Search in sources :

Example 21 with MutableAcl

use of org.springframework.security.acls.model.MutableAcl in project spring-security by spring-projects.

the class EhCacheBasedAclCacheTests method testDiskSerializationOfMutableAclObjectInstance.

// SEC-527
@Test
public void testDiskSerializationOfMutableAclObjectInstance() throws Exception {
    // Serialization test
    File file = File.createTempFile("SEC_TEST", ".object");
    FileOutputStream fos = new FileOutputStream(file);
    ObjectOutputStream oos = new ObjectOutputStream(fos);
    oos.writeObject(acl);
    oos.close();
    FileInputStream fis = new FileInputStream(file);
    ObjectInputStream ois = new ObjectInputStream(fis);
    MutableAcl retrieved = (MutableAcl) ois.readObject();
    ois.close();
    assertThat(retrieved).isEqualTo(acl);
    Object retrieved1 = FieldUtils.getProtectedFieldValue("aclAuthorizationStrategy", retrieved);
    assertThat(retrieved1).isEqualTo(null);
    Object retrieved2 = FieldUtils.getProtectedFieldValue("permissionGrantingStrategy", retrieved);
    assertThat(retrieved2).isEqualTo(null);
}
Also used : FileOutputStream(java.io.FileOutputStream) MutableAcl(org.springframework.security.acls.model.MutableAcl) ObjectOutputStream(java.io.ObjectOutputStream) File(java.io.File) FileInputStream(java.io.FileInputStream) ObjectInputStream(java.io.ObjectInputStream) Test(org.junit.Test)

Example 22 with MutableAcl

use of org.springframework.security.acls.model.MutableAcl in project spring-security by spring-projects.

the class JdbcMutableAclServiceTests method testLifecycle.

@Test
@Transactional
public void testLifecycle() {
    SecurityContextHolder.getContext().setAuthentication(auth);
    MutableAcl topParent = jdbcMutableAclService.createAcl(topParentOid);
    MutableAcl middleParent = jdbcMutableAclService.createAcl(middleParentOid);
    MutableAcl child = jdbcMutableAclService.createAcl(childOid);
    // Specify the inheritance hierarchy
    middleParent.setParent(topParent);
    child.setParent(middleParent);
    // Now let's add a couple of permissions
    topParent.insertAce(0, BasePermission.READ, new PrincipalSid(auth), true);
    topParent.insertAce(1, BasePermission.WRITE, new PrincipalSid(auth), false);
    middleParent.insertAce(0, BasePermission.DELETE, new PrincipalSid(auth), true);
    child.insertAce(0, BasePermission.DELETE, new PrincipalSid(auth), false);
    // Explicitly save the changed ACL
    jdbcMutableAclService.updateAcl(topParent);
    jdbcMutableAclService.updateAcl(middleParent);
    jdbcMutableAclService.updateAcl(child);
    // Let's check if we can read them back correctly
    Map<ObjectIdentity, Acl> map = jdbcMutableAclService.readAclsById(Arrays.asList(topParentOid, middleParentOid, childOid));
    assertThat(map).hasSize(3);
    // Replace our current objects with their retrieved versions
    topParent = (MutableAcl) map.get(topParentOid);
    middleParent = (MutableAcl) map.get(middleParentOid);
    child = (MutableAcl) map.get(childOid);
    // Check the retrieved versions has IDs
    assertThat(topParent.getId()).isNotNull();
    assertThat(middleParent.getId()).isNotNull();
    assertThat(child.getId()).isNotNull();
    // Check their parents were correctly persisted
    assertThat(topParent.getParentAcl()).isNull();
    assertThat(middleParent.getParentAcl().getObjectIdentity()).isEqualTo(topParentOid);
    assertThat(child.getParentAcl().getObjectIdentity()).isEqualTo(middleParentOid);
    // Check their ACEs were correctly persisted
    assertThat(topParent.getEntries()).hasSize(2);
    assertThat(middleParent.getEntries()).hasSize(1);
    assertThat(child.getEntries()).hasSize(1);
    // Check the retrieved rights are correct
    List<Permission> read = Arrays.asList(BasePermission.READ);
    List<Permission> write = Arrays.asList(BasePermission.WRITE);
    List<Permission> delete = Arrays.asList(BasePermission.DELETE);
    List<Sid> pSid = Arrays.asList((Sid) new PrincipalSid(auth));
    assertThat(topParent.isGranted(read, pSid, false)).isTrue();
    assertThat(topParent.isGranted(write, pSid, false)).isFalse();
    assertThat(middleParent.isGranted(delete, pSid, false)).isTrue();
    assertThat(child.isGranted(delete, pSid, false)).isFalse();
    try {
        child.isGranted(Arrays.asList(BasePermission.ADMINISTRATION), pSid, false);
        fail("Should have thrown NotFoundException");
    } catch (NotFoundException expected) {
    }
    // Now check the inherited rights (when not explicitly overridden) also look OK
    assertThat(child.isGranted(read, pSid, false)).isTrue();
    assertThat(child.isGranted(write, pSid, false)).isFalse();
    assertThat(child.isGranted(delete, pSid, false)).isFalse();
    // Next change the child so it doesn't inherit permissions from above
    child.setEntriesInheriting(false);
    jdbcMutableAclService.updateAcl(child);
    child = (MutableAcl) jdbcMutableAclService.readAclById(childOid);
    assertThat(child.isEntriesInheriting()).isFalse();
    // Check the child permissions no longer inherit
    assertThat(child.isGranted(delete, pSid, true)).isFalse();
    try {
        child.isGranted(read, pSid, true);
        fail("Should have thrown NotFoundException");
    } catch (NotFoundException expected) {
    }
    try {
        child.isGranted(write, pSid, true);
        fail("Should have thrown NotFoundException");
    } catch (NotFoundException expected) {
    }
    // Let's add an identical permission to the child, but it'll appear AFTER the
    // current permission, so has no impact
    child.insertAce(1, BasePermission.DELETE, new PrincipalSid(auth), true);
    // Let's also add another permission to the child
    child.insertAce(2, BasePermission.CREATE, new PrincipalSid(auth), true);
    // Save the changed child
    jdbcMutableAclService.updateAcl(child);
    child = (MutableAcl) jdbcMutableAclService.readAclById(childOid);
    assertThat(child.getEntries()).hasSize(3);
    // Output permissions
    for (int i = 0; i < child.getEntries().size(); i++) {
        System.out.println(child.getEntries().get(i));
    }
    // Check the permissions are as they should be
    // as earlier permission
    assertThat(child.isGranted(delete, pSid, true)).isFalse();
    // overrode
    assertThat(child.isGranted(Arrays.asList(BasePermission.CREATE), pSid, true)).isTrue();
    // Now check the first ACE (index 0) really is DELETE for our Sid and is
    // non-granting
    AccessControlEntry entry = child.getEntries().get(0);
    assertThat(entry.getPermission().getMask()).isEqualTo(BasePermission.DELETE.getMask());
    assertThat(entry.getSid()).isEqualTo(new PrincipalSid(auth));
    assertThat(entry.isGranting()).isFalse();
    assertThat(entry.getId()).isNotNull();
    // Now delete that first ACE
    child.deleteAce(0);
    // Save and check it worked
    child = jdbcMutableAclService.updateAcl(child);
    assertThat(child.getEntries()).hasSize(2);
    assertThat(child.isGranted(delete, pSid, false)).isTrue();
    SecurityContextHolder.clearContext();
}
Also used : ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity) Permission(org.springframework.security.acls.model.Permission) BasePermission(org.springframework.security.acls.domain.BasePermission) CumulativePermission(org.springframework.security.acls.domain.CumulativePermission) NotFoundException(org.springframework.security.acls.model.NotFoundException) AccessControlEntry(org.springframework.security.acls.model.AccessControlEntry) MutableAcl(org.springframework.security.acls.model.MutableAcl) MutableAcl(org.springframework.security.acls.model.MutableAcl) Acl(org.springframework.security.acls.model.Acl) PrincipalSid(org.springframework.security.acls.domain.PrincipalSid) CustomSid(org.springframework.security.acls.sid.CustomSid) Sid(org.springframework.security.acls.model.Sid) GrantedAuthoritySid(org.springframework.security.acls.domain.GrantedAuthoritySid) PrincipalSid(org.springframework.security.acls.domain.PrincipalSid) Test(org.junit.Test) Transactional(org.springframework.transaction.annotation.Transactional)

Example 23 with MutableAcl

use of org.springframework.security.acls.model.MutableAcl in project spring-security by spring-projects.

the class SpringCacheBasedAclCacheTests method cacheOperationsAclWithoutParent.

@SuppressWarnings("rawtypes")
@Test
public void cacheOperationsAclWithoutParent() throws Exception {
    Cache cache = getCache();
    Map realCache = (Map) cache.getNativeCache();
    ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, Long.valueOf(100));
    AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"), new SimpleGrantedAuthority("ROLE_GENERAL"));
    AuditLogger auditLogger = new ConsoleAuditLogger();
    PermissionGrantingStrategy permissionGrantingStrategy = new DefaultPermissionGrantingStrategy(auditLogger);
    SpringCacheBasedAclCache myCache = new SpringCacheBasedAclCache(cache, permissionGrantingStrategy, aclAuthorizationStrategy);
    MutableAcl acl = new AclImpl(identity, Long.valueOf(1), aclAuthorizationStrategy, auditLogger);
    assertThat(realCache).isEmpty();
    myCache.putInCache(acl);
    // Check we can get from cache the same objects we put in
    assertThat(acl).isEqualTo(myCache.getFromCache(Long.valueOf(1)));
    assertThat(acl).isEqualTo(myCache.getFromCache(identity));
    // Put another object in cache
    ObjectIdentity identity2 = new ObjectIdentityImpl(TARGET_CLASS, Long.valueOf(101));
    MutableAcl acl2 = new AclImpl(identity2, Long.valueOf(2), aclAuthorizationStrategy, new ConsoleAuditLogger());
    myCache.putInCache(acl2);
    // Try to evict an entry that doesn't exist
    myCache.evictFromCache(Long.valueOf(3));
    myCache.evictFromCache(new ObjectIdentityImpl(TARGET_CLASS, Long.valueOf(102)));
    assertThat(4).isEqualTo(realCache.size());
    myCache.evictFromCache(Long.valueOf(1));
    assertThat(2).isEqualTo(realCache.size());
    // Check the second object inserted
    assertThat(acl2).isEqualTo(myCache.getFromCache(Long.valueOf(2)));
    assertThat(acl2).isEqualTo(myCache.getFromCache(identity2));
    myCache.evictFromCache(identity2);
    assertThat(0).isEqualTo(realCache.size());
}
Also used : SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority) PermissionGrantingStrategy(org.springframework.security.acls.model.PermissionGrantingStrategy) ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity) MutableAcl(org.springframework.security.acls.model.MutableAcl) Map(java.util.Map) Cache(org.springframework.cache.Cache) Test(org.junit.Test)

Example 24 with MutableAcl

use of org.springframework.security.acls.model.MutableAcl in project spring-security by spring-projects.

the class SpringCacheBasedAclCache method evictFromCache.

public void evictFromCache(ObjectIdentity objectIdentity) {
    Assert.notNull(objectIdentity, "ObjectIdentity required");
    MutableAcl acl = getFromCache(objectIdentity);
    if (acl != null) {
        cache.evict(acl.getId());
        cache.evict(acl.getObjectIdentity());
    }
}
Also used : MutableAcl(org.springframework.security.acls.model.MutableAcl)

Example 25 with MutableAcl

use of org.springframework.security.acls.model.MutableAcl in project spring-security by spring-projects.

the class ContactManagerBackend method deletePermission.

public void deletePermission(Contact contact, Sid recipient, Permission permission) {
    ObjectIdentity oid = new ObjectIdentityImpl(Contact.class, contact.getId());
    MutableAcl acl = (MutableAcl) mutableAclService.readAclById(oid);
    // Remove all permissions associated with this particular recipient (string
    // equality to KISS)
    List<AccessControlEntry> entries = acl.getEntries();
    for (int i = 0; i < entries.size(); i++) {
        if (entries.get(i).getSid().equals(recipient) && entries.get(i).getPermission().equals(permission)) {
            acl.deleteAce(i);
        }
    }
    mutableAclService.updateAcl(acl);
    if (logger.isDebugEnabled()) {
        logger.debug("Deleted contact " + contact + " ACL permissions for recipient " + recipient);
    }
}
Also used : ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity) ObjectIdentityImpl(org.springframework.security.acls.domain.ObjectIdentityImpl) AccessControlEntry(org.springframework.security.acls.model.AccessControlEntry) MutableAcl(org.springframework.security.acls.model.MutableAcl)

Aggregations

MutableAcl (org.springframework.security.acls.model.MutableAcl)27 Test (org.junit.Test)14 ObjectIdentity (org.springframework.security.acls.model.ObjectIdentity)13 PrincipalSid (org.springframework.security.acls.domain.PrincipalSid)8 Authentication (org.springframework.security.core.Authentication)8 ObjectIdentityImpl (org.springframework.security.acls.domain.ObjectIdentityImpl)7 TestingAuthenticationToken (org.springframework.security.authentication.TestingAuthenticationToken)7 Transactional (org.springframework.transaction.annotation.Transactional)7 NotFoundException (org.springframework.security.acls.model.NotFoundException)6 SimpleGrantedAuthority (org.springframework.security.core.authority.SimpleGrantedAuthority)5 Element (net.sf.ehcache.Element)4 GrantedAuthoritySid (org.springframework.security.acls.domain.GrantedAuthoritySid)4 BasePermission (org.springframework.security.acls.domain.BasePermission)3 Acl (org.springframework.security.acls.model.Acl)3 Permission (org.springframework.security.acls.model.Permission)3 Sid (org.springframework.security.acls.model.Sid)3 Map (java.util.Map)2 Cache (org.springframework.cache.Cache)2 CumulativePermission (org.springframework.security.acls.domain.CumulativePermission)2 AccessControlEntry (org.springframework.security.acls.model.AccessControlEntry)2