Example 1 with Permission

use of org.springframework.security.acls.model.Permission in project spring-security by spring-projects.

the class AdminPermissionController method addPermission.

/**
 * Handles submission of the "add permission" form.
 */
@RequestMapping(value = "/secure/addPermission.htm", method = RequestMethod.POST)
public String addPermission(AddPermission addPermission, BindingResult result, ModelMap model) {
    addPermissionValidator.validate(addPermission, result);
    if (result.hasErrors()) {
        model.put("recipients", listRecipients());
        model.put("permissions", listPermissions());
        return "addPermission";
    }
    // The recipient is always interpreted as a user name (PrincipalSid), never as a role.
    PrincipalSid sid = new PrincipalSid(addPermission.getRecipient());
    // The form submits the raw bit mask. With DefaultPermissionFactory this resolves to a
    // registered Permission or a CumulativePermission, and a mask containing an unregistered
    // bit is rejected with an IllegalStateException.
    Permission permission = permissionFactory.buildFromMask(addPermission.getPermission());
    try {
        contactManager.addPermission(addPermission.getContact(), sid, permission);
    } catch (DataAccessException existingPermission) {
        // The sample treats any persistence failure as "this recipient already has an ACE".
        existingPermission.printStackTrace();
        result.rejectValue("recipient", "err.recipientExistsForContact", "Addition failure.");
        model.put("recipients", listRecipients());
        model.put("permissions", listPermissions());
        return "addPermission";
    }
    return "redirect:/secure/index.htm";
}
Also used : Permission(org.springframework.security.acls.model.Permission) BasePermission(org.springframework.security.acls.domain.BasePermission) PrincipalSid(org.springframework.security.acls.domain.PrincipalSid) DataAccessException(org.springframework.dao.DataAccessException) RequestMapping(org.springframework.web.bind.annotation.RequestMapping)

Example 2 with Permission

use of org.springframework.security.acls.model.Permission in project spring-security by spring-projects.

the class AdminPermissionController method deletePermission.

/**
 * Deletes a permission.
 */
@RequestMapping(value = "/secure/deletePermission.htm")
public ModelAndView deletePermission(@RequestParam("contactId") int contactId, @RequestParam("sid") String sid, @RequestParam("permission") int mask) {
    // No method attribute: unlike addPermission, this state-changing handler also answers
    // plain GET requests.
    Contact contact = contactManager.getById(new Long(contactId));
    // The sid parameter is always interpreted as a user name (PrincipalSid); an ACE held by a
    // GrantedAuthoritySid would not compare equal and could not be removed through this form.
    Sid sidObject = new PrincipalSid(sid);
    // Rebuild the Permission from the raw mask so that it matches the stored ACE's mask exactly.
    Permission permission = permissionFactory.buildFromMask(mask);
    contactManager.deletePermission(contact, sidObject, permission);
    Map<String, Object> model = new HashMap<String, Object>();
    model.put("contact", contact);
    model.put("sid", sidObject);
    model.put("permission", permission);
    return new ModelAndView("deletePermission", "model", model);
}
Also used : HashMap(java.util.HashMap) LinkedHashMap(java.util.LinkedHashMap) Permission(org.springframework.security.acls.model.Permission) BasePermission(org.springframework.security.acls.domain.BasePermission) ModelAndView(org.springframework.web.servlet.ModelAndView) PrincipalSid(org.springframework.security.acls.domain.PrincipalSid) Sid(org.springframework.security.acls.model.Sid) RequestMapping(org.springframework.web.bind.annotation.RequestMapping)

Example 3 with Permission

use of org.springframework.security.acls.model.Permission in project spring-security by spring-projects.

the class DefaultPermissionFactory method registerPublicPermissions.

/**
 * Registers the public static fields of type {@link Permission} for a given class.
 * <p>
 * These permissions will be registered under the name of the field. See
 * {@link BasePermission} for an example.
 *
 * @param clazz a {@link Permission} class with public static fields to register
 */
protected void registerPublicPermissions(Class<? extends Permission> clazz) {
    Assert.notNull(clazz, "Class required");
    // getFields() returns all public fields, including those inherited from superclasses, so
    // registering a subclass of BasePermission also registers READ, WRITE, CREATE, DELETE and
    // ADMINISTRATION.
    Field[] fields = clazz.getFields();
    for (Field field : fields) {
        try {
            // A null target only works for static fields; get(null) on an instance field
            // throws NullPointerException and the field is skipped by the catch below.
            Object fieldValue = field.get(null);
            if (Permission.class.isAssignableFrom(fieldValue.getClass())) {
                // Found a Permission static field
                Permission perm = (Permission) fieldValue;
                String permissionName = field.getName();
                registerPermission(perm, permissionName);
            }
        } catch (Exception ignore) {
            // Swallows everything: instance fields, null-valued fields, and also the
            // IllegalArgumentException registerPermission() raises for a duplicate mask or
            // name, so a colliding constant is dropped without any error.
        }
    }
}
Also used : Field(java.lang.reflect.Field) Permission(org.springframework.security.acls.model.Permission)

Example 4 with Permission

use of org.springframework.security.acls.model.Permission in project spring-security by spring-projects.

the class DefaultPermissionGrantingStrategy method isGranted.

/**
 * Determines authorization. The order of the <code>permission</code> and
 * <code>sid</code> arguments is <em>extremely important</em>! The method will iterate
 * through each of the <code>permission</code>s in the order specified. For each
 * iteration, all of the <code>sid</code>s will be considered, again in the order they
 * are presented. A search will then be performed for the first
 * {@link AccessControlEntry} object that directly matches that
 * <code>permission:sid</code> combination. When the <em>first full match</em> is
 * found (i.e. an ACE that has the SID currently being searched for and the exact
 * permission bit mask being searched for), the grant or deny flag for that ACE will
 * prevail. If the ACE specifies to grant access, the method will return
 * <code>true</code>. If the ACE specifies to deny access, the loop will stop and the
 * next <code>permission</code> iteration will be performed. If each permission
 * indicates to deny access, the first deny ACE found will be considered the reason
 * for the failure (as it was the first match found, and is therefore the one most
 * logically requiring changes - although not always). If absolutely no matching ACE
 * was found at all for any permission, the parent ACL will be tried (provided that
 * there is a parent and {@link Acl#isEntriesInheriting()} is <code>true</code>). The
 * parent ACL will also scan its parent and so on. If ultimately no matching ACE is
 * found, a <code>NotFoundException</code> will be thrown and the caller will need to
 * decide how to handle the permission check. Similarly, if any of the SID arguments
 * presented to the method were not loaded by the ACL,
 * <code>UnloadedSidException</code> will be thrown.
 *
 * @param permission the exact permissions to scan for (order is important)
 * @param sids the exact SIDs to scan for (order is important)
 * @param administrativeMode if <code>true</code> denotes the query is for
 * administrative purposes and no auditing will be undertaken
 *
 * @return <code>true</code> if one of the permissions has been granted,
 * <code>false</code> if one of the permissions has been specifically revoked
 *
 * @throws NotFoundException if an exact ACE for one of the permission bit masks and
 * SID combination could not be found
 */
public boolean isGranted(Acl acl, List<Permission> permission, List<Sid> sids, boolean administrativeMode) throws NotFoundException {
    final List<AccessControlEntry> aces = acl.getEntries();
    AccessControlEntry firstRejection = null;
    for (Permission p : permission) {
        for (Sid sid : sids) {
            // Attempt to find exact match for this permission mask and SID
            boolean scanNextSid = true;
            for (AccessControlEntry ace : aces) {
                // Masks are compared for equality, not for overlapping bits: a CumulativePermission
                // such as READ|WRITE never matches an ACE that holds only READ.
                if ((ace.getPermission().getMask() == p.getMask()) && ace.getSid().equals(sid)) {
                    // First exact match found: this ACE's grant/deny flag prevails for the pair
                    if (ace.isGranting()) {
                        // Success
                        if (!administrativeMode) {
                            auditLogger.logIfNeeded(true, ace);
                        }
                        return true;
                    }
                    // (this permission is 100% rejected for this SID)
                    if (firstRejection == null) {
                        // Store first rejection for auditing reasons
                        firstRejection = ace;
                    }
                    // helps break the loop
                    scanNextSid = false;
                    // exit aces loop
                    break;
                }
            }
            if (!scanNextSid) {
                // exit SID for loop (now try next permission)
                break;
            }
        }
    }
    if (firstRejection != null) {
        // At least one permission:sid pair hit a deny ACE and none of the permissions was granted
        if (!administrativeMode) {
            auditLogger.logIfNeeded(false, firstRejection);
        }
        return false;
    }
    // No matches have been found so far
    if (acl.isEntriesInheriting() && (acl.getParentAcl() != null)) {
        // We have a parent, so let them try to find a matching ACE.
        // Note that the parent is always queried with administrativeMode = false, so a
        // parent-level ACE is audited even when the caller asked for an administrative check.
        return acl.getParentAcl().isGranted(permission, sids, false);
    } else {
        // We either have no parent, or we're the uppermost parent
        throw new NotFoundException("Unable to locate a matching ACE for passed permissions and SIDs");
    }
}
Also used : Permission(org.springframework.security.acls.model.Permission) AccessControlEntry(org.springframework.security.acls.model.AccessControlEntry) NotFoundException(org.springframework.security.acls.model.NotFoundException) Sid(org.springframework.security.acls.model.Sid)
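The following is a worked example of the ordering rules described in the isGranted javadoc above. It is added for this page and is not code from Spring Security's sources or samples. It builds an in-memory AclImpl directly, with no AclService or database, and wires in the project's real DefaultPermissionGrantingStrategy, so every isGranted call below runs the method shown above. The object identity type "example.Contact", the principals "owner" and "alice" and the authority "ROLE_ACL_ADMIN" are arbitrary values chosen for the demo; the expect() helper is a local assertion, not a Spring API.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.security.acls.domain.AclAuthorizationStrategy;
import org.springframework.security.acls.domain.AclAuthorizationStrategyImpl;
import org.springframework.security.acls.domain.AclImpl;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.ConsoleAuditLogger;
import org.springframework.security.acls.domain.CumulativePermission;
import org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.PermissionGrantingStrategy;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

public class AceOrderingDemo {

    // Local assertion helper (demo only, not part of Spring Security).
    private static void expect(String label, boolean actual, boolean expected) {
        if (actual != expected) {
            throw new AssertionError(label + ": expected " + expected + " but got " + actual);
        }
        System.out.println(label + " -> " + actual);
    }

    public static void main(String[] args) {
        // insertAce() runs the AclAuthorizationStrategy check, which needs an authenticated
        // principal that is the ACL owner (or holds the configured admin authority).
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("owner", "n/a", "ROLE_USER"));

        AclAuthorizationStrategy authz = new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_ACL_ADMIN"));
        PermissionGrantingStrategy granting = new DefaultPermissionGrantingStrategy(new ConsoleAuditLogger());
        Sid owner = new PrincipalSid("owner");
        Sid alice = new PrincipalSid("alice");
        List<Sid> sids = Arrays.asList(alice);

        // Parent ACL. loadedSids = null means "all SIDs loaded", so no UnloadedSidException.
        MutableAcl parent = new AclImpl(new ObjectIdentityImpl("example.Contact", 1L), 1L,
                authz, granting, null, null, false, owner);
        // ACE order is evaluation order: a deny stored before a grant for the same
        // permission:sid pair wins, because the first exact match prevails.
        parent.insertAce(0, BasePermission.READ, alice, false);
        parent.insertAce(1, BasePermission.READ, alice, true);
        parent.insertAce(2, BasePermission.WRITE, alice, true);

        // 1. The deny at index 0 is the first exact match; the grant at index 1 is never reached.
        expect("READ for alice", parent.isGranted(Arrays.asList(BasePermission.READ), sids, false), false);

        // 2. A permission list is "any of": READ is denied, so the loop moves on to WRITE, which is granted.
        expect("READ or WRITE for alice",
                parent.isGranted(Arrays.asList(BasePermission.READ, BasePermission.WRITE), sids, false), true);

        // 3. Matching is on the exact mask. READ|WRITE has mask 3, no ACE carries mask 3, and there is
        //    no parent, so the strategy throws NotFoundException even though READ and WRITE ACEs exist.
        Permission readWrite = new CumulativePermission().set(BasePermission.READ).set(BasePermission.WRITE);
        try {
            parent.isGranted(Arrays.asList(readWrite), sids, false);
            throw new AssertionError("expected NotFoundException for cumulative mask");
        } catch (NotFoundException noExactAce) {
            System.out.println("READ|WRITE for alice -> " + noExactAce.getMessage());
        }

        // 4. A child ACL with no entries and entriesInheriting = true defers to its parent,
        //    inheriting both the WRITE grant and the READ deny.
        MutableAcl child = new AclImpl(new ObjectIdentityImpl("example.Contact", 2L), 2L,
                authz, granting, parent, null, true, owner);
        expect("WRITE for alice via parent", child.isGranted(Arrays.asList(BasePermission.WRITE), sids, false), true);
        expect("READ for alice via parent", child.isGranted(Arrays.asList(BasePermission.READ), sids, false), false);
    }
}
```

Two practical consequences follow from the demo. Because the first exact match wins, the position at which an ACE is inserted (the atIndexLocation argument of insertAce) is part of the policy, not a cosmetic detail, and a deny ACE that is appended after an existing grant does not revoke it. And because the comparison is on the exact mask, an ACE holding a CumulativePermission and a check for one of its component bits never match each other; checks should use the same granularity of Permission objects as the stored entries.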

Example 5 with Permission

use of org.springframework.security.acls.model.Permission in project spring-security by spring-projects.

the class AclPermissionEvaluator method resolvePermission.

List<Permission> resolvePermission(Object permission) {
    // Integer: a raw bit mask, e.g. hasPermission(#contact, 1).
    if (permission instanceof Integer) {
        return Arrays.asList(permissionFactory.buildFromMask(((Integer) permission).intValue()));
    }
    if (permission instanceof Permission) {
        return Arrays.asList((Permission) permission);
    }
    // An array means "any of these": isGranted() returns true on the first one that is granted.
    if (permission instanceof Permission[]) {
        return Arrays.asList((Permission[]) permission);
    }
    if (permission instanceof String) {
        String permString = (String) permission;
        Permission p;
        try {
            p = permissionFactory.buildFromName(permString);
        } catch (IllegalArgumentException notfound) {
            // Retry upper-cased so that hasPermission(#contact, 'read') resolves to READ. If
            // that lookup fails too, buildFromName's IllegalArgumentException propagates.
            p = permissionFactory.buildFromName(permString.toUpperCase(Locale.ENGLISH));
        }
        if (p != null) {
            return Arrays.asList(p);
        }
    }
    throw new IllegalArgumentException("Unsupported permission: " + permission);
}
Also used : Permission(org.springframework.security.acls.model.Permission)
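The following example ties Example 3 (registerPublicPermissions) and Example 5 (resolvePermission) together. It is added for this page and is not code from Spring Security. CustomPermission is a hypothetical BasePermission subclass that claims bit 5 as PUBLISH; the name, bit and code character 'P' are assumptions for the demo. byName() reproduces the String branch of resolvePermission above, which is package-private and therefore cannot be called directly from outside AclPermissionEvaluator.

```java
import java.util.Locale;

import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.DefaultPermissionFactory;
import org.springframework.security.acls.model.Permission;

public class CustomPermissionDemo {

    // Hypothetical extension: bits 0-4 are READ, WRITE, CREATE, DELETE, ADMINISTRATION
    // (masks 1, 2, 4, 8, 16), so the next free bit becomes PUBLISH.
    public static class CustomPermission extends BasePermission {
        public static final Permission PUBLISH = new CustomPermission(1 << 5, 'P');

        protected CustomPermission(int mask, char code) {
            super(mask, code);
        }
    }

    // Same logic as the String branch of AclPermissionEvaluator.resolvePermission:
    // exact name first, then the upper-cased name; an unknown name still throws.
    static Permission byName(DefaultPermissionFactory factory, String name) {
        try {
            return factory.buildFromName(name);
        } catch (IllegalArgumentException notFound) {
            return factory.buildFromName(name.toUpperCase(Locale.ENGLISH));
        }
    }

    public static void main(String[] args) {
        // registerPublicPermissions() walks Class.getFields(), which includes inherited public
        // fields, so registering the subclass also registers the five BasePermission constants.
        DefaultPermissionFactory factory = new DefaultPermissionFactory(CustomPermission.class);

        Permission publish = byName(factory, "publish");   // resolved through the upper-case retry
        Permission read = byName(factory, "READ");         // inherited constant, registered as well
        System.out.println("publish mask=" + publish.getMask() + " pattern=" + publish.getPattern());
        System.out.println("read    mask=" + read.getMask() + " pattern=" + read.getPattern());

        // A mask that is not itself a registered constant is decomposed bit by bit into a
        // CumulativePermission, as buildFromMask does for the controllers in Examples 1 and 2.
        int combined = BasePermission.READ.getMask() | CustomPermission.PUBLISH.getMask();
        Permission readAndPublish = factory.buildFromMask(combined);
        System.out.println(readAndPublish.getClass().getSimpleName() + " " + readAndPublish.getPattern());

        // A mask containing a bit that no registered permission owns is rejected. This is what
        // stops a request-supplied integer from naming a permission the application never defined.
        try {
            factory.buildFromMask(1 << 7);
            throw new AssertionError("unregistered bit should have been rejected");
        } catch (IllegalStateException rejected) {
            System.out.println("rejected mask 128: " + rejected.getMessage());
        }

        // Unknown names are rejected too: both the exact and the upper-cased lookup fail.
        try {
            byName(factory, "nuke");
            throw new AssertionError("unknown name should have been rejected");
        } catch (IllegalArgumentException rejected) {
            System.out.println("rejected name: " + rejected.getMessage());
        }
    }
}
```

One caveat from Example 3 applies here: registerPublicPermissions swallows every exception, so if CustomPermission had reused mask 1 or the name READ, the colliding constant would be dropped silently rather than failing at startup. Checking buildFromName for each custom constant in a test is the cheap way to catch that.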
