/cdmlib-persistence/src/main/java/eu/etaxonomy/cdm/persistence/hibernate/permission/CdmPermissionEvaluator.java - Annotate - EDIT - EDIT Project Management

| Branch: | Tag: | Revision:

cdmlib/cdmlib-persistence/src/main/java/eu/etaxonomy/cdm/persistence/hibernate/permission/CdmPermissionEvaluator.java @ fa4763c1

1	7678ce2a	Andreas Müller	/**
2			* Copyright (C) 2009 EDIT
3			* European Distributed Institute of Taxonomy
4			* http://www.e-taxonomy.eu
5			*
6			* The contents of this file are subject to the Mozilla Public License Version 1.1
7			* See LICENSE.TXT at the top of this package for the full license terms.
8	4ed38662	Andreas Kohlbecker	*/
9	bce1dda8	Katja Luther	package eu.etaxonomy.cdm.persistence.hibernate.permission;
10	dd65a7ea	Katja Luther
11			import java.io.Serializable;
12	af113c74	Andreas Kohlbecker	import java.lang.reflect.Constructor;
13			import java.lang.reflect.InvocationTargetException;
14	dd65a7ea	Katja Luther	import java.util.Collection;
15	079268db	Andreas Kohlbecker	import java.util.EnumSet;
16	8e3d605b	Andreas Kohlbecker	import java.util.HashSet;
17	dd65a7ea	Katja Luther
18	a2239a81	Andreas Kohlbecker	import org.apache.log4j.Logger;
19	75d0aefd	Andreas Kohlbecker	import org.springframework.security.access.AccessDecisionManager;
20	5fb7d2db	Andreas Kohlbecker	import org.springframework.security.access.AccessDeniedException;
21	8e3d605b	Andreas Kohlbecker	import org.springframework.security.access.ConfigAttribute;
22	5fb7d2db	Andreas Kohlbecker	import org.springframework.security.authentication.InsufficientAuthenticationException;
23	dd65a7ea	Katja Luther	import org.springframework.security.core.Authentication;
24			import org.springframework.security.core.GrantedAuthority;
25	7b59c088	Andreas Kohlbecker	import org.springframework.stereotype.Component;
26	dd65a7ea	Katja Luther
27			import eu.etaxonomy.cdm.model.common.CdmBase;
28	7678ce2a	Andreas Müller
29			/**
30			* @author k.luther
31	5a845253	Andreas Kohlbecker	* @author a.kohlbecker
32	53db84af	Andreas Müller	* @since 06.07.2011
33	7678ce2a	Andreas Müller	*/
34	7b59c088	Andreas Kohlbecker	@Component
35	48ccf94a	Andreas Kohlbecker	public class CdmPermissionEvaluator implements ICdmPermissionEvaluator {
36	4ed38662	Andreas Kohlbecker
37	d5fe74be	Andreas Kohlbecker	protected static final Logger logger = Logger.getLogger(CdmPermissionEvaluator.class);
38	4ed38662	Andreas Kohlbecker
39	75d0aefd	Andreas Kohlbecker	private AccessDecisionManager accessDecisionManager;
40
41			public AccessDecisionManager getAccessDecisionManager() {
42			return accessDecisionManager;
43			}
44
45	12f13ee5	Cherian Mathew	public CdmPermissionEvaluator() {
46	ca5fe165	Andreas Kohlbecker
47			}
48
49	75d0aefd	Andreas Kohlbecker	public void setAccessDecisionManager(AccessDecisionManager accessDecisionManager) {
50			this.accessDecisionManager = accessDecisionManager;
51			}
52
53	5a845253	Andreas Kohlbecker	@Override
54	4ed38662	Andreas Kohlbecker	public boolean hasPermission(Authentication authentication,
55			Serializable targetId, String targetType, Object permission) {
56	e68c438e	Andreas Kohlbecker	logger.warn("UNINMPLEMENTED: hasPermission always returns false");
57	4ed38662	Andreas Kohlbecker	// TODO Auto-generated method stub
58			return false;
59			}
60	a2239a81	Andreas Kohlbecker
61	5a845253	Andreas Kohlbecker	@Override
62	7b59c088	Andreas Kohlbecker	public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
63	4ed38662	Andreas Kohlbecker
64	08582061	Andreas Kohlbecker
65	af113c74	Andreas Kohlbecker	EnumSet<CRUD> requiredOperation = null;
66	7b59c088	Andreas Kohlbecker
67	8f51ee96	Andreas Kohlbecker	TargetEntityStates cdmEntitiyStates;
68			if(targetDomainObject instanceof CdmBase){
69			cdmEntitiyStates = new TargetEntityStates((CdmBase)targetDomainObject);
70			} else {
71			cdmEntitiyStates = (TargetEntityStates)targetDomainObject;
72			}
73	8f2ded7b	Andreas Kohlbecker
74	d5fe74be	Andreas Kohlbecker	if(logger.isDebugEnabled()){
75	72ce5ca1	Andreas Kohlbecker	String targteDomainObjText = " Object: " + (targetDomainObject == null? "null":cdmEntitiyStates.getEntity().instanceToString());
76	af113c74	Andreas Kohlbecker	logUserAndRequirement(authentication, permission.toString(), targteDomainObjText);
77	4ed38662	Andreas Kohlbecker	}
78	079268db	Andreas Kohlbecker	try {
79	af113c74	Andreas Kohlbecker	requiredOperation = operationFrom(permission);
80	079268db	Andreas Kohlbecker
81			} catch (IllegalArgumentException e) {
82			logger.debug("permission string '"+ permission.toString() + "' not parsable => true");
83	f0aad502	Andreas Kohlbecker	return false;
84	08582061	Andreas Kohlbecker	}
85	4ed38662	Andreas Kohlbecker
86	72ce5ca1	Andreas Kohlbecker	return hasPermission(authentication, cdmEntitiyStates, requiredOperation);
87	f0aad502	Andreas Kohlbecker
88			}
89
90			/**
91			* @param authentication
92			* @param targetDomainObject
93			* @param requiredOperation
94			* @return
95			*/
96			@Override
97	72ce5ca1	Andreas Kohlbecker	public boolean hasPermission(Authentication authentication, CdmBase targetEntity, EnumSet<CRUD> requiredOperation) {
98			return hasPermission(authentication, new TargetEntityStates(targetEntity), requiredOperation);
99			}
100
101			/**
102			* @param authentication
103			* @param targetDomainObject
104			* @param requiredOperation
105			* @return
106			*/
107			@Override
108			public boolean hasPermission(Authentication authentication, TargetEntityStates targetEntityStates, EnumSet<CRUD> requiredOperation) {
109	f0aad502	Andreas Kohlbecker
110			if(authentication == null) {
111			return false;
112			}
113
114	72ce5ca1	Andreas Kohlbecker	CdmAuthority evalPermission = authorityRequiredFor(targetEntityStates.getEntity(), requiredOperation);
115	4ed38662	Andreas Kohlbecker
116	3e53ce69	Andreas Müller	if (evalPermission.getPermissionClass() != null) {
117	8e3d605b	Andreas Kohlbecker	logger.debug("starting evaluation => ...");
118	72ce5ca1	Andreas Kohlbecker	return evalPermission(authentication, evalPermission, targetEntityStates);
119	4ed38662	Andreas Kohlbecker	}else{
120	8e3d605b	Andreas Kohlbecker	logger.debug("skipping evaluation => true");
121	4ed38662	Andreas Kohlbecker	return true;
122	f8271faa	Katja Luther	}
123	a2239a81	Andreas Kohlbecker	}
124
125	af113c74	Andreas Kohlbecker
126			@Override
127			public <T extends CdmBase> boolean hasPermission(Authentication authentication, Class<T> targetDomainObjectClass,
128			EnumSet<CRUD> requiredOperations) {
129
130			if(authentication == null) {
131			return false;
132			}
133
134			if(logger.isDebugEnabled()){
135			String targteDomainObjClassText = " Cdm-Type: " + targetDomainObjectClass.getSimpleName();
136			logUserAndRequirement(authentication, requiredOperations.toString(), targteDomainObjClassText);
137			}
138
139			CdmAuthority evalPermission = new CdmAuthority(CdmPermissionClass.getValueOf(targetDomainObjectClass), null, requiredOperations, null);
140
141			T instance;
142			try {
143			Constructor<T> c = targetDomainObjectClass.getDeclaredConstructor();
144			c.setAccessible(true);
145			instance = c.newInstance();
146			} catch (InstantiationException \| IllegalAccessException \| NoSuchMethodException \| SecurityException \| IllegalArgumentException \| InvocationTargetException e) {
147			logger.error("Error while creating permission test instance ==> will deny", e);
148			return false;
149			}
150
151	72ce5ca1	Andreas Kohlbecker	return evalPermission(authentication, evalPermission, new TargetEntityStates(instance));
152	af113c74	Andreas Kohlbecker	}
153
154			/**
155			* @param authentication
156			* @param permission
157			* @param targteDomainObjText
158			*/
159			protected void logUserAndRequirement(Authentication authentication, String permissions, String targteDomainObjText) {
160			StringBuilder grantedAuthoritiesTxt = new StringBuilder();
161			for(GrantedAuthority ga : authentication.getAuthorities()){
162			grantedAuthoritiesTxt.append(" - ").append(ga.getAuthority()).append("\n");
163			}
164			if(grantedAuthoritiesTxt.length() == 0){
165			grantedAuthoritiesTxt.append(" - ").append("<No GrantedAuthority given>").append("\n");
166			}
167			logger.debug("hasPermission()\n"
168			+ " User '" + authentication.getName() + "':\n"
169			+ grantedAuthoritiesTxt
170			+ targteDomainObjText + "\n"
171			+ " Permission: " + permissions);
172			}
173
174			/**
175			* @param permission
176			* @return
177			*/
178			protected EnumSet<CRUD> operationFrom(Object permission) {
179			EnumSet<CRUD> requiredOperation;
180			// FIXME refactor into Operation ======
181			if (Operation.isOperation(permission)){
182			requiredOperation = (EnumSet<CRUD>)permission;
183			} else {
184			// try to treat as string
185			requiredOperation = Operation.fromString(permission.toString());
186			}
187			// =======================================
188			return requiredOperation;
189			}
190
191	dbf39472	Andreas Kohlbecker	/**
192			* @param targetEntity
193			* @param requiredOperation
194			* @return
195			*/
196			private CdmAuthority authorityRequiredFor(CdmBase targetEntity, EnumSet<CRUD> requiredOperation) {
197	f0aad502	Andreas Kohlbecker	CdmAuthority evalPermission = new CdmAuthority(targetEntity, requiredOperation);
198	dbf39472	Andreas Kohlbecker	return evalPermission;
199			}
200
201	a2239a81	Andreas Kohlbecker
202	75d0aefd	Andreas Kohlbecker	/**
203			* @param authorities
204			* @param evalPermission
205			* @param targetDomainObject
206			* @return
207			*/
208	72ce5ca1	Andreas Kohlbecker	private boolean evalPermission(Authentication authentication, CdmAuthority evalPermission, TargetEntityStates targetEntityStates){
209	a2239a81	Andreas Kohlbecker
210	4ed38662	Andreas Kohlbecker	//if user has administrator rights return true;
211	5a845253	Andreas Kohlbecker	if( hasOneOfRoles(authentication, Role.ROLE_ADMIN)){
212			return true;
213			}
214	4ed38662	Andreas Kohlbecker
215	8e3d605b	Andreas Kohlbecker	// === run voters
216			Collection<ConfigAttribute> attributes = new HashSet<ConfigAttribute>();
217			attributes.add(evalPermission);
218	adfc2cab	Andreas Kohlbecker
219	8e3d605b	Andreas Kohlbecker	logger.debug("AccessDecisionManager will decide ...");
220	5fb7d2db	Andreas Kohlbecker	try {
221	72ce5ca1	Andreas Kohlbecker	accessDecisionManager.decide(authentication, targetEntityStates, attributes);
222	5fb7d2db	Andreas Kohlbecker	} catch (InsufficientAuthenticationException e) {
223			logger.debug("AccessDecisionManager denied by " + e, e);
224			return false;
225			} catch (AccessDeniedException e) {
226			logger.debug("AccessDecisionManager denied by " + e, e);
227			return false;
228			}
229	adfc2cab	Andreas Kohlbecker
230	8e3d605b	Andreas Kohlbecker	return true;
231	a2239a81	Andreas Kohlbecker	}
232	dd65a7ea	Katja Luther
233	5a845253	Andreas Kohlbecker	/**
234			* @param authentication
235			*/
236	48ccf94a	Andreas Kohlbecker	@Override
237	5a845253	Andreas Kohlbecker	public boolean hasOneOfRoles(Authentication authentication, Role ... roles) {
238			for (GrantedAuthority authority: authentication.getAuthorities()){
239			for(Role role : roles){
240	6c86c7c2	Andreas Kohlbecker	if (role != null && authority.getAuthority().equals(role.getAuthority())){
241	5a845253	Andreas Kohlbecker	if(logger.isDebugEnabled()){
242			logger.debug(role.getAuthority() + " found => true");
243			}
244			return true;
245			}
246			}
247			}
248			return false;
249			}
250
251	dd65a7ea	Katja Luther	}

Project

General

Profile

EDIT