Example 1 with ConfigAttributeDefinition
use of org.alfresco.module.org_alfresco_module_rm.capability.policy.ConfigAttributeDefinition in project records-management by Alfresco.
the class RMEntryVoter method vote.
/**
* @see net.sf.acegisecurity.vote.AccessDecisionVoter#vote(net.sf.acegisecurity.Authentication, java.lang.Object, net.sf.acegisecurity.ConfigAttributeDefinition)
*/
@SuppressWarnings("rawtypes")
public int vote(Authentication authentication, Object object, net.sf.acegisecurity.ConfigAttributeDefinition config) {
// logging
RMMethodSecurityInterceptor.isRMSecurityChecked(true);
MethodInvocation mi = (MethodInvocation) object;
if (transactionalResourceHelper.isResourcePresent("voting")) {
if (logger.isDebugEnabled()) {
logger.debug(" .. grant access already voting: " + mi.getMethod().getDeclaringClass().getName() + "." + mi.getMethod().getName());
}
return AccessDecisionVoter.ACCESS_GRANTED;
}
if (logger.isDebugEnabled()) {
logger.debug("Method: " + mi.getMethod().getDeclaringClass().getName() + "." + mi.getMethod().getName());
}
alfrescoTransactionSupport.bindResource("voting", true);
try {
// The system user can do anything
if (authenticationUtil.isRunAsUserTheSystemUser()) {
if (logger.isDebugEnabled()) {
logger.debug("Access granted for the system user");
}
return AccessDecisionVoter.ACCESS_GRANTED;
}
List<ConfigAttributeDefinition> supportedDefinitions = extractSupportedDefinitions(config);
// No RM definitions so we do not vote
if (supportedDefinitions.size() == 0) {
return AccessDecisionVoter.ACCESS_ABSTAIN;
}
// check we have an instance of a method invocation
if (!(object instanceof MethodInvocation)) {
// we expect a method invocation
throw new AlfrescoRuntimeException("Passed object is not an instance of MethodInvocation as expected.");
}
// get information about the method
MethodInvocation invocation = (MethodInvocation) object;
Method method = invocation.getMethod();
Class[] params = method.getParameterTypes();
for (ConfigAttributeDefinition cad : supportedDefinitions) {
// Whatever is found first takes precedence
if (cad.getTypeString().equals(ConfigAttributeDefinition.RM_DENY)) {
// log message
RMMethodSecurityInterceptor.addMessage("RM_DENY: check that a security policy has been set for this method");
return AccessDecisionVoter.ACCESS_DENIED;
} else if (cad.getTypeString().equals(ConfigAttributeDefinition.RM_ABSTAIN)) {
return AccessDecisionVoter.ACCESS_ABSTAIN;
} else if (cad.getTypeString().equals(ConfigAttributeDefinition.RM_ALLOW)) {
return AccessDecisionVoter.ACCESS_GRANTED;
} else // It is distinguished from RM_ALLOW so query may have additional behaviour in the future
if (cad.getTypeString().equals(ConfigAttributeDefinition.RM_QUERY)) {
return AccessDecisionVoter.ACCESS_GRANTED;
} else // These entries effectively abstain
if (((cad.getParameters().get(0) != null) && (cad.getParameters().get(0) >= invocation.getArguments().length)) || ((cad.getParameters().get(1) != null) && (cad.getParameters().get(1) >= invocation.getArguments().length))) {
continue;
} else if (cad.getTypeString().equals(ConfigAttributeDefinition.RM_CAP)) {
switch(checkCapability(invocation, params, cad)) {
case AccessDecisionVoter.ACCESS_DENIED:
{
return AccessDecisionVoter.ACCESS_DENIED;
}
case AccessDecisionVoter.ACCESS_ABSTAIN:
{
if (logger.isDebugEnabled()) {
if (logger.isTraceEnabled()) {
logger.trace("Capability " + cad.getRequired() + " abstained for " + invocation.getMethod(), new IllegalStateException());
} else {
logger.debug("Capability " + cad.getRequired() + " abstained for " + invocation.getMethod());
}
}
// abstain denies
return AccessDecisionVoter.ACCESS_DENIED;
}
case AccessDecisionVoter.ACCESS_GRANTED:
{
break;
}
}
} else if (cad.getTypeString().equals(ConfigAttributeDefinition.RM)) {
switch(checkPolicy(invocation, params, cad)) {
case AccessDecisionVoter.ACCESS_DENIED:
{
// log message
RMMethodSecurityInterceptor.addMessage("Policy " + cad.getPolicyName() + " denied.");
return AccessDecisionVoter.ACCESS_DENIED;
}
case AccessDecisionVoter.ACCESS_ABSTAIN:
{
if (logger.isDebugEnabled()) {
if (logger.isTraceEnabled()) {
logger.trace("Policy " + cad.getPolicyName() + " abstained for " + invocation.getMethod(), new IllegalStateException());
} else {
logger.debug("Policy " + cad.getPolicyName() + " abstained for " + invocation.getMethod());
}
}
// abstain denies
return AccessDecisionVoter.ACCESS_DENIED;
}
case AccessDecisionVoter.ACCESS_GRANTED:
{
break;
}
}
}
}
} finally {
alfrescoTransactionSupport.unbindResource("voting");
}
// all voted to allow
return AccessDecisionVoter.ACCESS_GRANTED;
}
Also used :
ConfigAttributeDefinition(org.alfresco.module.org_alfresco_module_rm.capability.policy.ConfigAttributeDefinition)
AlfrescoRuntimeException(org.alfresco.error.AlfrescoRuntimeException)
MethodInvocation(org.aopalliance.intercept.MethodInvocation)
Method(java.lang.reflect.Method)
Example 2 with ConfigAttributeDefinition
use of org.alfresco.module.org_alfresco_module_rm.capability.policy.ConfigAttributeDefinition in project records-management by Alfresco.
the class RMEntryVoter method extractSupportedDefinitions.
/**
* @param config
* @return
*/
@SuppressWarnings("rawtypes")
private List<ConfigAttributeDefinition> extractSupportedDefinitions(net.sf.acegisecurity.ConfigAttributeDefinition config) {
List<ConfigAttributeDefinition> definitions = new ArrayList<ConfigAttributeDefinition>(2);
Iterator iter = config.getConfigAttributes();
while (iter.hasNext()) {
ConfigAttribute attr = (ConfigAttribute) iter.next();
if (this.supports(attr)) {
definitions.add(new ConfigAttributeDefinition(attr, nspr));
}
}
return definitions;
}
Also used :
ConfigAttribute(net.sf.acegisecurity.ConfigAttribute)
ConfigAttributeDefinition(org.alfresco.module.org_alfresco_module_rm.capability.policy.ConfigAttributeDefinition)
ArrayList(java.util.ArrayList)
Iterator(java.util.Iterator)
Aggregations
ConfigAttributeDefinition (org.alfresco.module.org_alfresco_module_rm.capability.policy.ConfigAttributeDefinition)2
Method (java.lang.reflect.Method)1
ArrayList (java.util.ArrayList)1
Iterator (java.util.Iterator)1
ConfigAttribute (net.sf.acegisecurity.ConfigAttribute)1
AlfrescoRuntimeException (org.alfresco.error.AlfrescoRuntimeException)1
MethodInvocation (org.aopalliance.intercept.MethodInvocation)1
