/**
 * Evaluate one expression constraint for the given action and principals
 * and report whether it grants access.
 *
 * <p>A constraint that carries permissions grants only when the action
 * matches those permissions and the supplied user/role/group principals
 * match the constraint. A constraint without permissions (a denial) is
 * treated purely as a negative grant: it yields {@code false} when the
 * principals match and {@code true} otherwise. The action is not
 * consulted on that path, so a denial evaluated here does not force the
 * overall expression check to fail the way it does when the same
 * constraint is specified or referenced as a security constraint proper.
 *
 * <p>NOTE(review): the meaning of the final boolean argument passed to
 * {@code principalsMatch} ({@code true} on the grant path, {@code false}
 * on the denial path) is not visible in this block; confirm it against
 * {@code SecurityConstraintImpl}.
 *
 * @param action check action
 * @param userPrincipals check user principals
 * @param rolePrincipals check role principals
 * @param groupPrincipals check group principals
 * @param constraint check constraint
 * @return flag indicating permission grant
 */
private boolean checkExpressionConstraint(String action, List<String> userPrincipals, List<String> rolePrincipals, List<String> groupPrincipals, SecurityConstraintImpl constraint)
{
    // denial (no permissions specified): granted only when no principal matched
    if (constraint.getPermissions() == null)
    {
        boolean deniedPrincipalMatched = constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, false);
        return !deniedPrincipalMatched;
    }

    // grant: the action must match first; principals are only evaluated
    // once it does, mirroring the short-circuit of a combined && test
    if (!constraint.actionMatch(action))
    {
        return false;
    }
    return constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, true);
}
}
if (constraint.getPermissions() != null)
if (constraint.getPermissions() != null)
if (constraint.getPermissions() != null)