private boolean checkPermission(Authentication authentication, ObjectIdentity oid, Object permission) { // Obtain the SIDs applicable to the principal List<Sid> sids = sidRetrievalStrategy.getSids(authentication); List<Permission> requiredPermission = resolvePermission(permission); final boolean debug = logger.isDebugEnabled(); if (debug) { logger.debug("Checking permission '" + permission + "' for object '" + oid + "'"); } try { // Lookup only ACLs for SIDs we're interested in Acl acl = aclService.readAclById(oid, sids); if (acl.isGranted(requiredPermission, sids, false)) { if (debug) { logger.debug("Access is granted"); } return true; } if (debug) { logger.debug("Returning false - ACLs returned, but insufficient permissions for this principal"); } } catch (NotFoundException nfe) { if (debug) { logger.debug("Returning false - no ACLs apply for this principal"); } } return false; }
protected boolean hasPermission(Authentication authentication, Object domainObject) { // Obtain the OID applicable to the domain object ObjectIdentity objectIdentity = objectIdentityRetrievalStrategy .getObjectIdentity(domainObject); // Obtain the SIDs applicable to the principal List<Sid> sids = sidRetrievalStrategy.getSids(authentication); try { // Lookup only ACLs for SIDs we're interested in Acl acl = aclService.readAclById(objectIdentity, sids); return acl.isGranted(requirePermission, sids, false); } catch (NotFoundException ignore) { return false; } }
@Test public void nullReturnObjectIsIgnored() throws Exception { AclService service = mock(AclService.class); AclEntryAfterInvocationProvider provider = new AclEntryAfterInvocationProvider( service, Arrays.asList(mock(Permission.class))); assertThat(provider.decide(mock(Authentication.class), new Object(), SecurityConfig.createList("AFTER_ACL_COLLECTION_READ"), null)) .isNull(); verify(service, never()).readAclById(any(ObjectIdentity.class), any(List.class)); } }
@Test public void nullReturnObjectIsIgnored() throws Exception { AclService service = mock(AclService.class); AclEntryAfterInvocationCollectionFilteringProvider provider = new AclEntryAfterInvocationCollectionFilteringProvider( service, Arrays.asList(mock(Permission.class))); assertThat(provider.decide(mock(Authentication.class), new Object(), SecurityConfig.createList("AFTER_ACL_COLLECTION_READ"), null)) .isNull(); verify(service, never()).readAclById(any(ObjectIdentity.class), any(List.class)); }
acl = aclService.readAclById(objectIdentity, sids);
@Test public void hasPermissionReturnsTrueIfAclGrantsPermission() throws Exception { AclService service = mock(AclService.class); AclPermissionEvaluator pe = new AclPermissionEvaluator(service); ObjectIdentity oid = mock(ObjectIdentity.class); ObjectIdentityRetrievalStrategy oidStrategy = mock(ObjectIdentityRetrievalStrategy.class); when(oidStrategy.getObjectIdentity(any(Object.class))).thenReturn(oid); pe.setObjectIdentityRetrievalStrategy(oidStrategy); pe.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class)); Acl acl = mock(Acl.class); when(service.readAclById(any(ObjectIdentity.class), anyList())).thenReturn(acl); when(acl.isGranted(anyList(), anyList(), eq(false))).thenReturn(true); assertThat(pe.hasPermission(mock(Authentication.class), new Object(), "READ")).isTrue(); }
@Test public void resolvePermissionNonEnglishLocale() { Locale systemLocale = Locale.getDefault(); Locale.setDefault(new Locale("tr")); AclService service = mock(AclService.class); AclPermissionEvaluator pe = new AclPermissionEvaluator(service); ObjectIdentity oid = mock(ObjectIdentity.class); ObjectIdentityRetrievalStrategy oidStrategy = mock(ObjectIdentityRetrievalStrategy.class); when(oidStrategy.getObjectIdentity(any(Object.class))).thenReturn(oid); pe.setObjectIdentityRetrievalStrategy(oidStrategy); pe.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class)); Acl acl = mock(Acl.class); when(service.readAclById(any(ObjectIdentity.class), anyList())).thenReturn(acl); when(acl.isGranted(anyList(), anyList(), eq(false))).thenReturn(true); assertThat(pe.hasPermission(mock(Authentication.class), new Object(), "write")).isTrue(); Locale.setDefault(systemLocale); } }
@Test public void objectsAreRemovedIfPermissionDenied() throws Exception { AclService service = mock(AclService.class); Acl acl = mock(Acl.class); when(acl.isGranted(any(), any(), anyBoolean())).thenReturn( false); when(service.readAclById(any(), any())).thenReturn( acl); AclEntryAfterInvocationCollectionFilteringProvider provider = new AclEntryAfterInvocationCollectionFilteringProvider( service, Arrays.asList(mock(Permission.class))); provider.setObjectIdentityRetrievalStrategy(mock(ObjectIdentityRetrievalStrategy.class)); provider.setProcessDomainObjectClass(Object.class); provider.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class)); Object returned = provider.decide(mock(Authentication.class), new Object(), SecurityConfig.createList("AFTER_ACL_COLLECTION_READ"), new ArrayList( Arrays.asList(new Object(), new Object()))); assertThat(returned).isInstanceOf(List.class); assertThat(((List) returned)).isEmpty(); returned = provider.decide(mock(Authentication.class), new Object(), SecurityConfig.createList("UNSUPPORTED", "AFTER_ACL_COLLECTION_READ"), new Object[] { new Object(), new Object() }); assertThat(returned instanceof Object[]).isTrue(); assertThat(((Object[]) returned).length == 0).isTrue(); }
@Test public void accessIsAllowedIfPermissionIsGranted() { AclService service = mock(AclService.class); Acl acl = mock(Acl.class); when(acl.isGranted(any(List.class), any(List.class), anyBoolean())).thenReturn( true); when(service.readAclById(any(), any())).thenReturn( acl); AclEntryAfterInvocationProvider provider = new AclEntryAfterInvocationProvider( service, Arrays.asList(mock(Permission.class))); provider.setMessageSource(new SpringSecurityMessageSource()); provider.setObjectIdentityRetrievalStrategy(mock(ObjectIdentityRetrievalStrategy.class)); provider.setProcessDomainObjectClass(Object.class); provider.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class)); Object returned = new Object(); assertThat( returned) .isSameAs( provider.decide(mock(Authentication.class), new Object(), SecurityConfig.createList("AFTER_ACL_READ"), returned)); }
@Test(expected = AccessDeniedException.class) public void accessIsDeniedIfPermissionIsNotGranted() { AclService service = mock(AclService.class); Acl acl = mock(Acl.class); when(acl.isGranted(any(List.class), any(List.class), anyBoolean())).thenReturn( false); // Try a second time with no permissions found when(acl.isGranted(any(), any(List.class), anyBoolean())).thenThrow( new NotFoundException("")); when(service.readAclById(any(), any())).thenReturn( acl); AclEntryAfterInvocationProvider provider = new AclEntryAfterInvocationProvider( service, Arrays.asList(mock(Permission.class))); provider.setProcessConfigAttribute("MY_ATTRIBUTE"); provider.setMessageSource(new SpringSecurityMessageSource()); provider.setObjectIdentityRetrievalStrategy(mock(ObjectIdentityRetrievalStrategy.class)); provider.setProcessDomainObjectClass(Object.class); provider.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class)); try { provider.decide(mock(Authentication.class), new Object(), SecurityConfig.createList("UNSUPPORTED", "MY_ATTRIBUTE"), new Object()); fail("Expected Exception"); } catch (AccessDeniedException expected) { } // Second scenario with no acls found provider.decide(mock(Authentication.class), new Object(), SecurityConfig.createList("UNSUPPORTED", "MY_ATTRIBUTE"), new Object()); }
public PermissionData getPermission(ObjectIdentity oid) { Assert.notNull(oid, "Secured object is null"); if(isAdminFor(oid)) { return PermissionData.ALL; } try { Acl realAcl = aclService.readAclById(oid); return pgs.getPermission(realAcl, sids); } catch (NotFoundException e) { return PermissionData.NONE; } }
/** * Check access for specified object * @param o * @param perms * @return */ public boolean isGranted(ObjectIdentity o, Permission ... perms) { Assert.notNull(o, "Secured object is null"); if (isAdminFor(o)) { return true; } try { Acl acl = aclService.readAclById(o); return acl.isGranted(Arrays.asList(perms), sids, false); } catch (NotFoundException e) { return false; } }
private boolean checkPermission(Authentication authentication, ObjectIdentity oid, Object permission) { // Obtain the SIDs applicable to the principal List<Sid> sids = sidRetrievalStrategy.getSids(authentication); List<Permission> requiredPermission = resolvePermission(permission); final boolean debug = logger.isDebugEnabled(); if (debug) { logger.debug("Checking permission '" + permission + "' for object '" + oid + "'"); } try { // Lookup only ACLs for SIDs we're interested in Acl acl = aclService.readAclById(oid, sids); if (acl.isGranted(requiredPermission, sids, false)) { if (debug) { logger.debug("Access is granted"); } return true; } if (debug) { logger.debug("Returning false - ACLs returned, but insufficient permissions for this principal"); } } catch (NotFoundException nfe) { if (debug) { logger.debug("Returning false - no ACLs apply for this principal"); } } return false; }
protected boolean hasPermission(Authentication authentication, Object domainObject) { // Obtain the OID applicable to the domain object ObjectIdentity objectIdentity = objectIdentityRetrievalStrategy .getObjectIdentity(domainObject); // Obtain the SIDs applicable to the principal List<Sid> sids = sidRetrievalStrategy.getSids(authentication); try { // Lookup only ACLs for SIDs we're interested in Acl acl = aclService.readAclById(objectIdentity, sids); return acl.isGranted(requirePermission, sids, false); } catch (NotFoundException ignore) { return false; } }
acl = aclService.readAclById(objectIdentity, sids); } catch (NotFoundException nfe) { if (logger.isDebugEnabled()) {
final Acl acl = aclService.readAclById(oid, sids);
final Acl acl = aclService.readAclById(oid, sids);
final Acl acl = aclService.readAclById(oid, sids);
final Acl acl = aclService.readAclById(oid, sids);
final Acl acl = aclService.readAclById(oid, sids);