AclAuthorizationStrategyImpl xref

View Javadoc

1   /* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
2    *
3    * Licensed under the Apache License, Version 2.0 (the "License");
4    * you may not use this file except in compliance with the License.
5    * You may obtain a copy of the License at
6    *
7    *     http://www.apache.org/licenses/LICENSE-2.0
8    *
9    * Unless required by applicable law or agreed to in writing, software
10   * distributed under the License is distributed on an "AS IS" BASIS,
11   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12   * See the License for the specific language governing permissions and
13   * limitations under the License.
14   */
15  
16  package org.acegisecurity.acls.domain;
17  
18  import org.acegisecurity.AccessDeniedException;
19  import org.acegisecurity.Authentication;
20  import org.acegisecurity.GrantedAuthority;
21  
22  import org.acegisecurity.acls.Acl;
23  import org.acegisecurity.acls.Permission;
24  import org.acegisecurity.acls.sid.PrincipalSid;
25  import org.acegisecurity.acls.sid.Sid;
26  import org.acegisecurity.acls.sid.SidRetrievalStrategy;
27  import org.acegisecurity.acls.sid.SidRetrievalStrategyImpl;
28  
29  import org.acegisecurity.context.SecurityContextHolder;
30  
31  import org.springframework.util.Assert;
32  
33  
34  /**
35   * Default implementation of {@link AclAuthorizationStrategy}.<p>Permission will be granted provided the current
36   * principal is either the owner (as defined by the ACL), has {@link BasePermission#ADMINISTRATION} (as defined by the
37   * ACL and via a {@link Sid} retrieved for the current principal via {@link #sidRetrievalStrategy}), or if the current
38   * principal holds the relevant system-wide {@link GrantedAuthority} and injected into the constructor.</p>
39   *
40   * @author Ben Alex
41   * @version $Id: AclAuthorizationStrategyImpl.java 1784 2007-02-24 21:00:24Z luke_t $
42   */
43  public class AclAuthorizationStrategyImpl implements AclAuthorizationStrategy {
44      //~ Instance fields ================================================================================================
45  
46      private GrantedAuthority gaGeneralChanges;
47      private GrantedAuthority gaModifyAuditing;
48      private GrantedAuthority gaTakeOwnership;
49      private SidRetrievalStrategy sidRetrievalStrategy = new SidRetrievalStrategyImpl();
50  
51      //~ Constructors ===================================================================================================
52  
53  /**
54       * Constructor. The only mandatory parameter relates to the system-wide {@link GrantedAuthority} instances that
55       * can be held to always permit ACL changes.
56       *
57       * @param auths an array of <code>GrantedAuthority</code>s that have
58       * special permissions (index 0 is the authority needed to change
59       * ownership, index 1 is the authority needed to modify auditing details,
60       * index 2 is the authority needed to change other ACL and ACE details) (required)
61       */
62      public AclAuthorizationStrategyImpl(GrantedAuthority[] auths) {
63          Assert.notEmpty(auths, "GrantedAuthority[] with three elements required");
64          Assert.isTrue(auths.length == 3, "GrantedAuthority[] with three elements required");
65          this.gaTakeOwnership = auths[0];
66          this.gaModifyAuditing = auths[1];
67          this.gaGeneralChanges = auths[2];
68      }
69  
70      //~ Methods ========================================================================================================
71  
72      public void securityCheck(Acl acl, int changeType) {
73          if ((SecurityContextHolder.getContext() == null)
74              || (SecurityContextHolder.getContext().getAuthentication() == null)
75              || !SecurityContextHolder.getContext().getAuthentication().isAuthenticated()) {
76              throw new AccessDeniedException("Authenticated principal required to operate with ACLs");
77          }
78  
79          Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
80  
81          // Check if authorized by virtue of ACL ownership
82          Sid currentUser = new PrincipalSid(authentication);
83  
84          if (currentUser.equals(acl.getOwner())
85                  && ((changeType == CHANGE_GENERAL) || (changeType == CHANGE_OWNERSHIP))) {
86              return;
87          }
88  
89          // Not authorized by ACL ownership; try via adminstrative permissions
90          GrantedAuthority requiredAuthority = null;
91  
92          if (changeType == CHANGE_AUDITING) {
93              requiredAuthority = this.gaModifyAuditing;
94          } else if (changeType == CHANGE_GENERAL) {
95              requiredAuthority = this.gaGeneralChanges;
96          } else if (changeType == CHANGE_OWNERSHIP) {
97              requiredAuthority = this.gaTakeOwnership;
98          } else {
99              throw new IllegalArgumentException("Unknown change type");
100         }
101 
102         // Iterate this principal's authorities to determine right
103         GrantedAuthority[] auths = authentication.getAuthorities();
104 
105         for (int i = 0; i < auths.length; i++) {
106             if (requiredAuthority.equals(auths[i])) {
107                 return;
108             }
109         }
110 
111         // Try to get permission via ACEs within the ACL
112         Sid[] sids = sidRetrievalStrategy.getSids(authentication);
113 
114         if (acl.isGranted(new Permission[] {BasePermission.ADMINISTRATION}, sids, false)) {
115             return;
116         }
117 
118         throw new AccessDeniedException(
119             "Principal does not have required ACL permissions to perform requested operation");
120     }
121 
122     public void setSidRetrievalStrategy(SidRetrievalStrategy sidRetrievalStrategy) {
123         Assert.notNull(sidRetrievalStrategy, "SidRetrievalStrategy required");
124         this.sidRetrievalStrategy = sidRetrievalStrategy;
125     }
126 }