Revision e24797e9
Added by Andreas Kohlbecker over 11 years ago
cdmlib-persistence/src/main/java/eu/etaxonomy/cdm/persistence/hibernate/permission/voter/CdmPermissionVoter.java | ||
---|---|---|
9 | 9 |
*/ |
10 | 10 |
package eu.etaxonomy.cdm.persistence.hibernate.permission.voter; |
11 | 11 |
|
12 |
import java.util.Collection; |
|
13 |
|
|
14 |
import org.apache.log4j.Logger; |
|
12 | 15 |
import org.springframework.security.access.AccessDecisionVoter; |
13 | 16 |
import org.springframework.security.access.ConfigAttribute; |
17 |
import org.springframework.security.core.Authentication; |
|
18 |
import org.springframework.security.core.GrantedAuthority; |
|
14 | 19 |
|
15 | 20 |
import eu.etaxonomy.cdm.model.common.CdmBase; |
16 | 21 |
import eu.etaxonomy.cdm.persistence.hibernate.permission.AuthorityPermission; |
22 |
import eu.etaxonomy.cdm.persistence.hibernate.permission.CdmPermission; |
|
23 |
import eu.etaxonomy.cdm.persistence.hibernate.permission.CdmPermissionClass; |
|
17 | 24 |
|
18 | 25 |
/** |
19 | 26 |
* The <code>CdmPermissionVoter</code> provides access control votes for {@link CdmBase} objects. |
... | ... | |
24 | 31 |
*/ |
25 | 32 |
public abstract class CdmPermissionVoter implements AccessDecisionVoter { |
26 | 33 |
|
34 |
public static final Logger logger = Logger.getLogger(CdmPermissionVoter.class); |
|
27 | 35 |
|
28 | 36 |
/* (non-Javadoc) |
29 | 37 |
* @see org.springframework.security.access.AccessDecisionVoter#supports(org.springframework.security.access.ConfigAttribute) |
... | ... | |
39 | 47 |
*/ |
40 | 48 |
@Override |
41 | 49 |
public boolean supports(Class<?> clazz) { |
42 |
// all CdmPermissionVoters must support CdmBase.class |
|
50 |
/* NOTE!!! |
|
51 |
* Do not change this, all CdmPermissionVoters must support CdmBase.class |
|
52 |
*/ |
|
43 | 53 |
return clazz.isInstance(CdmBase.class); |
44 | 54 |
} |
45 | 55 |
|
56 |
|
|
57 |
/** |
|
58 |
* Sets the Cdm type, or super type this Voter is responsible for. |
|
59 |
*/ |
|
60 |
abstract public Class<? extends CdmBase> getResponsibilityClass(); |
|
61 |
|
|
62 |
|
|
63 |
protected boolean isResponsibleFor(Object securedObject) { |
|
64 |
return getResponsibilityClass().isAssignableFrom(securedObject.getClass()); |
|
65 |
} |
|
66 |
|
|
67 |
protected boolean isResponsibleFor(CdmPermissionClass permissionClass) { |
|
68 |
return getResponsibility().equals(permissionClass); |
|
69 |
} |
|
70 |
|
|
71 |
/** |
|
72 |
* Get the according CdmPermissionClass matching {@link #getResponsibilityClass()} the cdm class this voter is responsible for. |
|
73 |
* @return |
|
74 |
*/ |
|
75 |
protected CdmPermissionClass getResponsibility() { |
|
76 |
return CdmPermissionClass.getValueOf(getResponsibilityClass()); |
|
77 |
} |
|
78 |
|
|
79 |
/* (non-Javadoc) |
|
80 |
* @see org.springframework.security.access.AccessDecisionVoter#vote(org.springframework.security.core.Authentication, java.lang.Object, java.util.Collection) |
|
81 |
*/ |
|
82 |
@Override |
|
83 |
public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) { |
|
84 |
|
|
85 |
if(!isResponsibleFor(object)){ |
|
86 |
logger.debug("class missmatch => ACCESS_ABSTAIN"); |
|
87 |
return ACCESS_ABSTAIN; |
|
88 |
} |
|
89 |
|
|
90 |
if (logger.isDebugEnabled()){ |
|
91 |
logger.debug("authentication: " + authentication.getName() + ", object : " + object.toString() + ", attribute[0]:" + ((AuthorityPermission)attributes.iterator().next()).getAttribute()); |
|
92 |
} |
|
93 |
|
|
94 |
// loop over all attributes = permissions of which at least one must match |
|
95 |
// usually there is only one element in the collection! |
|
96 |
for(ConfigAttribute attribute : attributes){ |
|
97 |
if(!(attribute instanceof AuthorityPermission)){ |
|
98 |
throw new RuntimeException("attributes must contain only AuthorityPermission"); |
|
99 |
} |
|
100 |
AuthorityPermission evalPermission = (AuthorityPermission)attribute; |
|
101 |
|
|
102 |
for (GrantedAuthority authority: authentication.getAuthorities()){ |
|
103 |
AuthorityPermission authorityPermission= new AuthorityPermission(authority.getAuthority()); |
|
104 |
|
|
105 |
// check if the voter is responsible for the permission to be evaluated |
|
106 |
if(!evalPermission.getClassName().equals(getResponsibility())){ |
|
107 |
logger.debug("not responsible for " + evalPermission.getClassName() + " -> skipping"); |
|
108 |
continue; |
|
109 |
} |
|
110 |
|
|
111 |
// CdmPermissionVoter impliedVoter = findImpliedVoter(authorityPermission.getClassName()); |
|
112 |
// if(impliedVoter != null){ |
|
113 |
// Set<CdmBase> targetObjects = findTargetObjectsForVoter(impliedVoter, (CdmBase) object); |
|
114 |
// } |
|
115 |
ValidationResult validationResult = new ValidationResult(); |
|
116 |
|
|
117 |
boolean isALL = authorityPermission.getClassName().equals(CdmPermissionClass.ALL); |
|
118 |
validationResult.isClassMatch = isALL || authorityPermission.getClassName().equals(evalPermission.getClassName()); |
|
119 |
|
|
120 |
boolean isADMIN = authorityPermission.getPermission().equals(CdmPermission.ADMIN); |
|
121 |
validationResult.isPermissionMatch = isADMIN || authorityPermission.getPermission().equals(evalPermission.getPermission()); |
|
122 |
|
|
123 |
validationResult.hasTargetUuid = authorityPermission.getTargetUUID() != null; |
|
124 |
validationResult.isUuidMatch = validationResult.hasTargetUuid && authorityPermission.getTargetUUID().equals(((CdmBase)object).getUuid()); |
|
125 |
|
|
126 |
if ( !validationResult.hasTargetUuid && validationResult.isClassMatch && validationResult.isPermissionMatch){ |
|
127 |
logger.debug("no tragetUuid, class & permission match => ACCESS_GRANTED"); |
|
128 |
return ACCESS_GRANTED; |
|
129 |
} |
|
130 |
if ( validationResult.isUuidMatch && validationResult.isClassMatch && validationResult.isPermissionMatch){ |
|
131 |
logger.debug("permission, class and uuid are matching => ACCESS_GRANTED"); |
|
132 |
return ACCESS_GRANTED; |
|
133 |
} |
|
134 |
|
|
135 |
// ask subclasses for further voting decisions |
|
136 |
Integer furtherVotingResult = furtherVotingDescisions(authorityPermission, object, attributes, validationResult); |
|
137 |
if(furtherVotingResult != null){ |
|
138 |
return furtherVotingResult; |
|
139 |
} |
|
140 |
|
|
141 |
} // END Authorities loop |
|
142 |
} // END attributes loop |
|
143 |
|
|
144 |
logger.debug("ACCESS_DENIED"); |
|
145 |
return ACCESS_DENIED; |
|
146 |
} |
|
147 |
|
|
148 |
/** |
|
149 |
* Override this method to implement specific decisions. |
|
150 |
* |
|
151 |
* @param authorityPermission |
|
152 |
* @param object |
|
153 |
* @param attributes |
|
154 |
* @param validationResult |
|
155 |
* @return |
|
156 |
*/ |
|
157 |
protected Integer furtherVotingDescisions(AuthorityPermission authorityPermission, Object object, Collection<ConfigAttribute> attributes, |
|
158 |
ValidationResult validationResult) { |
|
159 |
return null; |
|
160 |
} |
|
161 |
|
|
162 |
protected class ValidationResult { |
|
163 |
boolean isPermissionMatch = false; |
|
164 |
boolean isUuidMatch = false; |
|
165 |
boolean isClassMatch = false; |
|
166 |
boolean hasTargetUuid = false; |
|
167 |
} |
|
168 |
|
|
169 |
/* ===================== implicitPermission a nd voters disabled ================ */ |
|
170 |
/*implicitPermission |
|
171 |
protected Set<CdmPermissionVoter> implicitPermissionClasses = new HashSet<CdmPermissionVoter>(); |
|
172 |
*/ |
|
173 |
/** |
|
174 |
* see {@link #setImplicitPermissionClasses(Set)} |
|
175 |
* |
|
176 |
* @return |
|
177 |
public Set<CdmPermissionVoter> getImplicitPermissionClasses() { |
|
178 |
return implicitPermissionClasses; |
|
179 |
} |
|
180 |
*/ |
|
181 |
|
|
182 |
/** |
|
183 |
* If the {@link GrantedAuthority} of an authentication contains {@link CdmPermission}s with |
|
184 |
* at least one of the CdmPermissionClass in {@link #implicitPermissionClasses}, this means that |
|
185 |
* this CdmPermission is treated as if it was a permission for the class this voter is responsible |
|
186 |
* for (see {@link #responsibilityClass}). |
|
187 |
* <p> |
|
188 |
* <h4>Schematic example<h4> |
|
189 |
* <ol> |
|
190 |
* <li>required CdmPermission: TAXON.UPDATE => requited CdmPermission class is TAXON</li> |
|
191 |
* <li>implicitPermissionClasses: {TAXONNODE}</li> |
|
192 |
* <li>user has CdmPermission: TAXONNODE.UPDATE</li> |
|
193 |
* <li>=> thus user also has implied permission TAXON.UPDATE</li> |
|
194 |
* </ol> |
|
195 |
* |
|
196 |
* |
|
197 |
* @param implicitPermissionClasses |
|
198 |
public void setImplicitPermissionClasses(Set<CdmPermissionVoter> implicitPermissionClasses) { |
|
199 |
this.implicitPermissionClasses = implicitPermissionClasses; |
|
200 |
} |
|
201 |
*/ |
|
202 |
|
|
203 |
/* |
|
204 |
protected CdmPermissionVoter findImpliedVoter(CdmPermissionClass assigned) { |
|
205 |
for(CdmPermissionVoter impliedVoter : implicitPermissionClasses){ |
|
206 |
if(impliedVoter.isResponsibleFor(assigned)){ |
|
207 |
if(logger.isDebugEnabled()){ |
|
208 |
logger.debug("* implicitClassMatch of " + assigned); |
|
209 |
} |
|
210 |
return impliedVoter; |
|
211 |
} |
|
212 |
} |
|
213 |
return null; |
|
214 |
} |
|
215 |
|
|
216 |
protected Set<CdmBase> findTargetObjectsForVoter(CdmPermissionVoter impliedVoter, CdmBase object){ |
|
217 |
|
|
218 |
Set<CdmBase> targetObjects = new HashSet<CdmBase>(); |
|
219 |
if(impliedVoter.isResponsibleFor(Taxon.class)){ |
|
220 |
targetObjects.addAll(Taxon.class.cast(object).getTaxonNodes()); |
|
221 |
} else { |
|
222 |
throw new RuntimeException("Not implemented for " + impliedVoter.getClass()); |
|
223 |
} |
|
224 |
return targetObjects; |
|
225 |
} |
|
226 |
*/ |
|
227 |
|
|
228 |
|
|
229 |
|
|
46 | 230 |
} |
Also available in: Unified diff
all test SUCCESSFUL - (concept of implicitPermission and voters discarded and disabled)