org.acegisecurity.vote
Class BasicAclEntryVoter

java.lang.Object
  extended by org.acegisecurity.vote.AbstractAclVoter
      extended by org.acegisecurity.vote.BasicAclEntryVoter
All Implemented Interfaces:
AccessDecisionVoter, org.springframework.beans.factory.InitializingBean

public class BasicAclEntryVoter
extends AbstractAclVoter
implements org.springframework.beans.factory.InitializingBean

Given a domain object instance passed as a method argument, ensures the principal has appropriate permission as defined by the org.acegisecurity.acl.AclManager.

The AclManager is used to retrieve the access control list (ACL) permissions associated with a domain object instance for the current Authentication object. This class is designed to process org.acegisecurity.acl.AclEntrys that are subclasses of org.acegisecurity.acl.basic.BasicAclEntry only. Generally these are obtained by using the org.acegisecurity.acl.basic.BasicAclProvider.

The voter will vote if any ConfigAttribute#getAttribute() matches the processConfigAttribute. The provider will then locate the first method argument of type AbstractAclVoter.processDomainObjectClass. Assuming that method argument is non-null, the provider will then look up the ACLs from the AclManager and ensure the principal is BasicAclEntry.isPermitted(int) for at least one of the requirePermissions.

If the method argument is null, the voter will abstain from voting. If the method argument could not be found, an org.acegisecurity.AuthorizationServiceException will be thrown.

In practical terms users will typically set up a number of BasicAclEntryVoters. Each will have a different AbstractAclVoter.processDomainObjectClass, processConfigAttribute and requirePermission combination. For example, a small application might employ the following instances of BasicAclEntryVoter:

Alternatively, you could have used a common superclass or interface for the AbstractAclVoter.processDomainObjectClass if both BankAccount and Customer had common parents.

If the principal does not have sufficient permissions, the voter will vote to deny access.

The AclManager is allowed to return any implementations of AclEntry it wishes. However, this provider will only be able to validate against AbstractBasicAclEntrys, and thus a vote to deny access will be made if no AclEntry is of type AbstractBasicAclEntry.

All comparisons and prefixes are case sensitive.
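
The decision flow described above, as a dependency-free model added here; it is not Acegi's source code. The class, record, permission bits and attribute names are constructed, "matches" is modelled as exact case-sensitive equality, and isPermitted is assumed to be a bitmask test.

```java
import java.util.List;

public class BasicAclVoteModel {
    // Same values as the AccessDecisionVoter constants.
    static final int ACCESS_GRANTED = 1, ACCESS_ABSTAIN = 0, ACCESS_DENIED = -1;
    static final int READ = 2, WRITE = 4; // constructed permission bits

    /** Stand-in ACL entry; basic=false models an AclEntry of some other type. */
    record Entry(boolean basic, int mask) {
        // Assumption: a permission is held when all of its bits are set in the mask.
        boolean isPermitted(int permission) { return (mask & permission) == permission; }
    }
    static class BankAccount {} // stand-in domain class

    static int vote(List<String> attrs, String processConfigAttribute, Class<?> domainClass,
                    Class<?>[] paramTypes, Object[] args, List<Entry> acls, int[] requirePermission) {
        // 1. No matching attribute: abstain. Assumption: "matches" is modelled
        //    as case-sensitive equality.
        if (!attrs.contains(processConfigAttribute)) return ACCESS_ABSTAIN;
        // 2. Locate the first parameter of the configured domain type.
        int idx = -1;
        for (int i = 0; i < paramTypes.length && idx < 0; i++)
            if (domainClass.isAssignableFrom(paramTypes[i])) idx = i;
        // The page says AuthorizationServiceException is thrown here; this model
        // uses a JDK exception to stay dependency-free.
        if (idx < 0) throw new IllegalStateException("no " + domainClass.getSimpleName() + " argument");
        // 3. Null domain object: abstain.
        if (args[idx] == null) return ACCESS_ABSTAIN;
        // 4. Grant if any basic entry permits any one of the required permissions.
        for (Entry e : acls) {
            if (!e.basic()) continue; // entries of other types cannot be validated
            for (int p : requirePermission) if (e.isPermitted(p)) return ACCESS_GRANTED;
        }
        // 5. Insufficient permission, or no entry of the basic type: deny.
        return ACCESS_DENIED;
    }

    public static void main(String[] unused) {
        Class<?>[] types = { String.class, BankAccount.class };
        Object[] present = { "memo", new BankAccount() }, absent = { "memo", null };
        List<String> attrs = List.of("ROLE_TELLER", "ACL_ACCOUNT_READ"); // constructed names
        List<Entry> rw = List.of(new Entry(true, READ | WRITE)), other = List.of(new Entry(false, READ));
        int[] read = { READ };
        System.out.println("entry permits READ:   " + vote(attrs, "ACL_ACCOUNT_READ", BankAccount.class, types, present, rw, read));
        System.out.println("non-basic entry only: " + vote(attrs, "ACL_ACCOUNT_READ", BankAccount.class, types, present, other, read));
        System.out.println("null domain object:   " + vote(attrs, "ACL_ACCOUNT_READ", BankAccount.class, types, absent, rw, read));
        System.out.println("case mismatch:        " + vote(attrs, "acl_account_read", BankAccount.class, types, present, rw, read));
    }
}
```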

Version:
$Id: BasicAclEntryVoter.java,v 1.8 2005/11/17 00:55:47 benalex Exp $

Field Summary
private  org.acegisecurity.acl.AclManager aclManager
           
private  java.lang.String internalMethod
           
private static org.apache.commons.logging.Log logger
           
private  java.lang.String processConfigAttribute
           
private  int[] requirePermission
           
 
Fields inherited from class org.acegisecurity.vote.AbstractAclVoter
 
Fields inherited from interface org.acegisecurity.vote.AccessDecisionVoter
ACCESS_ABSTAIN, ACCESS_DENIED, ACCESS_GRANTED
 
Constructor Summary
BasicAclEntryVoter()
           
 
Method Summary
 void afterPropertiesSet()
          Invoked by a BeanFactory after it has set all bean properties supplied (and satisfied BeanFactoryAware and ApplicationContextAware).
 org.acegisecurity.acl.AclManager getAclManager()
           
 java.lang.String getInternalMethod()
          Optionally specifies a method of the domain object that will be used to obtain a contained domain object.
 java.lang.String getProcessConfigAttribute()
           
 int[] getRequirePermission()
           
 void setAclManager(org.acegisecurity.acl.AclManager aclManager)
           
 void setInternalMethod(java.lang.String internalMethod)
           
 void setProcessConfigAttribute(java.lang.String processConfigAttribute)
           
 void setRequirePermission(int[] requirePermission)
           
 boolean supports(ConfigAttribute attribute)
          Indicates whether this AccessDecisionVoter is able to vote on the passed ConfigAttribute.
 int vote(org.acegisecurity.Authentication authentication, java.lang.Object object, ConfigAttributeDefinition config)
          Indicates whether or not access is granted.
 
Methods inherited from class org.acegisecurity.vote.AbstractAclVoter
getDomainObjectInstance, getProcessDomainObjectClass, setProcessDomainObjectClass, supports
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

logger

private static final org.apache.commons.logging.Log logger

aclManager

private org.acegisecurity.acl.AclManager aclManager

internalMethod

private java.lang.String internalMethod

processConfigAttribute

private java.lang.String processConfigAttribute

requirePermission

private int[] requirePermission
Constructor Detail

BasicAclEntryVoter

public BasicAclEntryVoter()
Method Detail

setAclManager

public void setAclManager(org.acegisecurity.acl.AclManager aclManager)

getAclManager

public org.acegisecurity.acl.AclManager getAclManager()

setInternalMethod

public void setInternalMethod(java.lang.String internalMethod)

getInternalMethod

public java.lang.String getInternalMethod()
Optionally specifies a method of the domain object that will be used to obtain a contained domain object. That contained domain object will be used for the ACL evaluation. This is useful if a domain object contains a parent that an ACL evaluation should be targeted for, instead of the child domain object (which perhaps is being created and as such does not yet have any ACL permissions).


setProcessConfigAttribute

public void setProcessConfigAttribute(java.lang.String processConfigAttribute)

getProcessConfigAttribute

public java.lang.String getProcessConfigAttribute()

setRequirePermission

public void setRequirePermission(int[] requirePermission)

getRequirePermission

public int[] getRequirePermission()

afterPropertiesSet

public void afterPropertiesSet()
                        throws java.lang.Exception
Description copied from interface: org.springframework.beans.factory.InitializingBean
Invoked by a BeanFactory after it has set all bean properties supplied (and satisfied BeanFactoryAware and ApplicationContextAware).

This method allows the bean instance to perform initialization only possible when all bean properties have been set and to throw an exception in the event of misconfiguration.

Specified by:
afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean

supports

public boolean supports(ConfigAttribute attribute)
Description copied from interface: AccessDecisionVoter
Indicates whether this AccessDecisionVoter is able to vote on the passed ConfigAttribute.

This allows the AbstractSecurityInterceptor to check every configuration attribute can be consumed by the configured AccessDecisionManager and/or RunAsManager and/or AccessDecisionManager.

Specified by:
supports in interface AccessDecisionVoter
Overrides:
supports in class AbstractAclVoter

vote

public int vote(org.acegisecurity.Authentication authentication,
                java.lang.Object object,
                ConfigAttributeDefinition config)
Description copied from interface: AccessDecisionVoter
Indicates whether or not access is granted.

The decision must be affirmative (ACCESS_GRANTED), negative (ACCESS_DENIED) or the AccessDecisionVoter can abstain (ACCESS_ABSTAIN) from voting. Under no circumstances should implementing classes return any other value. If a weighting of results is desired, this should be handled in a custom org.acegisecurity.AccessDecisionManager instead.

Unless an AccessDecisionVoter is specifically intended to vote on an access control decision due to a passed method invocation or configuration attribute parameter, it must return ACCESS_ABSTAIN. This prevents the coordinating AccessDecisionManager from counting votes from those AccessDecisionVoters without a legitimate interest in the access control decision.

Whilst the method invocation is passed as a parameter to maximise flexibility in making access control decisions, implementing classes must never modify the behaviour of the method invocation (such as calling MethodInvocation.proceed()).

Specified by:
vote in interface AccessDecisionVoter