|
1
|
/**
|
|
2
|
* Copyright (C) 2013 EDIT
|
|
3
|
* European Distributed Institute of Taxonomy
|
|
4
|
* http://www.e-taxonomy.eu
|
|
5
|
*
|
|
6
|
* The contents of this file are subject to the Mozilla Public License Version 1.1
|
|
7
|
* See LICENSE.TXT at the top of this package for the full license terms.
|
|
8
|
*/
|
|
9
|
package eu.etaxonomy.cdm.persistence.hibernate.permission;
|
|
10
|
|
|
11
|
import java.util.ArrayList;
|
|
12
|
import java.util.Collection;
|
|
13
|
import java.util.HashMap;
|
|
14
|
import java.util.List;
|
|
15
|
import java.util.Map;
|
|
16
|
|
|
17
|
import org.springframework.security.access.AccessDecisionVoter;
|
|
18
|
import org.springframework.security.access.AccessDeniedException;
|
|
19
|
import org.springframework.security.access.ConfigAttribute;
|
|
20
|
import org.springframework.security.access.vote.AbstractAccessDecisionManager;
|
|
21
|
import org.springframework.security.access.vote.UnanimousBased;
|
|
22
|
import org.springframework.security.core.Authentication;
|
|
23
|
|
|
24
|
import eu.etaxonomy.cdm.model.common.CdmBase;
|
|
25
|
|
|
26
|
/**
|
|
27
|
* Based on the {@link UnanimousBased} AccessDecisionManager.
|
|
28
|
*
|
|
29
|
* In contrast to the UnanimousBased a voter which voted once with
|
|
30
|
* <code>ACCESS_GRANTED</code> can not revoke this decision again.
|
|
31
|
*
|
|
32
|
* @author a.kohlbecker
|
|
33
|
\* @since Oct 11, 2013
|
|
34
|
*
|
|
35
|
*/
|
|
36
|
public class UnanimousBasedUnrevokable extends AbstractAccessDecisionManager {
|
|
37
|
|
|
38
|
// /**
|
|
39
|
// *
|
|
40
|
// * @deprecated Use constructor which takes voter list
|
|
41
|
// * This one is for String internal use only
|
|
42
|
// */
|
|
43
|
// @Deprecated
|
|
44
|
// public UnanimousBasedUnrevokable(){
|
|
45
|
//
|
|
46
|
// }
|
|
47
|
|
|
48
|
public UnanimousBasedUnrevokable(List<AccessDecisionVoter<? extends Object>> decisionVoters) {
|
|
49
|
super(decisionVoters);
|
|
50
|
}
|
|
51
|
|
|
52
|
|
|
53
|
@Override
|
|
54
|
public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> attributes)
|
|
55
|
throws AccessDeniedException {
|
|
56
|
|
|
57
|
int grant = 0;
|
|
58
|
int abstain = 0;
|
|
59
|
List<ConfigAttribute> singleAttributeList = new ArrayList<>(1);
|
|
60
|
singleAttributeList.add(null);
|
|
61
|
|
|
62
|
Map<AccessDecisionVoter<CdmBase>, Integer> voteMap = new HashMap<>();
|
|
63
|
|
|
64
|
for (ConfigAttribute attribute : attributes) {
|
|
65
|
singleAttributeList.set(0, attribute);
|
|
66
|
|
|
67
|
for(AccessDecisionVoter voter : getDecisionVoters()) {
|
|
68
|
|
|
69
|
Integer lastResult = voteMap.get(voter);
|
|
70
|
if(lastResult != null && lastResult == AccessDecisionVoter.ACCESS_GRANTED){
|
|
71
|
continue;
|
|
72
|
}
|
|
73
|
|
|
74
|
int result = voter.vote(authentication, object, singleAttributeList);
|
|
75
|
|
|
76
|
voteMap.put(voter, result);
|
|
77
|
|
|
78
|
if (logger.isDebugEnabled()) {
|
|
79
|
logger.debug("Voter: " + voter + ", returned: " + result);
|
|
80
|
}
|
|
81
|
|
|
82
|
}
|
|
83
|
}
|
|
84
|
|
|
85
|
for(Integer result : voteMap.values()) {
|
|
86
|
switch (result) {
|
|
87
|
case AccessDecisionVoter.ACCESS_GRANTED:
|
|
88
|
grant++;
|
|
89
|
|
|
90
|
break;
|
|
91
|
|
|
92
|
case AccessDecisionVoter.ACCESS_DENIED:
|
|
93
|
throw new AccessDeniedException(messages.getMessage("AbstractAccessDecisionManager.accessDenied",
|
|
94
|
"Access is denied"));
|
|
95
|
|
|
96
|
default:
|
|
97
|
abstain++;
|
|
98
|
|
|
99
|
break;
|
|
100
|
}
|
|
101
|
}
|
|
102
|
|
|
103
|
// To get this far, there were no deny votes
|
|
104
|
if (grant > 0) {
|
|
105
|
return;
|
|
106
|
}
|
|
107
|
|
|
108
|
// To get this far, every AccessDecisionVoter abstained
|
|
109
|
checkAllowIfAllAbstainDecisions();
|
|
110
|
}
|
|
111
|
|
|
112
|
}
|