private boolean checkPermission(Authentication authentication, ObjectIdentity oid, Object permission) { // Obtain the SIDs applicable to the principal List<Sid> sids = sidRetrievalStrategy.getSids(authentication); List<Permission> requiredPermission = resolvePermission(permission); final boolean debug = logger.isDebugEnabled(); if (debug) { logger.debug("Checking permission '" + permission + "' for object '" + oid + "'"); } try { // Lookup only ACLs for SIDs we're interested in Acl acl = aclService.readAclById(oid, sids); if (acl.isGranted(requiredPermission, sids, false)) { if (debug) { logger.debug("Access is granted"); } return true; } if (debug) { logger.debug("Returning false - ACLs returned, but insufficient permissions for this principal"); } } catch (NotFoundException nfe) { if (debug) { logger.debug("Returning false - no ACLs apply for this principal"); } } return false; }
protected boolean hasPermission(Authentication authentication, Object domainObject) { // Obtain the OID applicable to the domain object ObjectIdentity objectIdentity = objectIdentityRetrievalStrategy .getObjectIdentity(domainObject); // Obtain the SIDs applicable to the principal List<Sid> sids = sidRetrievalStrategy.getSids(authentication); try { // Lookup only ACLs for SIDs we're interested in Acl acl = aclService.readAclById(objectIdentity, sids); return acl.isGranted(requirePermission, sids, false); } catch (NotFoundException ignore) { return false; } }
if (acl.isGranted(Arrays.asList(BasePermission.ADMINISTRATION), sids, false)) { return;
if (acl.isGranted(requirePermission, sids, false)) { if (logger.isDebugEnabled()) { logger.debug("Voting to grant access");
@Test public void hasPermissionReturnsTrueIfAclGrantsPermission() throws Exception { AclService service = mock(AclService.class); AclPermissionEvaluator pe = new AclPermissionEvaluator(service); ObjectIdentity oid = mock(ObjectIdentity.class); ObjectIdentityRetrievalStrategy oidStrategy = mock(ObjectIdentityRetrievalStrategy.class); when(oidStrategy.getObjectIdentity(any(Object.class))).thenReturn(oid); pe.setObjectIdentityRetrievalStrategy(oidStrategy); pe.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class)); Acl acl = mock(Acl.class); when(service.readAclById(any(ObjectIdentity.class), anyList())).thenReturn(acl); when(acl.isGranted(anyList(), anyList(), eq(false))).thenReturn(true); assertThat(pe.hasPermission(mock(Authentication.class), new Object(), "READ")).isTrue(); }
@Test public void resolvePermissionNonEnglishLocale() { Locale systemLocale = Locale.getDefault(); Locale.setDefault(new Locale("tr")); AclService service = mock(AclService.class); AclPermissionEvaluator pe = new AclPermissionEvaluator(service); ObjectIdentity oid = mock(ObjectIdentity.class); ObjectIdentityRetrievalStrategy oidStrategy = mock(ObjectIdentityRetrievalStrategy.class); when(oidStrategy.getObjectIdentity(any(Object.class))).thenReturn(oid); pe.setObjectIdentityRetrievalStrategy(oidStrategy); pe.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class)); Acl acl = mock(Acl.class); when(service.readAclById(any(ObjectIdentity.class), anyList())).thenReturn(acl); when(acl.isGranted(anyList(), anyList(), eq(false))).thenReturn(true); assertThat(pe.hasPermission(mock(Authentication.class), new Object(), "write")).isTrue(); Locale.setDefault(systemLocale); } }
@Test public void objectsAreRemovedIfPermissionDenied() throws Exception { AclService service = mock(AclService.class); Acl acl = mock(Acl.class); when(acl.isGranted(any(), any(), anyBoolean())).thenReturn( false); when(service.readAclById(any(), any())).thenReturn( acl); AclEntryAfterInvocationCollectionFilteringProvider provider = new AclEntryAfterInvocationCollectionFilteringProvider( service, Arrays.asList(mock(Permission.class))); provider.setObjectIdentityRetrievalStrategy(mock(ObjectIdentityRetrievalStrategy.class)); provider.setProcessDomainObjectClass(Object.class); provider.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class)); Object returned = provider.decide(mock(Authentication.class), new Object(), SecurityConfig.createList("AFTER_ACL_COLLECTION_READ"), new ArrayList( Arrays.asList(new Object(), new Object()))); assertThat(returned).isInstanceOf(List.class); assertThat(((List) returned)).isEmpty(); returned = provider.decide(mock(Authentication.class), new Object(), SecurityConfig.createList("UNSUPPORTED", "AFTER_ACL_COLLECTION_READ"), new Object[] { new Object(), new Object() }); assertThat(returned instanceof Object[]).isTrue(); assertThat(((Object[]) returned).length == 0).isTrue(); }
@Test public void accessIsAllowedIfPermissionIsGranted() { AclService service = mock(AclService.class); Acl acl = mock(Acl.class); when(acl.isGranted(any(List.class), any(List.class), anyBoolean())).thenReturn( true); when(service.readAclById(any(), any())).thenReturn( acl); AclEntryAfterInvocationProvider provider = new AclEntryAfterInvocationProvider( service, Arrays.asList(mock(Permission.class))); provider.setMessageSource(new SpringSecurityMessageSource()); provider.setObjectIdentityRetrievalStrategy(mock(ObjectIdentityRetrievalStrategy.class)); provider.setProcessDomainObjectClass(Object.class); provider.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class)); Object returned = new Object(); assertThat( returned) .isSameAs( provider.decide(mock(Authentication.class), new Object(), SecurityConfig.createList("AFTER_ACL_READ"), returned)); }
@Test(expected = AccessDeniedException.class) public void accessIsDeniedIfPermissionIsNotGranted() { AclService service = mock(AclService.class); Acl acl = mock(Acl.class); when(acl.isGranted(any(List.class), any(List.class), anyBoolean())).thenReturn( false); // Try a second time with no permissions found when(acl.isGranted(any(), any(List.class), anyBoolean())).thenThrow( new NotFoundException("")); when(service.readAclById(any(), any())).thenReturn( acl); AclEntryAfterInvocationProvider provider = new AclEntryAfterInvocationProvider( service, Arrays.asList(mock(Permission.class))); provider.setProcessConfigAttribute("MY_ATTRIBUTE"); provider.setMessageSource(new SpringSecurityMessageSource()); provider.setObjectIdentityRetrievalStrategy(mock(ObjectIdentityRetrievalStrategy.class)); provider.setProcessDomainObjectClass(Object.class); provider.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class)); try { provider.decide(mock(Authentication.class), new Object(), SecurityConfig.createList("UNSUPPORTED", "MY_ATTRIBUTE"), new Object()); fail("Expected Exception"); } catch (AccessDeniedException expected) { } // Second scenario with no acls found provider.decide(mock(Authentication.class), new Object(), SecurityConfig.createList("UNSUPPORTED", "MY_ATTRIBUTE"), new Object()); }
return acl.getParentAcl().isGranted(permission, sids, false);
/** * Check access for specified object * @param o * @param perms * @return */ public boolean isGranted(ObjectIdentity o, Permission ... perms) { Assert.notNull(o, "Secured object is null"); if (isAdminFor(o)) { return true; } try { Acl acl = aclService.readAclById(o); return acl.isGranted(Arrays.asList(perms), sids, false); } catch (NotFoundException e) { return false; } }
@Transactional(readOnly = true) @Override public boolean hasPermission( SecurityPrincipal principal, IdBasedEntity entity, AclPermission permission ) { List<Sid> sids = buildSids( principal ); List<Permission> aclPermissions = Collections.singletonList( permission ); try { // Lookup only ACLs for SIDs we're interested in Acl acl = aclService.readAclById( objectIdentity( entity ), sids ); if ( acl.isGranted( aclPermissions, sids, false ) ) { return true; } } catch ( NotFoundException nfe ) { return false; } return false; }
private boolean checkPermission(Authentication authentication, ObjectIdentity oid, Object permission) { // Obtain the SIDs applicable to the principal List<Sid> sids = sidRetrievalStrategy.getSids(authentication); List<Permission> requiredPermission = resolvePermission(permission); final boolean debug = logger.isDebugEnabled(); if (debug) { logger.debug("Checking permission '" + permission + "' for object '" + oid + "'"); } try { // Lookup only ACLs for SIDs we're interested in Acl acl = aclService.readAclById(oid, sids); if (acl.isGranted(requiredPermission, sids, false)) { if (debug) { logger.debug("Access is granted"); } return true; } if (debug) { logger.debug("Returning false - ACLs returned, but insufficient permissions for this principal"); } } catch (NotFoundException nfe) { if (debug) { logger.debug("Returning false - no ACLs apply for this principal"); } } return false; }
protected boolean hasPermission(Authentication authentication, Object domainObject) { // Obtain the OID applicable to the domain object ObjectIdentity objectIdentity = objectIdentityRetrievalStrategy .getObjectIdentity(domainObject); // Obtain the SIDs applicable to the principal List<Sid> sids = sidRetrievalStrategy.getSids(authentication); try { // Lookup only ACLs for SIDs we're interested in Acl acl = aclService.readAclById(objectIdentity, sids); return acl.isGranted(requirePermission, sids, false); } catch (NotFoundException ignore) { return false; } }
if (acl.isGranted(Arrays.asList(BasePermission.ADMINISTRATION), sids, false)) { return;
if (!acl.isGranted(requirePermission, sids, false)) { if (logger.isDebugEnabled()) { logger.debug(
if (acl.isGranted(permissions, sids, false)) {
if (acl.isGranted(permissions, sids, false)) {
return acl.getParentAcl().isGranted(permission, sids, false); } else {