
Example 1 with ObjectIdentity

use of org.springframework.security.acls.model.ObjectIdentity in project spring-security by spring-projects.

the class ContactManagerBackend method addPermission.

public void addPermission(Contact contact, Sid recipient, Permission permission) {
    MutableAcl acl;
    ObjectIdentity oid = new ObjectIdentityImpl(Contact.class, contact.getId());
    try {
        // Reuse the ACL already stored for this contact ...
        acl = (MutableAcl) mutableAclService.readAclById(oid);
    } catch (NotFoundException nfe) {
        // ... or create one; the authenticated principal becomes its owner
        acl = mutableAclService.createAcl(oid);
    }
    // Append a granting ACE. The index matters: ACEs are evaluated in order, so an
    // earlier deny for the same Sid and permission still takes precedence over this grant.
    // insertAce() itself runs the AclAuthorizationStrategy check (CHANGE_GENERAL).
    acl.insertAce(acl.getEntries().size(), permission, recipient, true);
    mutableAclService.updateAcl(acl);
    logger.debug("Added permission " + permission + " for Sid " + recipient + " contact " + contact);
}
Also used : ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity) ObjectIdentityImpl(org.springframework.security.acls.domain.ObjectIdentityImpl) NotFoundException(org.springframework.security.acls.model.NotFoundException) MutableAcl(org.springframework.security.acls.model.MutableAcl)

Example 2 with ObjectIdentity

use of org.springframework.security.acls.model.ObjectIdentity in project spring-security by spring-projects.

the class AclImplementationSecurityCheckTests method testSecurityCheckWithMultipleACEs.

@Test
public void testSecurityCheckWithMultipleACEs() throws Exception {
    // Create a simple authentication with ROLE_GENERAL
    Authentication auth = new TestingAuthenticationToken("user", "password", "ROLE_GENERAL");
    auth.setAuthenticated(true);
    SecurityContextHolder.getContext().setAuthentication(auth);
    ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, new Long(100));
    // Authorization strategy will require a different role for each access
    AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"), new SimpleGrantedAuthority("ROLE_GENERAL"));
    // Let's give the principal the ADMINISTRATION permission, without
    // granting access
    MutableAcl aclFirstDeny = new AclImpl(identity, new Long(1), aclAuthorizationStrategy, new ConsoleAuditLogger());
    aclFirstDeny.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth), false);
    // The CHANGE_GENERAL test should pass as the principal has ROLE_GENERAL
    aclAuthorizationStrategy.securityCheck(aclFirstDeny, AclAuthorizationStrategy.CHANGE_GENERAL);
    // CHANGE_AUDITING and CHANGE_OWNERSHIP must fail: the principal has neither
    // ROLE_AUDITING nor ROLE_OWNERSHIP, and its only ACE is a deny
    try {
        aclAuthorizationStrategy.securityCheck(aclFirstDeny, AclAuthorizationStrategy.CHANGE_AUDITING);
        fail("It should have thrown AccessDeniedException");
    } catch (AccessDeniedException expected) {
    }
    try {
        aclAuthorizationStrategy.securityCheck(aclFirstDeny, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
        fail("It should have thrown AccessDeniedException");
    } catch (AccessDeniedException expected) {
    }
    // Add granting access to this principal
    aclFirstDeny.insertAce(1, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true);
    // CHANGE_AUDITING must still fail: ACEs are evaluated in order, and the first
    // matching one (the deny at index 0) decides
    try {
        aclAuthorizationStrategy.securityCheck(aclFirstDeny, AclAuthorizationStrategy.CHANGE_AUDITING);
        fail("It should have thrown AccessDeniedException");
    } catch (AccessDeniedException expected) {
    }
    // Create another ACL and give the principal the ADMINISTRATION
    // permission, with granting access
    MutableAcl aclFirstAllow = new AclImpl(identity, new Long(1), aclAuthorizationStrategy, new ConsoleAuditLogger());
    aclFirstAllow.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true);
    // The CHANGE_AUDITING test should pass as there is one ACE with
    // granting access
    aclAuthorizationStrategy.securityCheck(aclFirstAllow, AclAuthorizationStrategy.CHANGE_AUDITING);
    // Add a deny ACE and test again for CHANGE_AUDITING
    aclFirstAllow.insertAce(1, BasePermission.ADMINISTRATION, new PrincipalSid(auth), false);
    try {
        aclAuthorizationStrategy.securityCheck(aclFirstAllow, AclAuthorizationStrategy.CHANGE_AUDITING);
    } catch (AccessDeniedException notExpected) {
        fail("It shouldn't have thrown AccessDeniedException");
    }
    // Create an ACL with no ACE
    MutableAcl aclNoACE = new AclImpl(identity, new Long(1), aclAuthorizationStrategy, new ConsoleAuditLogger());
    try {
        aclAuthorizationStrategy.securityCheck(aclNoACE, AclAuthorizationStrategy.CHANGE_AUDITING);
        fail("It should have thrown NotFoundException");
    } catch (NotFoundException expected) {
    }
    // and still grant access for CHANGE_GENERAL
    try {
        aclAuthorizationStrategy.securityCheck(aclNoACE, AclAuthorizationStrategy.CHANGE_GENERAL);
    } catch (NotFoundException expected) {
        fail("It shouldn't have thrown NotFoundException");
    }
}
Also used : AccessDeniedException(org.springframework.security.access.AccessDeniedException) NotFoundException(org.springframework.security.acls.model.NotFoundException) TestingAuthenticationToken(org.springframework.security.authentication.TestingAuthenticationToken) SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority) ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity) Authentication(org.springframework.security.core.Authentication) MutableAcl(org.springframework.security.acls.model.MutableAcl)
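The two examples above fit together: addPermission (Example 1) appends the new ACE at acl.getEntries().size(), and the securityCheck test (Example 2) shows that for a given Sid and permission the first matching ACE decides. An appended grant therefore cannot override an earlier deny, and an ACL with no matching ACE does not return false but throws NotFoundException. The following is an added example, not code from the spring-security project, that exercises both behaviours on an in-memory AclImpl; the Contact class, the ROLE_ACL_ADMIN authority, the principal names and the decide() and grantEffectively() helpers are assumptions of this example.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.security.acls.domain.AclAuthorizationStrategy;
import org.springframework.security.acls.domain.AclAuthorizationStrategyImpl;
import org.springframework.security.acls.domain.AclImpl;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.ConsoleAuditLogger;
import org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.AccessControlEntry;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

public class AceOrderingDemo {

    // Hypothetical domain type; only its class name goes into the ObjectIdentity.
    static class Contact {
    }

    /**
     * Evaluates one permission for one Sid against a single ACL.
     * Returns null when no ACE matches (NotFoundException). AclPermissionEvaluator
     * maps that case to "not granted"; callers should do the same rather than let
     * the exception propagate.
     */
    static Boolean decide(MutableAcl acl, Sid sid, Permission permission) {
        try {
            return acl.isGranted(Arrays.asList(permission), Arrays.asList(sid), false);
        }
        catch (NotFoundException noMatchingAce) {
            return null;
        }
    }

    /**
     * Grants a permission so that the grant actually takes effect: every existing ACE
     * for this Sid and permission (grant or deny) is removed, then a single granting
     * ACE is placed in front of the remaining entries. Entries are deleted from the
     * end so the indices of the copy returned by getEntries() stay valid.
     */
    static void grantEffectively(MutableAcl acl, Sid recipient, Permission permission) {
        List<AccessControlEntry> entries = acl.getEntries();
        for (int i = entries.size() - 1; i >= 0; i--) {
            AccessControlEntry ace = entries.get(i);
            if (ace.getSid().equals(recipient) && ace.getPermission().equals(permission)) {
                acl.deleteAce(i);
            }
        }
        acl.insertAce(0, permission, recipient, true);
    }

    public static void main(String[] args) {
        // insertAce()/deleteAce() call AclAuthorizationStrategy.securityCheck(), which needs an
        // authenticated principal; making that principal the ACL owner satisfies CHANGE_GENERAL.
        Authentication admin = new TestingAuthenticationToken("admin", "pw", "ROLE_ACL_ADMIN");
        admin.setAuthenticated(true);
        SecurityContextHolder.getContext().setAuthentication(admin);
        AclAuthorizationStrategy strategy = new AclAuthorizationStrategyImpl(
                new SimpleGrantedAuthority("ROLE_ACL_ADMIN"));

        ObjectIdentity oid = new ObjectIdentityImpl(Contact.class, 42L);
        MutableAcl acl = new AclImpl(oid, 1L, strategy,
                new DefaultPermissionGrantingStrategy(new ConsoleAuditLogger()),
                null, null, false, new PrincipalSid(admin));
        Sid alice = new PrincipalSid("alice");

        // No ACE at all: the ACL can neither grant nor deny, so decide() reports null.
        System.out.println("no ACE yet      : " + decide(acl, alice, BasePermission.READ));

        // An explicit deny, followed by a grant appended the way addPermission() does it:
        // the deny is the first matching ACE and wins.
        acl.insertAce(0, BasePermission.READ, alice, false);
        acl.insertAce(acl.getEntries().size(), BasePermission.READ, alice, true);
        System.out.println("deny then grant : " + decide(acl, alice, BasePermission.READ));

        // Same grant, but made the first (and only) matching ACE.
        grantEffectively(acl, alice, BasePermission.READ);
        System.out.println("grant in front  : " + decide(acl, alice, BasePermission.READ));
        System.out.println("ACE count       : " + acl.getEntries().size());
    }
}
```

The same ordering rule applies to ACLs loaded through MutableAclService: what you store with updateAcl is evaluated in exactly the order shown, so a grant that is meant to revoke a deny has to replace it, not sit behind it.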

Example 3 with ObjectIdentity

use of org.springframework.security.acls.model.ObjectIdentity in project spring-security by spring-projects.

the class AclImplementationSecurityCheckTests method testSecurityCheckPrincipalOwner.

@Test
public void testSecurityCheckPrincipalOwner() throws Exception {
    Authentication auth = new TestingAuthenticationToken("user", "password", "ROLE_ONE");
    auth.setAuthenticated(true);
    SecurityContextHolder.getContext().setAuthentication(auth);
    ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, 100);
    AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"), new SimpleGrantedAuthority("ROLE_GENERAL"));
    // The principal owns this ACL, which has no ACEs. Ownership alone authorizes
    // CHANGE_GENERAL and CHANGE_OWNERSHIP, but not CHANGE_AUDITING
    Acl acl = new AclImpl(identity, 1, aclAuthorizationStrategy, new DefaultPermissionGrantingStrategy(new ConsoleAuditLogger()), null, null, false, new PrincipalSid(auth));
    try {
        aclAuthorizationStrategy.securityCheck(acl, AclAuthorizationStrategy.CHANGE_GENERAL);
    } catch (AccessDeniedException notExpected) {
        fail("It shouldn't have thrown AccessDeniedException");
    }
    // CHANGE_AUDITING is not covered by ownership, the principal lacks ROLE_AUDITING,
    // and there is no ACE to fall back on, so the check ends in NotFoundException
    try {
        aclAuthorizationStrategy.securityCheck(acl, AclAuthorizationStrategy.CHANGE_AUDITING);
        fail("It should have thrown NotFoundException");
    } catch (NotFoundException expected) {
    }
    try {
        aclAuthorizationStrategy.securityCheck(acl, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
    } catch (AccessDeniedException notExpected) {
        fail("It shouldn't have thrown AccessDeniedException");
    }
}
Also used : AccessDeniedException(org.springframework.security.access.AccessDeniedException) NotFoundException(org.springframework.security.acls.model.NotFoundException) MutableAcl(org.springframework.security.acls.model.MutableAcl) Acl(org.springframework.security.acls.model.Acl) TestingAuthenticationToken(org.springframework.security.authentication.TestingAuthenticationToken) SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority) ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity) Authentication(org.springframework.security.core.Authentication)

Example 4 with ObjectIdentity

use of org.springframework.security.acls.model.ObjectIdentity in project spring-security by spring-projects.

the class AclImplementationSecurityCheckTests method testSecurityCheckWithInheritableACEs.

@Test
public void testSecurityCheckWithInheritableACEs() throws Exception {
    // Create a simple authentication with ROLE_GENERAL
    Authentication auth = new TestingAuthenticationToken("user", "password", "ROLE_GENERAL");
    auth.setAuthenticated(true);
    SecurityContextHolder.getContext().setAuthentication(auth);
    ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, 100);
    // Authorization strategy will require a different role for each access
    AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_ONE"), new SimpleGrantedAuthority("ROLE_TWO"), new SimpleGrantedAuthority("ROLE_GENERAL"));
    // Let's give the principal an ADMINISTRATION permission, with granting
    // access
    MutableAcl parentAcl = new AclImpl(identity, 1, aclAuthorizationStrategy, new ConsoleAuditLogger());
    parentAcl.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true);
    MutableAcl childAcl = new AclImpl(identity, 2, aclAuthorizationStrategy, new ConsoleAuditLogger());
    // The child has no ACEs and no parent yet, so nothing can decide CHANGE_OWNERSHIP
    // (the principal also lacks ROLE_ONE, the take-ownership authority)
    try {
        aclAuthorizationStrategy.securityCheck(childAcl, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
        fail("It should have thrown NotFoundException");
    } catch (NotFoundException expected) {
    }
    // Link the child with its parent and test again against the
    // CHANGE_OWNERSHIP right
    childAcl.setParent(parentAcl);
    childAcl.setEntriesInheriting(true);
    try {
        aclAuthorizationStrategy.securityCheck(childAcl, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
    } catch (NotFoundException expected) {
        fail("It shouldn't have thrown NotFoundException");
    }
    // Create a root parent and link it to the middle parent
    MutableAcl rootParentAcl = new AclImpl(identity, 1, aclAuthorizationStrategy, new ConsoleAuditLogger());
    parentAcl = new AclImpl(identity, 1, aclAuthorizationStrategy, new ConsoleAuditLogger());
    rootParentAcl.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true);
    parentAcl.setEntriesInheriting(true);
    parentAcl.setParent(rootParentAcl);
    childAcl.setParent(parentAcl);
    try {
        aclAuthorizationStrategy.securityCheck(childAcl, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
    } catch (NotFoundException expected) {
        fail("It shouldn't have thrown NotFoundException");
    }
}
Also used : SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority) ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity) Authentication(org.springframework.security.core.Authentication) NotFoundException(org.springframework.security.acls.model.NotFoundException) MutableAcl(org.springframework.security.acls.model.MutableAcl) TestingAuthenticationToken(org.springframework.security.authentication.TestingAuthenticationToken)

Example 5 with ObjectIdentity

use of org.springframework.security.acls.model.ObjectIdentity in project spring-security by spring-projects.

the class BasicLookupStrategyTests method testAclsRetrievalWithDefaultBatchSize.

@Test
public void testAclsRetrievalWithDefaultBatchSize() throws Exception {
    ObjectIdentity topParentOid = new ObjectIdentityImpl(TARGET_CLASS, new Long(100));
    ObjectIdentity middleParentOid = new ObjectIdentityImpl(TARGET_CLASS, new Long(101));
    // Deliberately use an integer for the child, to reproduce bug report in
    // SEC-819
    ObjectIdentity childOid = new ObjectIdentityImpl(TARGET_CLASS, Integer.valueOf(102));
    Map<ObjectIdentity, Acl> map = this.strategy.readAclsById(Arrays.asList(topParentOid, middleParentOid, childOid), null);
    checkEntries(topParentOid, middleParentOid, childOid, map);
}
Also used : ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity) Acl(org.springframework.security.acls.model.Acl) MutableAcl(org.springframework.security.acls.model.MutableAcl)

Aggregations

ObjectIdentity (org.springframework.security.acls.model.ObjectIdentity) 46
MutableAcl (org.springframework.security.acls.model.MutableAcl) 22
Test (org.junit.Test) 21
ObjectIdentityImpl (org.springframework.security.acls.domain.ObjectIdentityImpl) 19
Acl (org.springframework.security.acls.model.Acl) 16
Authentication (org.springframework.security.core.Authentication) 12
Sid (org.springframework.security.acls.model.Sid) 11
NotFoundException (org.springframework.security.acls.model.NotFoundException) 10
TestingAuthenticationToken (org.springframework.security.authentication.TestingAuthenticationToken) 8
SimpleGrantedAuthority (org.springframework.security.core.authority.SimpleGrantedAuthority) 8
Permission (org.springframework.security.acls.model.Permission) 7
PrincipalSid (org.springframework.security.acls.domain.PrincipalSid) 6
Transactional (org.springframework.transaction.annotation.Transactional) 5
BasePermission (org.springframework.security.acls.domain.BasePermission) 4
ObjectIdentityRetrievalStrategy (org.springframework.security.acls.model.ObjectIdentityRetrievalStrategy) 4
HashMap (java.util.HashMap) 3
GrantedAuthoritySid (org.springframework.security.acls.domain.GrantedAuthoritySid) 3
AccessControlEntry (org.springframework.security.acls.model.AccessControlEntry) 3
AclService (org.springframework.security.acls.model.AclService) 3
SidRetrievalStrategy (org.springframework.security.acls.model.SidRetrievalStrategy) 3