Search in sources :

Example 41 with ObjectIdentity

use of org.springframework.security.acls.model.ObjectIdentity in project spring-security by spring-projects.

the class SpringCacheBasedAclCacheTests method cacheOperationsAclWithoutParent.

@SuppressWarnings("rawtypes")
@Test
public void cacheOperationsAclWithoutParent() throws Exception {
    Cache cache = getCache();
    Map realCache = (Map) cache.getNativeCache();
    ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, Long.valueOf(100));
    AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"), new SimpleGrantedAuthority("ROLE_GENERAL"));
    AuditLogger auditLogger = new ConsoleAuditLogger();
    PermissionGrantingStrategy permissionGrantingStrategy = new DefaultPermissionGrantingStrategy(auditLogger);
    SpringCacheBasedAclCache myCache = new SpringCacheBasedAclCache(cache, permissionGrantingStrategy, aclAuthorizationStrategy);
    MutableAcl acl = new AclImpl(identity, Long.valueOf(1), aclAuthorizationStrategy, auditLogger);
    assertThat(realCache).isEmpty();
    myCache.putInCache(acl);
    // Check we can get from cache the same objects we put in
    assertThat(acl).isEqualTo(myCache.getFromCache(Long.valueOf(1)));
    assertThat(acl).isEqualTo(myCache.getFromCache(identity));
    // Put another object in cache
    ObjectIdentity identity2 = new ObjectIdentityImpl(TARGET_CLASS, Long.valueOf(101));
    MutableAcl acl2 = new AclImpl(identity2, Long.valueOf(2), aclAuthorizationStrategy, new ConsoleAuditLogger());
    myCache.putInCache(acl2);
    // Try to evict an entry that doesn't exist
    myCache.evictFromCache(Long.valueOf(3));
    myCache.evictFromCache(new ObjectIdentityImpl(TARGET_CLASS, Long.valueOf(102)));
    assertThat(4).isEqualTo(realCache.size());
    myCache.evictFromCache(Long.valueOf(1));
    assertThat(2).isEqualTo(realCache.size());
    // Check the second object inserted
    assertThat(acl2).isEqualTo(myCache.getFromCache(Long.valueOf(2)));
    assertThat(acl2).isEqualTo(myCache.getFromCache(identity2));
    myCache.evictFromCache(identity2);
    assertThat(0).isEqualTo(realCache.size());
}
Also used : SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority) PermissionGrantingStrategy(org.springframework.security.acls.model.PermissionGrantingStrategy) ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity) MutableAcl(org.springframework.security.acls.model.MutableAcl) Map(java.util.Map) Cache(org.springframework.cache.Cache) Test(org.junit.Test)

Example 42 with ObjectIdentity

use of org.springframework.security.acls.model.ObjectIdentity in project spring-security by spring-projects.

the class ContactManagerBackend method deletePermission.

public void deletePermission(Contact contact, Sid recipient, Permission permission) {
    ObjectIdentity oid = new ObjectIdentityImpl(Contact.class, contact.getId());
    MutableAcl acl = (MutableAcl) mutableAclService.readAclById(oid);
    // Remove all permissions associated with this particular recipient (string
    // equality to KISS)
    List<AccessControlEntry> entries = acl.getEntries();
    for (int i = 0; i < entries.size(); i++) {
        if (entries.get(i).getSid().equals(recipient) && entries.get(i).getPermission().equals(permission)) {
            acl.deleteAce(i);
        }
    }
    mutableAclService.updateAcl(acl);
    if (logger.isDebugEnabled()) {
        logger.debug("Deleted contact " + contact + " ACL permissions for recipient " + recipient);
    }
}
Also used : ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity) ObjectIdentityImpl(org.springframework.security.acls.domain.ObjectIdentityImpl) AccessControlEntry(org.springframework.security.acls.model.AccessControlEntry) MutableAcl(org.springframework.security.acls.model.MutableAcl)

Example 43 with ObjectIdentity

use of org.springframework.security.acls.model.ObjectIdentity in project spring-security by spring-projects.

the class ContactManagerBackend method delete.

public void delete(Contact contact) {
    contactDao.delete(contact.getId());
    // Delete the ACL information as well
    ObjectIdentity oid = new ObjectIdentityImpl(Contact.class, contact.getId());
    mutableAclService.deleteAcl(oid, false);
    if (logger.isDebugEnabled()) {
        logger.debug("Deleted contact " + contact + " including ACL permissions");
    }
}
Also used : ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity) ObjectIdentityImpl(org.springframework.security.acls.domain.ObjectIdentityImpl)

Example 44 with ObjectIdentity

use of org.springframework.security.acls.model.ObjectIdentity in project spring-security by spring-projects.

the class DataSourcePopulator method afterPropertiesSet.

// ~ Methods
// ========================================================================================================
public void afterPropertiesSet() throws Exception {
    Assert.notNull(mutableAclService, "mutableAclService required");
    Assert.notNull(template, "dataSource required");
    Assert.notNull(tt, "platformTransactionManager required");
    // Set a user account that will initially own all the created data
    Authentication authRequest = new UsernamePasswordAuthenticationToken("rod", "koala", AuthorityUtils.createAuthorityList("ROLE_IGNORED"));
    SecurityContextHolder.getContext().setAuthentication(authRequest);
    try {
        template.execute("DROP TABLE CONTACTS");
        template.execute("DROP TABLE AUTHORITIES");
        template.execute("DROP TABLE USERS");
        template.execute("DROP TABLE ACL_ENTRY");
        template.execute("DROP TABLE ACL_OBJECT_IDENTITY");
        template.execute("DROP TABLE ACL_CLASS");
        template.execute("DROP TABLE ACL_SID");
    } catch (Exception e) {
        System.out.println("Failed to drop tables: " + e.getMessage());
    }
    template.execute("CREATE TABLE ACL_SID(" + "ID BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 100) NOT NULL PRIMARY KEY," + "PRINCIPAL BOOLEAN NOT NULL," + "SID VARCHAR_IGNORECASE(100) NOT NULL," + "CONSTRAINT UNIQUE_UK_1 UNIQUE(SID,PRINCIPAL));");
    template.execute("CREATE TABLE ACL_CLASS(" + "ID BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 100) NOT NULL PRIMARY KEY," + "CLASS VARCHAR_IGNORECASE(100) NOT NULL," + "CONSTRAINT UNIQUE_UK_2 UNIQUE(CLASS));");
    template.execute("CREATE TABLE ACL_OBJECT_IDENTITY(" + "ID BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 100) NOT NULL PRIMARY KEY," + "OBJECT_ID_CLASS BIGINT NOT NULL," + "OBJECT_ID_IDENTITY BIGINT NOT NULL," + "PARENT_OBJECT BIGINT," + "OWNER_SID BIGINT," + "ENTRIES_INHERITING BOOLEAN NOT NULL," + "CONSTRAINT UNIQUE_UK_3 UNIQUE(OBJECT_ID_CLASS,OBJECT_ID_IDENTITY)," + "CONSTRAINT FOREIGN_FK_1 FOREIGN KEY(PARENT_OBJECT)REFERENCES ACL_OBJECT_IDENTITY(ID)," + "CONSTRAINT FOREIGN_FK_2 FOREIGN KEY(OBJECT_ID_CLASS)REFERENCES ACL_CLASS(ID)," + "CONSTRAINT FOREIGN_FK_3 FOREIGN KEY(OWNER_SID)REFERENCES ACL_SID(ID));");
    template.execute("CREATE TABLE ACL_ENTRY(" + "ID BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 100) NOT NULL PRIMARY KEY," + "ACL_OBJECT_IDENTITY BIGINT NOT NULL,ACE_ORDER INT NOT NULL,SID BIGINT NOT NULL," + "MASK INTEGER NOT NULL,GRANTING BOOLEAN NOT NULL,AUDIT_SUCCESS BOOLEAN NOT NULL," + "AUDIT_FAILURE BOOLEAN NOT NULL,CONSTRAINT UNIQUE_UK_4 UNIQUE(ACL_OBJECT_IDENTITY,ACE_ORDER)," + "CONSTRAINT FOREIGN_FK_4 FOREIGN KEY(ACL_OBJECT_IDENTITY) REFERENCES ACL_OBJECT_IDENTITY(ID)," + "CONSTRAINT FOREIGN_FK_5 FOREIGN KEY(SID) REFERENCES ACL_SID(ID));");
    template.execute("CREATE TABLE USERS(USERNAME VARCHAR_IGNORECASE(50) NOT NULL PRIMARY KEY,PASSWORD VARCHAR_IGNORECASE(500) NOT NULL,ENABLED BOOLEAN NOT NULL);");
    template.execute("CREATE TABLE AUTHORITIES(USERNAME VARCHAR_IGNORECASE(50) NOT NULL,AUTHORITY VARCHAR_IGNORECASE(50) NOT NULL,CONSTRAINT FK_AUTHORITIES_USERS FOREIGN KEY(USERNAME) REFERENCES USERS(USERNAME));");
    template.execute("CREATE UNIQUE INDEX IX_AUTH_USERNAME ON AUTHORITIES(USERNAME,AUTHORITY);");
    template.execute("CREATE TABLE CONTACTS(ID BIGINT NOT NULL PRIMARY KEY, CONTACT_NAME VARCHAR_IGNORECASE(50) NOT NULL, EMAIL VARCHAR_IGNORECASE(50) NOT NULL)");
    /*
		 * Passwords encoded using MD5, NOT in Base64 format, with null as salt Encoded
		 * password for rod is "koala" Encoded password for dianne is "emu" Encoded
		 * password for scott is "wombat" Encoded password for peter is "opal" (but user
		 * is disabled) Encoded password for bill is "wombat" Encoded password for bob is
		 * "wombat" Encoded password for jane is "wombat"
		 */
    template.execute("INSERT INTO USERS VALUES('rod','$2a$10$75pBjapg4Nl8Pzd.3JRnUe7PDJmk9qBGwNEJDAlA3V.dEJxcDKn5O',TRUE);");
    template.execute("INSERT INTO USERS VALUES('dianne','$2a$04$bCMEyxrdF/7sgfUiUJ6Ose2vh9DAMaVBldS1Bw2fhi1jgutZrr9zm',TRUE);");
    template.execute("INSERT INTO USERS VALUES('scott','$2a$06$eChwvzAu3TSexnC3ynw4LOSw1qiEbtNItNeYv5uI40w1i3paoSfLu',TRUE);");
    template.execute("INSERT INTO USERS VALUES('peter','$2a$04$8.H8bCMROLF4CIgd7IpeQ.tcBXLP5w8iplO0n.kCIkISwrIgX28Ii',FALSE);");
    template.execute("INSERT INTO USERS VALUES('bill','$2a$04$8.H8bCMROLF4CIgd7IpeQ.3khQlPVNWbp8kzSQqidQHGFurim7P8O',TRUE);");
    template.execute("INSERT INTO USERS VALUES('bob','$2a$06$zMgxlMf01SfYNcdx7n4NpeFlAGU8apCETz/i2C7VlYWu6IcNyn4Ay',TRUE);");
    template.execute("INSERT INTO USERS VALUES('jane','$2a$05$ZrdS7yMhCZ1J.AAidXZhCOxdjD8LO/dhlv4FJzkXA6xh9gdEbBT/u',TRUE);");
    template.execute("INSERT INTO AUTHORITIES VALUES('rod','ROLE_USER');");
    template.execute("INSERT INTO AUTHORITIES VALUES('rod','ROLE_SUPERVISOR');");
    template.execute("INSERT INTO AUTHORITIES VALUES('dianne','ROLE_USER');");
    template.execute("INSERT INTO AUTHORITIES VALUES('scott','ROLE_USER');");
    template.execute("INSERT INTO AUTHORITIES VALUES('peter','ROLE_USER');");
    template.execute("INSERT INTO AUTHORITIES VALUES('bill','ROLE_USER');");
    template.execute("INSERT INTO AUTHORITIES VALUES('bob','ROLE_USER');");
    template.execute("INSERT INTO AUTHORITIES VALUES('jane','ROLE_USER');");
    template.execute("INSERT INTO contacts VALUES (1, 'John Smith', 'john@somewhere.com');");
    template.execute("INSERT INTO contacts VALUES (2, 'Michael Citizen', 'michael@xyz.com');");
    template.execute("INSERT INTO contacts VALUES (3, 'Joe Bloggs', 'joe@demo.com');");
    template.execute("INSERT INTO contacts VALUES (4, 'Karen Sutherland', 'karen@sutherland.com');");
    template.execute("INSERT INTO contacts VALUES (5, 'Mitchell Howard', 'mitchell@abcdef.com');");
    template.execute("INSERT INTO contacts VALUES (6, 'Rose Costas', 'rose@xyz.com');");
    template.execute("INSERT INTO contacts VALUES (7, 'Amanda Smith', 'amanda@abcdef.com');");
    template.execute("INSERT INTO contacts VALUES (8, 'Cindy Smith', 'cindy@smith.com');");
    template.execute("INSERT INTO contacts VALUES (9, 'Jonathan Citizen', 'jonathan@xyz.com');");
    for (int i = 10; i < createEntities; i++) {
        String[] person = selectPerson();
        template.execute("INSERT INTO contacts VALUES (" + i + ", '" + person[2] + "', '" + person[0].toLowerCase() + "@" + person[1].toLowerCase() + ".com');");
    }
    // Create acl_object_identity rows (and also acl_class rows as needed
    for (int i = 1; i < createEntities; i++) {
        final ObjectIdentity objectIdentity = new ObjectIdentityImpl(Contact.class, new Long(i));
        tt.execute(new TransactionCallback<Object>() {

            public Object doInTransaction(TransactionStatus arg0) {
                mutableAclService.createAcl(objectIdentity);
                return null;
            }
        });
    }
    // Now grant some permissions
    grantPermissions(1, "rod", BasePermission.ADMINISTRATION);
    grantPermissions(2, "rod", BasePermission.READ);
    grantPermissions(3, "rod", BasePermission.READ);
    grantPermissions(3, "rod", BasePermission.WRITE);
    grantPermissions(3, "rod", BasePermission.DELETE);
    grantPermissions(4, "rod", BasePermission.ADMINISTRATION);
    grantPermissions(4, "dianne", BasePermission.ADMINISTRATION);
    grantPermissions(4, "scott", BasePermission.READ);
    grantPermissions(5, "dianne", BasePermission.ADMINISTRATION);
    grantPermissions(5, "dianne", BasePermission.READ);
    grantPermissions(6, "dianne", BasePermission.READ);
    grantPermissions(6, "dianne", BasePermission.WRITE);
    grantPermissions(6, "dianne", BasePermission.DELETE);
    grantPermissions(6, "scott", BasePermission.READ);
    grantPermissions(7, "scott", BasePermission.ADMINISTRATION);
    grantPermissions(8, "dianne", BasePermission.ADMINISTRATION);
    grantPermissions(8, "dianne", BasePermission.READ);
    grantPermissions(8, "scott", BasePermission.READ);
    grantPermissions(9, "scott", BasePermission.ADMINISTRATION);
    grantPermissions(9, "scott", BasePermission.READ);
    grantPermissions(9, "scott", BasePermission.WRITE);
    grantPermissions(9, "scott", BasePermission.DELETE);
    // Now expressly change the owner of the first ten contacts
    // We have to do this last, because "rod" owns all of them (doing it sooner would
    // prevent ACL updates)
    // Note that ownership has no impact on permissions - they're separate (ownership
    // only allows ACl editing)
    changeOwner(5, "dianne");
    changeOwner(6, "dianne");
    changeOwner(7, "scott");
    changeOwner(8, "dianne");
    changeOwner(9, "scott");
    // don't want to mess around with
    String[] users = { "bill", "bob", "jane" };
    // consistent sample data
    Permission[] permissions = { BasePermission.ADMINISTRATION, BasePermission.READ, BasePermission.DELETE };
    for (int i = 10; i < createEntities; i++) {
        String user = users[rnd.nextInt(users.length)];
        Permission permission = permissions[rnd.nextInt(permissions.length)];
        grantPermissions(i, user, permission);
        String user2 = users[rnd.nextInt(users.length)];
        Permission permission2 = permissions[rnd.nextInt(permissions.length)];
        grantPermissions(i, user2, permission2);
    }
    SecurityContextHolder.clearContext();
}
Also used : ObjectIdentityImpl(org.springframework.security.acls.domain.ObjectIdentityImpl) TransactionStatus(org.springframework.transaction.TransactionStatus) UsernamePasswordAuthenticationToken(org.springframework.security.authentication.UsernamePasswordAuthenticationToken) ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity) Authentication(org.springframework.security.core.Authentication) Permission(org.springframework.security.acls.model.Permission) BasePermission(org.springframework.security.acls.domain.BasePermission)

Example 45 with ObjectIdentity

use of org.springframework.security.acls.model.ObjectIdentity in project spring-security by spring-projects.

the class SecureDataSourcePopulator method addPermission.

protected void addPermission(DocumentDao documentDao, AbstractElement element, String recipient, int level) {
    Assert.notNull(documentDao, "DocumentDao required");
    Assert.isInstanceOf(SecureDocumentDao.class, documentDao, "DocumentDao should have been a SecureDocumentDao");
    Assert.notNull(element, "Element required");
    Assert.hasText(recipient, "Recipient required");
    Assert.notNull(SecurityContextHolder.getContext().getAuthentication(), "SecurityContextHolder must contain an Authentication");
    // We need SecureDocumentDao to assign different permissions
    // SecureDocumentDao dao = (SecureDocumentDao) documentDao;
    // We need to construct an ACL-specific Sid. Note the prefix contract is defined
    // on the superclass method's JavaDocs
    Sid sid = null;
    if (recipient.startsWith("ROLE_")) {
        sid = new GrantedAuthoritySid(recipient);
    } else {
        sid = new PrincipalSid(recipient);
    }
    // We need to identify the target domain object and create an ObjectIdentity for
    // it
    // This works because AbstractElement has a "getId()" method
    ObjectIdentity identity = new ObjectIdentityImpl(element);
    // ObjectIdentity identity = new ObjectIdentityImpl(element.getClass(),
    // element.getId()); // equivalent
    // Next we need to create a Permission
    Permission permission = null;
    if (level == LEVEL_NEGATE_READ || level == LEVEL_GRANT_READ) {
        permission = BasePermission.READ;
    } else if (level == LEVEL_GRANT_WRITE) {
        permission = BasePermission.WRITE;
    } else if (level == LEVEL_GRANT_ADMIN) {
        permission = BasePermission.ADMINISTRATION;
    } else {
        throw new IllegalArgumentException("Unsupported LEVEL_");
    }
    // Attempt to retrieve the existing ACL, creating an ACL if it doesn't already
    // exist for this ObjectIdentity
    MutableAcl acl = null;
    try {
        acl = (MutableAcl) aclService.readAclById(identity);
    } catch (NotFoundException nfe) {
        acl = aclService.createAcl(identity);
        Assert.notNull(acl, "Acl could not be retrieved or created");
    }
    // Now we have an ACL, add another ACE to it
    if (level == LEVEL_NEGATE_READ) {
        // not
        acl.insertAce(acl.getEntries().size(), permission, sid, false);
    // granting
    } else {
        // granting
        acl.insertAce(acl.getEntries().size(), permission, sid, true);
    }
    // Finally, persist the modified ACL
    aclService.updateAcl(acl);
}
Also used : ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity) GrantedAuthoritySid(org.springframework.security.acls.domain.GrantedAuthoritySid) ObjectIdentityImpl(org.springframework.security.acls.domain.ObjectIdentityImpl) Permission(org.springframework.security.acls.model.Permission) BasePermission(org.springframework.security.acls.domain.BasePermission) NotFoundException(org.springframework.security.acls.model.NotFoundException) MutableAcl(org.springframework.security.acls.model.MutableAcl) PrincipalSid(org.springframework.security.acls.domain.PrincipalSid) Sid(org.springframework.security.acls.model.Sid) GrantedAuthoritySid(org.springframework.security.acls.domain.GrantedAuthoritySid) PrincipalSid(org.springframework.security.acls.domain.PrincipalSid)

Aggregations

ObjectIdentity (org.springframework.security.acls.model.ObjectIdentity)46 MutableAcl (org.springframework.security.acls.model.MutableAcl)22 Test (org.junit.Test)21 ObjectIdentityImpl (org.springframework.security.acls.domain.ObjectIdentityImpl)19 Acl (org.springframework.security.acls.model.Acl)16 Authentication (org.springframework.security.core.Authentication)12 Sid (org.springframework.security.acls.model.Sid)11 NotFoundException (org.springframework.security.acls.model.NotFoundException)10 TestingAuthenticationToken (org.springframework.security.authentication.TestingAuthenticationToken)8 SimpleGrantedAuthority (org.springframework.security.core.authority.SimpleGrantedAuthority)8 Permission (org.springframework.security.acls.model.Permission)7 PrincipalSid (org.springframework.security.acls.domain.PrincipalSid)6 Transactional (org.springframework.transaction.annotation.Transactional)5 BasePermission (org.springframework.security.acls.domain.BasePermission)4 ObjectIdentityRetrievalStrategy (org.springframework.security.acls.model.ObjectIdentityRetrievalStrategy)4 HashMap (java.util.HashMap)3 GrantedAuthoritySid (org.springframework.security.acls.domain.GrantedAuthoritySid)3 AccessControlEntry (org.springframework.security.acls.model.AccessControlEntry)3 AclService (org.springframework.security.acls.model.AclService)3 SidRetrievalStrategy (org.springframework.security.acls.model.SidRetrievalStrategy)3