Revision 8e12467b
Added by Andreas Kohlbecker about 6 years ago
| cdmlib-persistence/src/main/java/eu/etaxonomy/cdm/persistence/hibernate/permission/voter/CdmPermissionVoter.java | ||
|---|---|---|
| 78 | 78 |
public int vote(Authentication authentication, CdmBase cdmBase, Collection<ConfigAttribute> attributes) {
|
| 79 | 79 |
|
| 80 | 80 |
if(!isResponsibleFor(cdmBase)){
|
| 81 |
logger.debug("class missmatch => ACCESS_ABSTAIN");
|
|
| 81 |
logger.debug(voterLoggingLabel() + " class missmatch => ACCESS_ABSTAIN");
|
|
| 82 | 82 |
return ACCESS_ABSTAIN; |
| 83 | 83 |
} |
| 84 | 84 |
|
| 85 | 85 |
if (logger.isDebugEnabled()){
|
| 86 |
logger.debug("authentication: " + authentication.getName() + ", object : " + cdmBase.toString() + ", attribute[0]:" + ((CdmAuthority)attributes.iterator().next()).getAttribute());
|
|
| 86 |
logger.debug(voterLoggingLabel() + " voting for authentication: " + authentication.getName() + ", object : " + cdmBase.toString() + ", attribute[0]:" + ((CdmAuthority)attributes.iterator().next()).getAttribute());
|
|
| 87 | 87 |
} |
| 88 | 88 |
|
| 89 | 89 |
int fallThroughVote = ACCESS_DENIED; |
| ... | ... | |
| 103 | 103 |
try {
|
| 104 | 104 |
auth = CdmAuthority.fromGrantedAuthority(authority); |
| 105 | 105 |
} catch (CdmAuthorityParsingException e) {
|
| 106 |
logger.debug("skipping " + authority.getAuthority() + " due to CdmAuthorityParsingException");
|
|
| 106 |
logger.debug(voterLoggingLabel() + " skipping " + authority.getAuthority() + " due to CdmAuthorityParsingException");
|
|
| 107 | 107 |
continue; |
| 108 | 108 |
} |
| 109 | 109 |
|
| 110 | 110 |
// check if the voter is responsible for the permission to be evaluated |
| 111 | 111 |
if( ! isResponsibleFor(evalPermission.getPermissionClass())){
|
| 112 |
logger.debug(getResponsibility() + " not responsible for " + evalPermission.getPermissionClass() + " -> skipping");
|
|
| 112 |
logger.debug(voterLoggingLabel() + " not responsible for " + evalPermission.getPermissionClass() + " -> skipping");
|
|
| 113 | 113 |
continue; |
| 114 | 114 |
} |
| 115 | 115 |
|
| ... | ... | |
| 122 | 122 |
vr.isUuidMatch = auth.hasTargetUuid() && auth.getTargetUUID().equals(cdmBase.getUuid()); |
| 123 | 123 |
vr.isIgnoreUuidMatch = !auth.hasTargetUuid(); |
| 124 | 124 |
|
| 125 |
if(logger.isDebugEnabled()){
|
|
| 126 |
logger.debug(voterLoggingLabel() + " " + vr); |
|
| 127 |
} |
|
| 128 |
|
|
| 125 | 129 |
// first of all, always allow deleting orphan entities |
| 126 | 130 |
if(vr.isClassMatch && evalPermission.getOperation().equals(DELETE) && isOrpahn(cdmBase)) {
|
| 131 |
if(logger.isDebugEnabled()){
|
|
| 132 |
logger.debug(voterLoggingLabel() +" entity is considered orphan => ACCESS_GRANTED"); |
|
| 133 |
} |
|
| 127 | 134 |
return ACCESS_GRANTED; |
| 128 | 135 |
} |
| 129 | 136 |
|
| 130 | 137 |
if(!auth.hasProperty()){
|
| 131 | 138 |
if ( vr.isIgnoreUuidMatch && vr.isClassMatch && vr.isPermissionMatch){
|
| 132 |
logger.debug("no targetUuid, class & permission match => ACCESS_GRANTED");
|
|
| 139 |
if(logger.isDebugEnabled()){
|
|
| 140 |
logger.debug(voterLoggingLabel() +" no targetUuid, class & permission match => ACCESS_GRANTED"); |
|
| 141 |
} |
|
| 133 | 142 |
return ACCESS_GRANTED; |
| 134 | 143 |
} |
| 135 | 144 |
if ( vr.isUuidMatch && vr.isClassMatch && vr.isPermissionMatch ){
|
| 136 |
logger.debug("permission, class and uuid are matching => ACCESS_GRANTED");
|
|
| 145 |
if(logger.isDebugEnabled()){
|
|
| 146 |
logger.debug(voterLoggingLabel() +" permission, class and uuid are matching => ACCESS_GRANTED"); |
|
| 147 |
} |
|
| 137 | 148 |
return ACCESS_GRANTED; |
| 138 | 149 |
} |
| 139 | 150 |
} else {
|
| ... | ... | |
| 154 | 165 |
// |
| 155 | 166 |
Integer furtherVotingResult = furtherVotingDescisions(auth, cdmBase, attributes, vr); |
| 156 | 167 |
if(furtherVotingResult != null){
|
| 157 |
logger.debug("furtherVotingResult => " + furtherVotingResult);
|
|
| 168 |
if(logger.isDebugEnabled()){
|
|
| 169 |
logger.debug(voterLoggingLabel() + " furtherVotingResult => " + voteToString(furtherVotingResult)); |
|
| 170 |
} |
|
| 158 | 171 |
switch(furtherVotingResult){
|
| 159 | 172 |
case ACCESS_GRANTED: |
| 160 | 173 |
// no further check needed |
| ... | ... | |
| 173 | 186 |
} // END Authorities loop |
| 174 | 187 |
} // END attributes loop |
| 175 | 188 |
|
| 189 |
int votingResult = deniedByPreviousFurtherVoting ? ACCESS_DENIED : fallThroughVote; |
|
| 176 | 190 |
// the value of fallThroughVote depends on whether the authority had an property or not, see above |
| 177 |
logger.debug("fallThroughVote => " + fallThroughVote);
|
|
| 178 |
return deniedByPreviousFurtherVoting ? ACCESS_DENIED : fallThroughVote; |
|
| 191 |
if(logger.isDebugEnabled()){
|
|
| 192 |
logger.debug(voterLoggingLabel() + " fallThroughVote => " + voteToString(fallThroughVote)); |
|
| 193 |
logger.debug(voterLoggingLabel() + " ##votingResult## => " + voteToString(votingResult)); |
|
| 194 |
} |
|
| 195 |
return votingResult; |
|
| 179 | 196 |
} |
| 180 | 197 |
|
| 181 | 198 |
/** |
| ... | ... | |
| 209 | 226 |
return null; |
| 210 | 227 |
} |
| 211 | 228 |
|
| 229 |
/** |
|
| 230 |
* returns a label for the logging output |
|
| 231 |
* @return |
|
| 232 |
*/ |
|
| 233 |
protected String voterLoggingLabel(){
|
|
| 234 |
return "(" + getResponsibilityClass().getSimpleName() + "-Voter)";
|
|
| 235 |
} |
|
| 236 |
|
|
| 237 |
/** |
|
| 238 |
* |
|
| 239 |
* @param vote |
|
| 240 |
* @return string representations for the votes defined in {@link AccessDecisionVoter}
|
|
| 241 |
*/ |
|
| 242 |
protected String voteToString(int vote) {
|
|
| 243 |
switch (vote){
|
|
| 244 |
case 1: return "ACCESS_GRANTED"; |
|
| 245 |
case 0: return "ACCESS_ABSTAIN"; |
|
| 246 |
case -1: return "ACCESS_DENIED"; |
|
| 247 |
default: return Integer.toString(vote); |
|
| 248 |
} |
|
| 249 |
} |
|
| 250 |
|
|
| 251 |
|
|
| 212 | 252 |
/** |
| 213 | 253 |
* Holds various flags with validation results. |
| 214 | 254 |
* Is used to pass this information from |
| ... | ... | |
| 231 | 271 |
boolean isPropertyMatch = false; |
| 232 | 272 |
boolean isUuidMatch = false; |
| 233 | 273 |
boolean isClassMatch = false; |
| 274 |
|
|
| 275 |
@Override |
|
| 276 |
public String toString(){
|
|
| 277 |
return "isClassMatch: " + Boolean.toString(isClassMatch) + ", " |
|
| 278 |
+ "isUuidMatch: " + Boolean.toString(isUuidMatch) + ", " |
|
| 279 |
+ "isPermissionMatch: " + Boolean.toString(isPermissionMatch) + ", " |
|
| 280 |
+ "isPropertyMatch: " + Boolean.toString(isPropertyMatch); |
|
| 281 |
|
|
| 282 |
} |
|
| 234 | 283 |
} |
| 235 | 284 |
|
| 236 | 285 |
} |
Also available in: Unified diff
better logging of voting in CdmPermissionVoter