net.sf.acegisecurity.vote
Class BasicAclEntryVoter

java.lang.Object
  net.sf.acegisecurity.vote.BasicAclEntryVoter
- All Implemented Interfaces:
- AccessDecisionVoter, org.springframework.beans.factory.InitializingBean
- public class BasicAclEntryVoter
- extends java.lang.Object
- implements AccessDecisionVoter, org.springframework.beans.factory.InitializingBean
Given a domain object instance passed as a method argument, ensures the principal has appropriate permission as defined by the net.sf.acegisecurity.acl.AclManager.
The AclManager is used to retrieve the access control list
(ACL) permissions associated with a domain object instance for the current
Authentication object. This class is designed to process
net.sf.acegisecurity.acl.AclEntrys that are subclasses of net.sf.acegisecurity.acl.basic.AbstractBasicAclEntry only. Generally these
are obtained by using the net.sf.acegisecurity.acl.basic.BasicAclProvider.
The voter will vote if any ConfigAttribute.getAttribute() matches
the processConfigAttribute. The voter will then locate the
first method argument of type processDomainObjectClass. Assuming
that method argument is non-null, the voter will then look up the ACLs
from the AclManager and ensure the principal is permitted
(AbstractBasicAclEntry.isPermitted(int)) for at least one of the
requirePermissions.
If the method argument is null, the voter will abstain from
voting. If the method argument could not be found, a net.sf.acegisecurity.AuthorizationServiceException will be thrown.
In practical terms users will typically set up a number of
BasicAclEntryVoters. Each will have a different processDomainObjectClass, processConfigAttribute and requirePermission combination. For example, a small application might
employ the following instances of BasicAclEntryVoter:
- Process domain object class BankAccount, configuration attribute VOTE_ACL_BANK_ACCOUNT_READ, require permission SimpleAclEntry.READ
- Process domain object class BankAccount, configuration attribute VOTE_ACL_BANK_ACCOUNT_WRITE, require permission list SimpleAclEntry.WRITE and SimpleAclEntry.CREATE (allowing the principal to have either of these two permissions)
- Process domain object class Customer, configuration attribute VOTE_ACL_CUSTOMER_READ, require permission SimpleAclEntry.READ
- Process domain object class Customer, configuration attribute VOTE_ACL_CUSTOMER_WRITE, require permission list SimpleAclEntry.WRITE and SimpleAclEntry.CREATE
processDomainObjectClass if both BankAccount and
Customer had common parents.
If the principal does not have sufficient permissions, the voter will vote to deny access.
The AclManager is allowed to return any implementations of
AclEntry it wishes. However, this voter will only be able
to validate against AbstractBasicAclEntrys, and thus a vote to
deny access will be made if no AclEntry is of type
AbstractBasicAclEntry.
All comparisons and prefixes are case sensitive.
- Version:
- $Id: BasicAclEntryVoter.java,v 1.4 2005/04/15 01:21:41 luke_t Exp $
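The voting rules in the class description above, modelled as a self-contained Java program (an added example, not the Acegi Security source). Every type, the permission bit values and the vote constants are stand-ins invented for the model; it assumes attribute matching is exact equality and that the argument is located by declared parameter type, and it needs Java 16 or later for records.

```java
import java.util.List;
// Model of the voting rules described above. Every type here is a stand-in
// written for this example; none of them is an Acegi Security class.
public class AclVoteModel {
    static final int GRANTED = 1, ABSTAIN = 0, DENIED = -1;  // values chosen for this model
    static final int READ = 2, WRITE = 4, CREATE = 8;        // constructed permission bits
    interface Entry {}                                        // role of AclEntry
    record BasicEntry(int mask) implements Entry {            // role of AbstractBasicAclEntry
        boolean isPermitted(int p) { return (mask & p) == p; }
    }
    record ForeignEntry() implements Entry {}                 // an entry type the voter cannot read
    interface Acls { Entry[] lookup(Object domainObject, String principal); }
    record BankAccount(String id) {}                          // sample domain class
    record Voter(String processAttr, Class<?> processClass, int[] required, Acls acls) {
        // Assumptions: "matches" is exact equality, and the argument is located by
        // declared parameter type, so a null argument still counts as found.
        int vote(String principal, List<String> attrs, Class<?>[] paramTypes, Object[] args) {
            if (!attrs.contains(processAttr)) return ABSTAIN; // case-sensitive comparison
            int idx = -1;
            for (int i = 0; i < paramTypes.length && idx < 0; i++)
                if (processClass.isAssignableFrom(paramTypes[i])) idx = i;
            if (idx < 0)                                       // stands in for AuthorizationServiceException
                throw new IllegalStateException("no argument of type " + processClass.getName());
            if (args[idx] == null) return ABSTAIN;
            Entry[] entries = acls.lookup(args[idx], principal);
            if (entries == null) return DENIED;
            for (Entry e : entries)
                if (e instanceof BasicEntry b)
                    for (int p : required)
                        if (b.isPermitted(p)) return GRANTED;  // any one required permission is enough
            return DENIED;                                     // no match, or only unreadable entry types
        }
    }

    public static void main(String[] argv) {
        Acls acls = (obj, who) -> who.equals("alice")          // constructed ACL data
            ? new Entry[] { new BasicEntry(READ) } : new Entry[] { new ForeignEntry() };
        Voter read = new Voter("VOTE_ACL_BANK_ACCOUNT_READ", BankAccount.class, new int[] { READ }, acls);
        Voter write = new Voter("VOTE_ACL_BANK_ACCOUNT_WRITE", BankAccount.class, new int[] { WRITE, CREATE }, acls);
        Class<?>[] sig = { String.class, BankAccount.class };
        Object[] call = { "memo", new BankAccount("constructed-1") };
        List<String> r = List.of(read.processAttr()), w = List.of(write.processAttr());
        System.out.println("alice, READ attribute:   " + read.vote("alice", r, sig, call));
        System.out.println("alice, WRITE attribute:  " + write.vote("alice", w, sig, call));
        System.out.println("bob, foreign entry only: " + read.vote("bob", r, sig, call));
        System.out.println("lower-case attribute:    " + read.vote("alice", List.of("vote_acl_bank_account_read"), sig, call));
        System.out.println("null BankAccount arg:    " + read.vote("alice", r, sig, new Object[] { "memo", null }));
    }
}
```

The last two calls show why a mistyped or differently cased attribute matters: the voter abstains rather than denies, so the outcome depends entirely on the other voters and the coordinating decision manager.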
| Field Summary | |
| private net.sf.acegisecurity.acl.AclManager | aclManager |
| private java.lang.String | internalMethod |
| private static org.apache.commons.logging.Log | logger |
| private java.lang.String | processConfigAttribute |
| private java.lang.Class | processDomainObjectClass |
| private int[] | requirePermission |
| Fields inherited from interface net.sf.acegisecurity.vote.AccessDecisionVoter |
| ACCESS_ABSTAIN, ACCESS_DENIED, ACCESS_GRANTED |
| Constructor Summary | |
| BasicAclEntryVoter() |
| Method Summary | |
| void | afterPropertiesSet() - Invoked by a BeanFactory after it has set all bean properties supplied (and satisfied BeanFactoryAware and ApplicationContextAware). |
| net.sf.acegisecurity.acl.AclManager | getAclManager() |
| private java.lang.Object | getDomainObjectInstance(java.lang.Object secureObject) |
| java.lang.String | getInternalMethod() - Optionally specifies a method of the domain object that will be used to obtain a contained domain object. |
| java.lang.String | getProcessConfigAttribute() |
| java.lang.Class | getProcessDomainObjectClass() |
| int[] | getRequirePermission() |
| void | setAclManager(net.sf.acegisecurity.acl.AclManager aclManager) |
| void | setInternalMethod(java.lang.String internalMethod) |
| void | setProcessConfigAttribute(java.lang.String processConfigAttribute) |
| void | setProcessDomainObjectClass(java.lang.Class processDomainObjectClass) |
| void | setRequirePermission(int[] requirePermission) |
| boolean | supports(java.lang.Class clazz) - This implementation supports only MethodSecurityInterceptor, because it queries the presented MethodInvocation. |
| boolean | supports(net.sf.acegisecurity.ConfigAttribute attribute) - Indicates whether this AccessDecisionVoter is able to vote on the passed ConfigAttribute. |
| int | vote(net.sf.acegisecurity.Authentication authentication, java.lang.Object object, net.sf.acegisecurity.ConfigAttributeDefinition config) - Indicates whether or not access is granted. |
| Methods inherited from class java.lang.Object |
| clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
| Field Detail |
logger
private static final org.apache.commons.logging.Log logger
aclManager
private net.sf.acegisecurity.acl.AclManager aclManager
processDomainObjectClass
private java.lang.Class processDomainObjectClass
internalMethod
private java.lang.String internalMethod
processConfigAttribute
private java.lang.String processConfigAttribute
requirePermission
private int[] requirePermission
| Constructor Detail |
BasicAclEntryVoter
public BasicAclEntryVoter()
| Method Detail |
setAclManager
public void setAclManager(net.sf.acegisecurity.acl.AclManager aclManager)
getAclManager
public net.sf.acegisecurity.acl.AclManager getAclManager()
setInternalMethod
public void setInternalMethod(java.lang.String internalMethod)
getInternalMethod
public java.lang.String getInternalMethod()
- Optionally specifies a method of the domain object that will be used to
obtain a contained domain object. That contained domain object will be
used for the ACL evaluation. This is useful if a domain object contains
a parent that an ACL evaluation should be targeted for, instead of the
child domain object (which perhaps is being created and as such does
not yet have any ACL permissions).
setProcessConfigAttribute
public void setProcessConfigAttribute(java.lang.String processConfigAttribute)
getProcessConfigAttribute
public java.lang.String getProcessConfigAttribute()
setProcessDomainObjectClass
public void setProcessDomainObjectClass(java.lang.Class processDomainObjectClass)
getProcessDomainObjectClass
public java.lang.Class getProcessDomainObjectClass()
setRequirePermission
public void setRequirePermission(int[] requirePermission)
getRequirePermission
public int[] getRequirePermission()
afterPropertiesSet
public void afterPropertiesSet()
throws java.lang.Exception
- Description copied from interface: org.springframework.beans.factory.InitializingBean
- Invoked by a BeanFactory after it has set all bean properties supplied
(and satisfied BeanFactoryAware and ApplicationContextAware).
This method allows the bean instance to perform initialization only possible when all bean properties have been set and to throw an exception in the event of misconfiguration.
- Specified by:
- afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
supports
public boolean supports(net.sf.acegisecurity.ConfigAttribute attribute)
- Description copied from interface: AccessDecisionVoter
- Indicates whether this AccessDecisionVoter is able to vote on the passed ConfigAttribute.
This allows the AbstractSecurityInterceptor to check every configuration attribute can be consumed by the configured AccessDecisionManager and/or RunAsManager and/or AccessDecisionManager.
- Specified by:
- supports in interface AccessDecisionVoter
supports
public boolean supports(java.lang.Class clazz)
- This implementation supports only MethodSecurityInterceptor, because it queries the presented MethodInvocation.
- Specified by:
- supports in interface AccessDecisionVoter
vote
public int vote(net.sf.acegisecurity.Authentication authentication, java.lang.Object object, net.sf.acegisecurity.ConfigAttributeDefinition config)
- Description copied from interface: AccessDecisionVoter
- Indicates whether or not access is granted.
The decision must be affirmative (ACCESS_GRANTED), negative (ACCESS_DENIED) or the AccessDecisionVoter can abstain (ACCESS_ABSTAIN) from voting. Under no circumstances should implementing classes return any other value. If a weighting of results is desired, this should be handled in a custom net.sf.acegisecurity.AccessDecisionManager instead.
Unless an AccessDecisionVoter is specifically intended to vote on an access control decision due to a passed method invocation or configuration attribute parameter, it must return ACCESS_ABSTAIN. This prevents the coordinating AccessDecisionManager from counting votes from those AccessDecisionVoters without a legitimate interest in the access control decision.
Whilst the method invocation is passed as a parameter to maximise flexibility in making access control decisions, implementing classes must never modify the behaviour of the method invocation (such as calling MethodInvocation.proceed()).
- Specified by:
- vote in interface AccessDecisionVoter
getDomainObjectInstance
private java.lang.Object getDomainObjectInstance(java.lang.Object secureObject)