializers =====================================================================================
 
     protected static final Log logger = LogFactory.getLog(MethodInvocationPrivilegeEvaluator.class);
 
     //~ Instance fields ================================================================================================
 
     private AbstractSecurityInterceptor securityInterceptor;
 
     //~ Methods ========================================================================================================
 
     public void afterPropertiesSet() throws Exception {
         Assert.notNull(securityInterceptor, "SecurityInterceptor required");
     }
 
     public boolean isAllowed(MethodInvocation mi, Authentication authentication) {
         Assert.notNull(mi, "MethodInvocation required");
         Assert.notNull(mi.getMethod(), "MethodInvocation must provide a non-null getMethod()");
 
         ConfigAttributeDefinition attrs = securityInterceptor.obtainObjectDefinitionSource().getAttributes(mi);
 
         if (attrs == null) {
             if (securityInterceptor.isRejectPublicInvocations()) {
                 return false;
             }
 
             return true;
         }
 
         if ((authentication == null) || (authentication.getAuthorities() == null)
             || (authentication.getAuthorities().length == 0)) {
             return false;
         }
 
         try {
             securityInterceptor.getAccessDecisionManager().decide(authentication, mi, attrs);
         } catch (AccessDeniedException unauthorized) {
             if (logger.isDebugEnabled()) {
                 logger.debug(mi.toString() + " denied for " + authentication.toString(), unauthorized);
             }
 
             return false;
         }
 
         return true;
     }
 
     public void setSecurityInterceptor(AbstractSecurityInterceptor securityInterceptor) {
         Assert.notNull(securityInterceptor, "AbstractSecurityInterceptor cannot be null");
         Assert.isTrue(MethodInvocation.class.equals(securityInterceptor.getSecureObjectClass()),
             "AbstractSecurityInterceptor does not support MethodInvocations");
         Assert.notNull(securityInterceptor.getAccessDecisionManager(),
             "AbstractSecurityInterceptor must provide a non-null AccessDecisionManager");
         this.securityInterceptor = securityInterceptor;
     }
 }

1		/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
2		*
3		* Licensed under the Apache License, Version 2.0 (the "License");
4		* you may not use this file except in compliance with the License.
5		* You may obtain a copy of the License at
6		*
7		* http://www.apache.org/licenses/LICENSE-2.0
8		*
9		* Unless required by applicable law or agreed to in writing, software
10		* distributed under the License is distributed on an "AS IS" BASIS,
11		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12		* See the License for the specific language governing permissions and
13		* limitations under the License.
14		*/
15
16		package org.acegisecurity.intercept.method;
17
18		import org.acegisecurity.AccessDeniedException;
19		import org.acegisecurity.Authentication;
20		import org.acegisecurity.ConfigAttributeDefinition;
21
22		import org.acegisecurity.intercept.AbstractSecurityInterceptor;
23
24		import org.aopalliance.intercept.MethodInvocation;
25
26		import org.apache.commons.logging.Log;
27		import org.apache.commons.logging.LogFactory;
28
29		import org.springframework.beans.factory.InitializingBean;
30
31		import org.springframework.util.Assert;
32
33
34		/**
35		* Allows users to determine whether they have "before invocation" privileges for a given method invocation.<p>Of
36		* course, if an {@link org.acegisecurity.AfterInvocationManager} is used to authorize the <em>result</em> of a method
37		* invocation, this class cannot assist determine whether or not the <code>AfterInvocationManager</code> will enable
38		* access. Instead this class aims to allow applications to determine whether or not the current principal would be
39		* allowed to at least attempt to invoke the method, irrespective of the "after" invocation handling.</p>
40		*
41		* @author Ben Alex
42		* @version $Id: MethodInvocationPrivilegeEvaluator.java 1496 2006-05-23 13:38:33Z benalex $
43		*/
44	4	public class MethodInvocationPrivilegeEvaluator implements InitializingBean {
45		//~ Static fields/initializers =====================================================================================
46
47	3	protected static final Log logger = LogFactory.getLog(MethodInvocationPrivilegeEvaluator.class);
48
49		//~ Instance fields ================================================================================================
50
51		private AbstractSecurityInterceptor securityInterceptor;
52
53		//~ Methods ========================================================================================================
54
55		public void afterPropertiesSet() throws Exception {
56	4	Assert.notNull(securityInterceptor, "SecurityInterceptor required");
57	4	}
58
59		public boolean isAllowed(MethodInvocation mi, Authentication authentication) {
60	4	Assert.notNull(mi, "MethodInvocation required");
61	4	Assert.notNull(mi.getMethod(), "MethodInvocation must provide a non-null getMethod()");
62
63	4	ConfigAttributeDefinition attrs = securityInterceptor.obtainObjectDefinitionSource().getAttributes(mi);
64
65	4	if (attrs == null) {
66	0	if (securityInterceptor.isRejectPublicInvocations()) {
67	0	return false;
68		}
69
70	0	return true;
71		}
72
73	4	if ((authentication == null) \|\| (authentication.getAuthorities() == null)
74		\|\| (authentication.getAuthorities().length == 0)) {
75	0	return false;
76		}
77
78		try {
79	4	securityInterceptor.getAccessDecisionManager().decide(authentication, mi, attrs);
80	2	} catch (AccessDeniedException unauthorized) {
81	2	if (logger.isDebugEnabled()) {
82	0	logger.debug(mi.toString() + " denied for " + authentication.toString(), unauthorized);
83		}
84
85	2	return false;
86	2	}
87
88	2	return true;
89		}
90
91		public void setSecurityInterceptor(AbstractSecurityInterceptor securityInterceptor) {
92	4	Assert.notNull(securityInterceptor, "AbstractSecurityInterceptor cannot be null");
93	4	Assert.isTrue(MethodInvocation.class.equals(securityInterceptor.getSecureObjectClass()),
94		"AbstractSecurityInterceptor does not support MethodInvocations");
95	4	Assert.notNull(securityInterceptor.getAccessDecisionManager(),
96		"AbstractSecurityInterceptor must provide a non-null AccessDecisionManager");
97	4	this.securityInterceptor = securityInterceptor;
98	4	}
99		}