/**
 * Handles submission of the "add permission" form: validates the request, builds the
 * recipient {@code Sid} and the {@code Permission} from the submitted mask, and asks the
 * contact manager to store the new ACL entry.
 *
 * @param addPermission the bound form object (contact, recipient and permission mask)
 * @param result binding/validation errors for the form; a field rejection is added here
 * when the ACL update fails
 * @param model view model; on any failure it is repopulated with the recipient and
 * permission choice lists so the form can be redisplayed
 * @return the form view name on failure, otherwise a redirect to the secure index page
 */
@RequestMapping(value = "/secure/addPermission.htm", method = RequestMethod.POST)
public String addPermission(AddPermission addPermission, BindingResult result, ModelMap model) {
    addPermissionValidator.validate(addPermission, result);
    if (result.hasErrors()) {
        return redisplayAddPermissionForm(model);
    }
    PrincipalSid recipientSid = new PrincipalSid(addPermission.getRecipient());
    Permission requested = permissionFactory.buildFromMask(addPermission.getPermission());
    try {
        contactManager.addPermission(addPermission.getContact(), recipientSid, requested);
    }
    catch (DataAccessException existingPermission) {
        // NOTE(review): every DataAccessException is reported to the user as "recipient
        // already has this permission"; any other persistence failure shows the same message.
        existingPermission.printStackTrace();
        result.rejectValue("recipient", "err.recipientExistsForContact", "Addition failure.");
        return redisplayAddPermissionForm(model);
    }
    return "redirect:/secure/index.htm";
}

/** Repopulates the choice lists and returns the view name of the "add permission" form. */
private String redisplayAddPermissionForm(ModelMap model) {
    model.put("recipients", listRecipients());
    model.put("permissions", listPermissions());
    return "addPermission";
}
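/**
 * Deletes a single ACL entry (contact, sid, permission mask) and shows a confirmation page.
 * <p>
 * NOTE(review): unlike {@code addPermission}, this mapping does not restrict the HTTP method,
 * so the state-changing delete is reachable through a plain link / GET request. Restricting
 * it to POST would change how existing links invoke it, so it is left as is here.
 *
 * @param contactId id of the contact whose ACL is changed
 * @param sid principal name the entry was granted to
 * @param mask integer bit mask of the permission to remove, resolved through the configured
 * permission factory
 * @return the "deletePermission" view with the contact, sid and permission that were removed
 */
@RequestMapping(value = "/secure/deletePermission.htm")
public ModelAndView deletePermission(@RequestParam("contactId") int contactId, @RequestParam("sid") String sid, @RequestParam("permission") int mask) {
    // Long.valueOf replaces the deprecated boxing constructor; the int is widened as before.
    Contact contact = contactManager.getById(Long.valueOf(contactId));
    Sid sidObject = new PrincipalSid(sid);
    Permission permission = permissionFactory.buildFromMask(mask);
    contactManager.deletePermission(contact, sidObject, permission);
    Map<String, Object> model = new HashMap<String, Object>();
    model.put("contact", contact);
    model.put("sid", sidObject);
    model.put("permission", permission);
    return new ModelAndView("deletePermission", "model", model);
}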
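/**
 * Registers the public static fields of type {@link Permission} for a given class.
 * <p>
 * These permissions will be registered under the name of the field. See
 * {@link BasePermission} for an example. Fields that are not static, are not
 * {@link Permission} instances, or hold {@code null} are skipped, as is a field that
 * cannot be read reflectively.
 *
 * @param clazz a {@link Permission} class with public static fields to register
 * @throws IllegalArgumentException if {@code clazz} is {@code null}
 */
protected void registerPublicPermissions(Class<? extends Permission> clazz) {
    Assert.notNull(clazz, "Class required");
    for (Field field : clazz.getFields()) {
        // Only static fields can be read with a null receiver; checking up front means
        // instance fields are skipped explicitly instead of via a swallowed exception.
        if (!java.lang.reflect.Modifier.isStatic(field.getModifiers())) {
            continue;
        }
        Object fieldValue;
        try {
            fieldValue = field.get(null);
        }
        catch (IllegalAccessException inaccessible) {
            // getFields() returns public fields only, so this means the declaring class
            // itself is not accessible from here; skip the field as before.
            continue;
        }
        // instanceof also rejects a null value, which the former getClass() call did not
        if (fieldValue instanceof Permission) {
            // NOTE(review): failures raised by registerPermission are no longer swallowed
            // here — confirm callers expect them to propagate.
            registerPermission((Permission) fieldValue, field.getName());
        }
    }
}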
/**
 * Decides whether any of the requested permissions is granted to any of the given SIDs.
 * <p>
 * Ordering matters. Permissions are tried in the order given; for each permission the SIDs
 * are tried in the order given, and the first ACE whose mask equals that permission's mask
 * <em>exactly</em> and whose SID equals the current SID decides the outcome for that
 * permission: a granting ACE returns {@code true} immediately, a denying ACE stops the SID
 * scan and moves on to the next permission. If every permission ends in a denial, the first
 * denying ACE found is reported to the audit logger as the reason and {@code false} is
 * returned. If no ACE matched at all, the parent ACL (when present and
 * {@link Acl#isEntriesInheriting()} is {@code true}) is asked instead; that delegated call is
 * never in administrative mode, so the parent audits normally. Without a parent a
 * {@link NotFoundException} is thrown. SIDs that were not loaded by the ACL may cause an
 * {@code UnloadedSidException}.
 *
 * @param acl the ACL whose entries are scanned
 * @param permission the exact permissions to scan for (order is important)
 * @param sids the exact SIDs to scan for (order is important)
 * @param administrativeMode if {@code true} the query is administrative and the audit logger
 * is not consulted for this ACL's own entries
 * @return {@code true} if one of the permissions has been granted, {@code false} if one of the
 * permissions has been specifically denied
 * @throws NotFoundException if no ACE for any permission/SID combination was found in this
 * ACL or any parent
 */
public boolean isGranted(Acl acl, List<Permission> permission, List<Sid> sids, boolean administrativeMode) throws NotFoundException {
    final List<AccessControlEntry> aces = acl.getEntries();
    AccessControlEntry firstRejection = null;
    nextPermission:
    for (Permission p : permission) {
        for (Sid sid : sids) {
            AccessControlEntry decisive = firstExactMatch(aces, p, sid);
            if (decisive == null) {
                // nothing recorded for this SID; try the next one
                continue;
            }
            if (decisive.isGranting()) {
                if (!administrativeMode) {
                    auditLogger.logIfNeeded(true, decisive);
                }
                return true;
            }
            // an explicit denial: remember the first one for auditing and give up on this
            // permission (the remaining SIDs are not consulted for it)
            if (firstRejection == null) {
                firstRejection = decisive;
            }
            continue nextPermission;
        }
    }
    if (firstRejection != null) {
        if (!administrativeMode) {
            auditLogger.logIfNeeded(false, firstRejection);
        }
        return false;
    }
    if (acl.isEntriesInheriting() && (acl.getParentAcl() != null)) {
        // no local ACE matched; the parent's own entries decide, never in administrative mode
        return acl.getParentAcl().isGranted(permission, sids, false);
    }
    throw new NotFoundException("Unable to locate a matching ACE for passed permissions and SIDs");
}

/**
 * Returns the first entry whose permission mask equals {@code p}'s mask exactly and whose
 * SID equals {@code sid}, or {@code null} when there is none. A cumulative mask is not
 * matched by its component bits, only by an ACE carrying the identical mask.
 */
private static AccessControlEntry firstExactMatch(List<AccessControlEntry> aces, Permission p, Sid sid) {
    for (AccessControlEntry ace : aces) {
        if (ace.getPermission().getMask() == p.getMask() && ace.getSid().equals(sid)) {
            return ace;
        }
    }
    return null;
}
/**
 * Converts the {@code permission} argument of a permission check into the list of
 * {@link Permission}s to evaluate. An {@link Integer} is treated as a bit mask, a
 * {@link Permission} or {@code Permission[]} is used as is, and a {@link String} is looked
 * up by name through the permission factory, first verbatim and then upper-cased with the
 * English locale.
 *
 * @param permission mask, permission, permission array or permission name
 * @return the resolved permissions
 * @throws IllegalArgumentException if the argument has another type, if the factory returns
 * no permission for the name, or if the upper-cased name lookup is rejected by the factory
 */
List<Permission> resolvePermission(Object permission) {
    if (permission instanceof Permission) {
        return Arrays.asList((Permission) permission);
    }
    if (permission instanceof Permission[]) {
        return Arrays.asList((Permission[]) permission);
    }
    if (permission instanceof Integer) {
        int mask = (Integer) permission;
        return Arrays.asList(permissionFactory.buildFromMask(mask));
    }
    if (permission instanceof String) {
        Permission byName = lookupPermissionByName((String) permission);
        if (byName != null) {
            return Arrays.asList(byName);
        }
    }
    throw new IllegalArgumentException("Unsupported permission: " + permission);
}

/**
 * Looks a permission up by name, retrying with the upper-cased name when the verbatim lookup
 * is rejected by the factory. Returns whatever the factory returns, which may be {@code null}.
 */
private Permission lookupPermissionByName(String name) {
    try {
        return permissionFactory.buildFromName(name);
    }
    catch (IllegalArgumentException notFound) {
        return permissionFactory.buildFromName(name.toUpperCase(Locale.ENGLISH));
    }
}