Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge Formatting Changes 

Issue gh-8945
This commit is contained in:
Rob Winch 2020-08-24 16:38:12 -05:00
parent cf48f986f6 36ae1fe3f9
commit 2abf59b695
2779 changed files with 82438 additions and 91751 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

151
acl/src/main/java/org/springframework/security/acls/AclEntryVoter.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls;
import java.lang.reflect.InvocationTargetException;
@ -24,6 +25,7 @@ import java.util.List;
import org.aopalliance.intercept.MethodInvocation;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.access.AuthorizationServiceException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.vote.AbstractAclVoter;
@ -39,6 +41,7 @@ import org.springframework.security.acls.model.Sid;
import org.springframework.security.acls.model.SidRetrievalStrategy;
import org.springframework.security.core.Authentication;
import org.springframework.util.Assert;
import org.springframework.util.ObjectUtils;
import org.springframework.util.StringUtils;
/**
@ -92,59 +95,45 @@ import org.springframework.util.StringUtils;
* <p>
* All comparisons and prefixes are case sensitive.
*
*
* @author Ben Alex
*/
public class AclEntryVoter extends AbstractAclVoter {
// ~ Static fields/initializers
// =====================================================================================
private static final Log logger = LogFactory.getLog(AclEntryVoter.class);
// ~ Instance fields
// ================================================================================================
private final AclService aclService;
private final String processConfigAttribute;
private final List<Permission> requirePermission;
private AclService aclService;
private ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy = new ObjectIdentityRetrievalStrategyImpl();
private SidRetrievalStrategy sidRetrievalStrategy = new SidRetrievalStrategyImpl();
private String internalMethod;
private String processConfigAttribute;
private List<Permission> requirePermission;
// ~ Constructors
// ===================================================================================================
public AclEntryVoter(AclService aclService, String processConfigAttribute,
Permission[] requirePermission) {
public AclEntryVoter(AclService aclService, String processConfigAttribute, Permission[] requirePermission) {
Assert.notNull(processConfigAttribute, "A processConfigAttribute is mandatory");
Assert.notNull(aclService, "An AclService is mandatory");
if ((requirePermission == null) || (requirePermission.length == 0)) {
throw new IllegalArgumentException(
"One or more requirePermission entries is mandatory");
}
Assert.isTrue(!ObjectUtils.isEmpty(requirePermission), "One or more requirePermission entries is mandatory");
this.aclService = aclService;
this.processConfigAttribute = processConfigAttribute;
this.requirePermission = Arrays.asList(requirePermission);
}
// ~ Methods
// ========================================================================================================
/**
* Optionally specifies a method of the domain object that will be used to obtain a
* contained domain object. That contained domain object will be used for the ACL
* evaluation. This is useful if a domain object contains a parent that an ACL
* evaluation should be targeted for, instead of the child domain object (which
* perhaps is being created and as such does not yet have any ACL permissions)
*
* @return <code>null</code> to use the domain object, or the name of a method (that
* requires no arguments) that should be invoked to obtain an <code>Object</code>
* which will be the domain object used for ACL evaluation
*/
protected String getInternalMethod() {
return internalMethod;
return this.internalMethod;
}
public void setInternalMethod(String internalMethod) {
@ -152,13 +141,11 @@ public class AclEntryVoter extends AbstractAclVoter {
}
protected String getProcessConfigAttribute() {
return processConfigAttribute;
return this.processConfigAttribute;
}
public void setObjectIdentityRetrievalStrategy(
ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy) {
Assert.notNull(objectIdentityRetrievalStrategy,
"ObjectIdentityRetrievalStrategy required");
public void setObjectIdentityRetrievalStrategy(ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy) {
Assert.notNull(objectIdentityRetrievalStrategy, "ObjectIdentityRetrievalStrategy required");
this.objectIdentityRetrievalStrategy = objectIdentityRetrievalStrategy;
}
@ -167,103 +154,60 @@ public class AclEntryVoter extends AbstractAclVoter {
this.sidRetrievalStrategy = sidRetrievalStrategy;
}
@Override
public boolean supports(ConfigAttribute attribute) {
return (attribute.getAttribute() != null)
&& attribute.getAttribute().equals(getProcessConfigAttribute());
return (attribute.getAttribute() != null) && attribute.getAttribute().equals(getProcessConfigAttribute());
}
public int vote(Authentication authentication, MethodInvocation object,
Collection<ConfigAttribute> attributes) {
@Override
public int vote(Authentication authentication, MethodInvocation object, Collection<ConfigAttribute> attributes) {
for (ConfigAttribute attr : attributes) {
if (!this.supports(attr)) {
if (!supports(attr)) {
continue;
}
// Need to make an access decision on this invocation
// Attempt to locate the domain object instance to process
Object domainObject = getDomainObjectInstance(object);
// If domain object is null, vote to abstain
if (domainObject == null) {
if (logger.isDebugEnabled()) {
logger.debug("Voting to abstain - domainObject is null");
}
logger.debug("Voting to abstain - domainObject is null");
return ACCESS_ABSTAIN;
}
// Evaluate if we are required to use an inner domain object
if (StringUtils.hasText(internalMethod)) {
try {
Class<?> clazz = domainObject.getClass();
Method method = clazz.getMethod(internalMethod, new Class[0]);
domainObject = method.invoke(domainObject);
}
catch (NoSuchMethodException nsme) {
throw new AuthorizationServiceException("Object of class '"
+ domainObject.getClass()
+ "' does not provide the requested internalMethod: "
+ internalMethod);
}
catch (IllegalAccessException iae) {
logger.debug("IllegalAccessException", iae);
throw new AuthorizationServiceException(
"Problem invoking internalMethod: " + internalMethod
+ " for object: " + domainObject);
}
catch (InvocationTargetException ite) {
logger.debug("InvocationTargetException", ite);
throw new AuthorizationServiceException(
"Problem invoking internalMethod: " + internalMethod
+ " for object: " + domainObject);
}
if (StringUtils.hasText(this.internalMethod)) {
domainObject = invokeInternalMethod(domainObject);
}
// Obtain the OID applicable to the domain object
ObjectIdentity objectIdentity = objectIdentityRetrievalStrategy
.getObjectIdentity(domainObject);
ObjectIdentity objectIdentity = this.objectIdentityRetrievalStrategy.getObjectIdentity(domainObject);
// Obtain the SIDs applicable to the principal
List<Sid> sids = sidRetrievalStrategy.getSids(authentication);
List<Sid> sids = this.sidRetrievalStrategy.getSids(authentication);
Acl acl;
try {
// Lookup only ACLs for SIDs we're interested in
acl = aclService.readAclById(objectIdentity, sids);
acl = this.aclService.readAclById(objectIdentity, sids);
}
catch (NotFoundException nfe) {
if (logger.isDebugEnabled()) {
logger.debug("Voting to deny access - no ACLs apply for this principal");
}
catch (NotFoundException ex) {
logger.debug("Voting to deny access - no ACLs apply for this principal");
return ACCESS_DENIED;
}
try {
if (acl.isGranted(requirePermission, sids, false)) {
if (logger.isDebugEnabled()) {
logger.debug("Voting to grant access");
}
if (acl.isGranted(this.requirePermission, sids, false)) {
logger.debug("Voting to grant access");
return ACCESS_GRANTED;
}
else {
if (logger.isDebugEnabled()) {
logger.debug("Voting to deny access - ACLs returned, but insufficient permissions for this principal");
}
return ACCESS_DENIED;
}
logger.debug("Voting to deny access - ACLs returned, but insufficient permissions for this principal");
return ACCESS_DENIED;
}
catch (NotFoundException nfe) {
if (logger.isDebugEnabled()) {
logger.debug("Voting to deny access - no ACLs apply for this principal");
}
catch (NotFoundException ex) {
logger.debug("Voting to deny access - no ACLs apply for this principal");
return ACCESS_DENIED;
}
}
@ -271,4 +215,27 @@ public class AclEntryVoter extends AbstractAclVoter {
// No configuration attribute matched, so abstain
return ACCESS_ABSTAIN;
}
private Object invokeInternalMethod(Object domainObject) {
try {
Class<?> domainObjectType = domainObject.getClass();
Method method = domainObjectType.getMethod(this.internalMethod, new Class[0]);
return method.invoke(domainObject);
}
catch (NoSuchMethodException ex) {
throw new AuthorizationServiceException("Object of class '" + domainObject.getClass()
+ "' does not provide the requested internalMethod: " + this.internalMethod);
}
catch (IllegalAccessException ex) {
logger.debug("IllegalAccessException", ex);
throw new AuthorizationServiceException(
"Problem invoking internalMethod: " + this.internalMethod + " for object: " + domainObject);
}
catch (InvocationTargetException ex) {
logger.debug("InvocationTargetException", ex);
throw new AuthorizationServiceException(
"Problem invoking internalMethod: " + this.internalMethod + " for object: " + domainObject);
}
}
}

32
acl/src/main/java/org/springframework/security/acls/AclPermissionCacheOptimizer.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls;
import java.util.ArrayList;
@ -21,6 +22,8 @@ import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.log.LogMessage;
import org.springframework.security.access.PermissionCacheOptimizer;
import org.springframework.security.acls.domain.ObjectIdentityRetrievalStrategyImpl;
import org.springframework.security.acls.domain.SidRetrievalStrategyImpl;
@ -38,45 +41,42 @@ import org.springframework.security.core.Authentication;
* @since 3.1
*/
public class AclPermissionCacheOptimizer implements PermissionCacheOptimizer {
private final Log logger = LogFactory.getLog(getClass());
private final AclService aclService;
private SidRetrievalStrategy sidRetrievalStrategy = new SidRetrievalStrategyImpl();
private ObjectIdentityRetrievalStrategy oidRetrievalStrategy = new ObjectIdentityRetrievalStrategyImpl();
public AclPermissionCacheOptimizer(AclService aclService) {
this.aclService = aclService;
}
@Override
public void cachePermissionsFor(Authentication authentication, Collection<?> objects) {
if (objects.isEmpty()) {
return;
}
List<ObjectIdentity> oidsToCache = new ArrayList<>(objects.size());
for (Object domainObject : objects) {
if (domainObject == null) {
continue;
if (domainObject != null) {
ObjectIdentity oid = this.oidRetrievalStrategy.getObjectIdentity(domainObject);
oidsToCache.add(oid);
}
ObjectIdentity oid = oidRetrievalStrategy.getObjectIdentity(domainObject);
oidsToCache.add(oid);
}
List<Sid> sids = sidRetrievalStrategy.getSids(authentication);
if (logger.isDebugEnabled()) {
logger.debug("Eagerly loading Acls for " + oidsToCache.size() + " objects");
}
aclService.readAclsById(oidsToCache, sids);
List<Sid> sids = this.sidRetrievalStrategy.getSids(authentication);
this.logger.debug(LogMessage.of(() -> "Eagerly loading Acls for " + oidsToCache.size() + " objects"));
this.aclService.readAclsById(oidsToCache, sids);
}
public void setObjectIdentityRetrievalStrategy(
ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy) {
public void setObjectIdentityRetrievalStrategy(ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy) {
this.oidRetrievalStrategy = objectIdentityRetrievalStrategy;
}
public void setSidRetrievalStrategy(SidRetrievalStrategy sidRetrievalStrategy) {
this.sidRetrievalStrategy = sidRetrievalStrategy;
}
}

92
acl/src/main/java/org/springframework/security/acls/AclPermissionEvaluator.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls;
import java.io.Serializable;
@ -22,6 +23,8 @@ import java.util.Locale;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.log.LogMessage;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.acls.domain.DefaultPermissionFactory;
import org.springframework.security.acls.domain.ObjectIdentityRetrievalStrategyImpl;
@ -51,9 +54,13 @@ public class AclPermissionEvaluator implements PermissionEvaluator {
private final Log logger = LogFactory.getLog(getClass());
private final AclService aclService;
private ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy = new ObjectIdentityRetrievalStrategyImpl();
private ObjectIdentityGenerator objectIdentityGenerator = new ObjectIdentityRetrievalStrategyImpl();
private SidRetrievalStrategy sidRetrievalStrategy = new SidRetrievalStrategyImpl();
private PermissionFactory permissionFactory = new DefaultPermissionFactory();
public AclPermissionEvaluator(AclService aclService) {
@ -65,100 +72,72 @@ public class AclPermissionEvaluator implements PermissionEvaluator {
* the ACL configuration. If the domain object is null, returns false (this can always
* be overridden using a null check in the expression itself).
*/
public boolean hasPermission(Authentication authentication, Object domainObject,
Object permission) {
@Override
public boolean hasPermission(Authentication authentication, Object domainObject, Object permission) {
if (domainObject == null) {
return false;
}
ObjectIdentity objectIdentity = objectIdentityRetrievalStrategy
.getObjectIdentity(domainObject);
ObjectIdentity objectIdentity = this.objectIdentityRetrievalStrategy.getObjectIdentity(domainObject);
return checkPermission(authentication, objectIdentity, permission);
}
public boolean hasPermission(Authentication authentication, Serializable targetId,
String targetType, Object permission) {
ObjectIdentity objectIdentity = objectIdentityGenerator.createObjectIdentity(
targetId, targetType);
return checkPermission(authentication, objectIdentity, permission);
}
private boolean checkPermission(Authentication authentication, ObjectIdentity oid,
@Override
public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType,
Object permission) {
ObjectIdentity objectIdentity = this.objectIdentityGenerator.createObjectIdentity(targetId, targetType);
return checkPermission(authentication, objectIdentity, permission);
}
private boolean checkPermission(Authentication authentication, ObjectIdentity oid, Object permission) {
// Obtain the SIDs applicable to the principal
List<Sid> sids = sidRetrievalStrategy.getSids(authentication);
List<Sid> sids = this.sidRetrievalStrategy.getSids(authentication);
List<Permission> requiredPermission = resolvePermission(permission);
final boolean debug = logger.isDebugEnabled();
if (debug) {
logger.debug("Checking permission '" + permission + "' for object '" + oid
+ "'");
}
this.logger.debug(LogMessage.of(() -> "Checking permission '" + permission + "' for object '" + oid + "'"));
try {
// Lookup only ACLs for SIDs we're interested in
Acl acl = aclService.readAclById(oid, sids);
Acl acl = this.aclService.readAclById(oid, sids);
if (acl.isGranted(requiredPermission, sids, false)) {
if (debug) {
logger.debug("Access is granted");
}
this.logger.debug("Access is granted");
return true;
}
if (debug) {
logger.debug("Returning false - ACLs returned, but insufficient permissions for this principal");
}
this.logger.debug("Returning false - ACLs returned, but insufficient permissions for this principal");
}
catch (NotFoundException nfe) {
if (debug) {
logger.debug("Returning false - no ACLs apply for this principal");
}
this.logger.debug("Returning false - no ACLs apply for this principal");
}
return false;
}
List<Permission> resolvePermission(Object permission) {
if (permission instanceof Integer) {
return Arrays.asList(permissionFactory.buildFromMask((Integer) permission));
return Arrays.asList(this.permissionFactory.buildFromMask((Integer) permission));
}
if (permission instanceof Permission) {
return Arrays.asList((Permission) permission);
}
if (permission instanceof Permission[]) {
return Arrays.asList((Permission[]) permission);
}
if (permission instanceof String) {
String permString = (String) permission;
Permission p;
try {
p = permissionFactory.buildFromName(permString);
}
catch (IllegalArgumentException notfound) {
p = permissionFactory.buildFromName(permString.toUpperCase(Locale.ENGLISH));
}
Permission p = buildPermission(permString);
if (p != null) {
return Arrays.asList(p);
}
}
throw new IllegalArgumentException("Unsupported permission: " + permission);
}
public void setObjectIdentityRetrievalStrategy(
ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy) {
private Permission buildPermission(String permString) {
try {
return this.permissionFactory.buildFromName(permString);
}
catch (IllegalArgumentException notfound) {
return this.permissionFactory.buildFromName(permString.toUpperCase(Locale.ENGLISH));
}
}
public void setObjectIdentityRetrievalStrategy(ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy) {
this.objectIdentityRetrievalStrategy = objectIdentityRetrievalStrategy;
}
@ -173,4 +152,5 @@ public class AclPermissionEvaluator implements PermissionEvaluator {
public void setPermissionFactory(PermissionFactory permissionFactory) {
this.permissionFactory = permissionFactory;
}
}

59
acl/src/main/java/org/springframework/security/acls/afterinvocation/AbstractAclProvider.java
View File

@ -32,6 +32,7 @@ import org.springframework.security.acls.model.Sid;
import org.springframework.security.acls.model.SidRetrievalStrategy;
import org.springframework.security.core.Authentication;
import org.springframework.util.Assert;
import org.springframework.util.ObjectUtils;
/**
* Abstract {@link AfterInvocationProvider} which provides commonly-used ACL-related
@ -40,64 +41,52 @@ import org.springframework.util.Assert;
* @author Ben Alex
*/
public abstract class AbstractAclProvider implements AfterInvocationProvider {
// ~ Instance fields
// ================================================================================================
protected final AclService aclService;
protected Class<?> processDomainObjectClass = Object.class;
protected ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy = new ObjectIdentityRetrievalStrategyImpl();
protected SidRetrievalStrategy sidRetrievalStrategy = new SidRetrievalStrategyImpl();
protected String processConfigAttribute;
protected final List<Permission> requirePermission;
// ~ Constructors
// ===================================================================================================
protected String processConfigAttribute;
protected Class<?> processDomainObjectClass = Object.class;
protected ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy = new ObjectIdentityRetrievalStrategyImpl();
protected SidRetrievalStrategy sidRetrievalStrategy = new SidRetrievalStrategyImpl();
protected final List<Permission> requirePermission;
public AbstractAclProvider(AclService aclService, String processConfigAttribute,
List<Permission> requirePermission) {
Assert.hasText(processConfigAttribute, "A processConfigAttribute is mandatory");
Assert.notNull(aclService, "An AclService is mandatory");
if (requirePermission == null || requirePermission.isEmpty()) {
throw new IllegalArgumentException(
"One or more requirePermission entries is mandatory");
}
Assert.isTrue(!ObjectUtils.isEmpty(requirePermission), "One or more requirePermission entries is mandatory");
this.aclService = aclService;
this.processConfigAttribute = processConfigAttribute;
this.requirePermission = requirePermission;
}
// ~ Methods
// ========================================================================================================
protected Class<?> getProcessDomainObjectClass() {
return processDomainObjectClass;
return this.processDomainObjectClass;
}
protected boolean hasPermission(Authentication authentication, Object domainObject) {
// Obtain the OID applicable to the domain object
ObjectIdentity objectIdentity = objectIdentityRetrievalStrategy
.getObjectIdentity(domainObject);
ObjectIdentity objectIdentity = this.objectIdentityRetrievalStrategy.getObjectIdentity(domainObject);
// Obtain the SIDs applicable to the principal
List<Sid> sids = sidRetrievalStrategy.getSids(authentication);
List<Sid> sids = this.sidRetrievalStrategy.getSids(authentication);
try {
// Lookup only ACLs for SIDs we're interested in
Acl acl = aclService.readAclById(objectIdentity, sids);
return acl.isGranted(requirePermission, sids, false);
Acl acl = this.aclService.readAclById(objectIdentity, sids);
return acl.isGranted(this.requirePermission, sids, false);
}
catch (NotFoundException ignore) {
catch (NotFoundException ex) {
return false;
}
}
public void setObjectIdentityRetrievalStrategy(
ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy) {
Assert.notNull(objectIdentityRetrievalStrategy,
"ObjectIdentityRetrievalStrategy required");
public void setObjectIdentityRetrievalStrategy(ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy) {
Assert.notNull(objectIdentityRetrievalStrategy, "ObjectIdentityRetrievalStrategy required");
this.objectIdentityRetrievalStrategy = objectIdentityRetrievalStrategy;
}
@ -107,8 +96,7 @@ public abstract class AbstractAclProvider implements AfterInvocationProvider {
}
public void setProcessDomainObjectClass(Class<?> processDomainObjectClass) {
Assert.notNull(processDomainObjectClass,
"processDomainObjectClass cannot be set to null");
Assert.notNull(processDomainObjectClass, "processDomainObjectClass cannot be set to null");
this.processDomainObjectClass = processDomainObjectClass;
}
@ -117,19 +105,20 @@ public abstract class AbstractAclProvider implements AfterInvocationProvider {
this.sidRetrievalStrategy = sidRetrievalStrategy;
}
@Override
public boolean supports(ConfigAttribute attribute) {
return processConfigAttribute.equals(attribute.getAttribute());
return this.processConfigAttribute.equals(attribute.getAttribute());
}
/**
* This implementation supports any type of class, because it does not query the
* presented secure object.
*
* @param clazz the secure object
*
* @return always <code>true</code>
*/
@Override
public boolean supports(Class<?> clazz) {
return true;
}
}

65
acl/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationCollectionFilteringProvider.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.afterinvocation;
import java.util.Collection;
@ -20,6 +21,8 @@ import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.log.LogMessage;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.AuthorizationServiceException;
import org.springframework.security.access.ConfigAttribute;
@ -60,33 +63,21 @@ import org.springframework.security.core.Authentication;
* @author Ben Alex
* @author Paulo Neves
*/
public class AclEntryAfterInvocationCollectionFilteringProvider extends
AbstractAclProvider {
// ~ Static fields/initializers
// =====================================================================================
public class AclEntryAfterInvocationCollectionFilteringProvider extends AbstractAclProvider {
protected static final Log logger = LogFactory
.getLog(AclEntryAfterInvocationCollectionFilteringProvider.class);
// ~ Constructors
// ===================================================================================================
protected static final Log logger = LogFactory.getLog(AclEntryAfterInvocationCollectionFilteringProvider.class);
public AclEntryAfterInvocationCollectionFilteringProvider(AclService aclService,
List<Permission> requirePermission) {
super(aclService, "AFTER_ACL_COLLECTION_READ", requirePermission);
}
// ~ Methods
// ========================================================================================================
@Override
@SuppressWarnings("unchecked")
public Object decide(Authentication authentication, Object object,
Collection<ConfigAttribute> config, Object returnedObject)
throws AccessDeniedException {
public Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> config,
Object returnedObject) throws AccessDeniedException {
if (returnedObject == null) {
logger.debug("Return object is null, skipping");
return null;
}
@ -96,44 +87,34 @@ public class AclEntryAfterInvocationCollectionFilteringProvider extends
}
// Need to process the Collection for this invocation
Filterer filterer;
if (returnedObject instanceof Collection) {
filterer = new CollectionFilterer((Collection) returnedObject);
}
else if (returnedObject.getClass().isArray()) {
filterer = new ArrayFilterer((Object[]) returnedObject);
}
else {
throw new AuthorizationServiceException(
"A Collection or an array (or null) was required as the "
+ "returnedObject, but the returnedObject was: "
+ returnedObject);
}
Filterer filterer = getFilterer(returnedObject);
// Locate unauthorised Collection elements
for (Object domainObject : filterer) {
// Ignore nulls or entries which aren't instances of the configured domain
// object class
if (domainObject == null
|| !getProcessDomainObjectClass().isAssignableFrom(
domainObject.getClass())) {
if (domainObject == null || !getProcessDomainObjectClass().isAssignableFrom(domainObject.getClass())) {
continue;
}
if (!hasPermission(authentication, domainObject)) {
filterer.remove(domainObject);
if (logger.isDebugEnabled()) {
logger.debug("Principal is NOT authorised for element: "
+ domainObject);
}
logger.debug(LogMessage.of(() -> "Principal is NOT authorised for element: " + domainObject));
}
}
return filterer.getFilteredObject();
}
return returnedObject;
}
private Filterer getFilterer(Object returnedObject) {
if (returnedObject instanceof Collection) {
return new CollectionFilterer((Collection) returnedObject);
}
if (returnedObject.getClass().isArray()) {
return new ArrayFilterer((Object[]) returnedObject);
}
throw new AuthorizationServiceException("A Collection or an array (or null) was required as the "
+ "returnedObject, but the returnedObject was: " + returnedObject);
}
}

44
acl/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationProvider.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.afterinvocation;
import java.util.Collection;
@ -20,6 +21,7 @@ import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.MessageSource;
import org.springframework.context.MessageSourceAware;
import org.springframework.context.support.MessageSourceAccessor;
@ -58,50 +60,34 @@ import org.springframework.security.core.SpringSecurityMessageSource;
* <p>
* All comparisons and prefixes are case sensitive.
*/
public class AclEntryAfterInvocationProvider extends AbstractAclProvider implements
MessageSourceAware {
// ~ Static fields/initializers
// =====================================================================================
public class AclEntryAfterInvocationProvider extends AbstractAclProvider implements MessageSourceAware {
protected static final Log logger = LogFactory
.getLog(AclEntryAfterInvocationProvider.class);
// ~ Instance fields
// ================================================================================================
protected static final Log logger = LogFactory.getLog(AclEntryAfterInvocationProvider.class);
protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
// ~ Constructors
// ===================================================================================================
public AclEntryAfterInvocationProvider(AclService aclService,
List<Permission> requirePermission) {
public AclEntryAfterInvocationProvider(AclService aclService, List<Permission> requirePermission) {
this(aclService, "AFTER_ACL_READ", requirePermission);
}
public AclEntryAfterInvocationProvider(AclService aclService,
String processConfigAttribute, List<Permission> requirePermission) {
public AclEntryAfterInvocationProvider(AclService aclService, String processConfigAttribute,
List<Permission> requirePermission) {
super(aclService, processConfigAttribute, requirePermission);
}
// ~ Methods
// ========================================================================================================
public Object decide(Authentication authentication, Object object,
Collection<ConfigAttribute> config, Object returnedObject)
throws AccessDeniedException {
@Override
public Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> config,
Object returnedObject) throws AccessDeniedException {
if (returnedObject == null) {
// AclManager interface contract prohibits nulls
// As they have permission to null/nothing, grant access
logger.debug("Return object is null, skipping");
return null;
}
if (!getProcessDomainObjectClass().isAssignableFrom(returnedObject.getClass())) {
logger.debug("Return object is not applicable for this provider, skipping");
return returnedObject;
}
@ -109,24 +95,24 @@ public class AclEntryAfterInvocationProvider extends AbstractAclProvider impleme
if (!this.supports(attr)) {
continue;
}
// Need to make an access decision on this invocation
// Need to make an access decision on this invocation
if (hasPermission(authentication, returnedObject)) {
return returnedObject;
}
logger.debug("Denying access");
throw new AccessDeniedException(messages.getMessage(
"AclEntryAfterInvocationProvider.noPermission", new Object[] {
authentication.getName(), returnedObject },
throw new AccessDeniedException(this.messages.getMessage("AclEntryAfterInvocationProvider.noPermission",
new Object[] { authentication.getName(), returnedObject },
"Authentication {0} has NO permissions to the domain object {1}"));
}
return returnedObject;
}
@Override
public void setMessageSource(MessageSource messageSource) {
this.messages = new MessageSourceAccessor(messageSource);
}
}

95
acl/src/main/java/org/springframework/security/acls/afterinvocation/ArrayFilterer.java
View File

@ -25,6 +25,8 @@ import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.log.LogMessage;
/**
* A filter used to filter arrays.
*
@ -32,91 +34,70 @@ import org.apache.commons.logging.LogFactory;
* @author Paulo Neves
*/
class ArrayFilterer<T> implements Filterer<T> {
// ~ Static fields/initializers
// =====================================================================================
protected static final Log logger = LogFactory.getLog(ArrayFilterer.class);
// ~ Instance fields
// ================================================================================================
private final Set<T> removeList;
private final T[] list;
// ~ Constructors
// ===================================================================================================
private final T[] list;
ArrayFilterer(T[] list) {
this.list = list;
// Collect the removed objects to a HashSet so that
// it is fast to lookup them when a filtered array
// is constructed.
removeList = new HashSet<>();
this.removeList = new HashSet<>();
}
// ~ Methods
// ========================================================================================================
/**
*
* @see org.springframework.security.acls.afterinvocation.Filterer#getFilteredObject()
*/
@Override
@SuppressWarnings("unchecked")
public T[] getFilteredObject() {
// Recreate an array of same type and filter the removed objects.
int originalSize = list.length;
int sizeOfResultingList = originalSize - removeList.size();
T[] filtered = (T[]) Array.newInstance(list.getClass().getComponentType(),
sizeOfResultingList);
for (int i = 0, j = 0; i < list.length; i++) {
T object = list[i];
if (!removeList.contains(object)) {
int originalSize = this.list.length;
int sizeOfResultingList = originalSize - this.removeList.size();
T[] filtered = (T[]) Array.newInstance(this.list.getClass().getComponentType(), sizeOfResultingList);
for (int i = 0, j = 0; i < this.list.length; i++) {
T object = this.list[i];
if (!this.removeList.contains(object)) {
filtered[j] = object;
j++;
}
}
if (logger.isDebugEnabled()) {
logger.debug("Original array contained " + originalSize
+ " elements; now contains " + sizeOfResultingList + " elements");
}
logger.debug(LogMessage.of(() -> "Original array contained " + originalSize + " elements; now contains "
+ sizeOfResultingList + " elements"));
return filtered;
}
/**
*
* @see org.springframework.security.acls.afterinvocation.Filterer#iterator()
*/
@Override
public Iterator<T> iterator() {
return new Iterator<T>() {
private int index = 0;
return new ArrayFiltererIterator();
}
public boolean hasNext() {
return index < list.length;
}
public T next() {
if (!hasNext()) {
throw new NoSuchElementException();
}
return list[index++];
}
public void remove() {
throw new UnsupportedOperationException();
}
};
@Override
public void remove(T object) {
this.removeList.add(object);
}
/**
*
* @see org.springframework.security.acls.afterinvocation.Filterer#remove(java.lang.Object)
* Iterator for {@link ArrayFilterer} elements.
*/
public void remove(T object) {
removeList.add(object);
private class ArrayFiltererIterator implements Iterator<T> {
private int index = 0;
@Override
public boolean hasNext() {
return this.index < ArrayFilterer.this.list.length;
}
@Override
public T next() {
if (hasNext()) {
return ArrayFilterer.this.list[this.index++];
}
throw new NoSuchElementException();
}
}
}

60
acl/src/main/java/org/springframework/security/acls/afterinvocation/CollectionFilterer.java
View File

@ -16,14 +16,16 @@
package org.springframework.security.acls.afterinvocation;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.log.LogMessage;
/**
* A filter used to filter Collections.
*
@ -31,24 +33,15 @@ import java.util.Set;
* @author Paulo Neves
*/
class CollectionFilterer<T> implements Filterer<T> {
// ~ Static fields/initializers
// =====================================================================================
protected static final Log logger = LogFactory.getLog(CollectionFilterer.class);
// ~ Instance fields
// ================================================================================================
private final Collection<T> collection;
private final Set<T> removeList;
// ~ Constructors
// ===================================================================================================
CollectionFilterer(Collection<T> collection) {
this.collection = collection;
// We create a Set of objects to be removed from the Collection,
// as ConcurrentModificationException prevents removal during
// iteration, and making a new Collection to be returned is
@ -56,47 +49,30 @@ class CollectionFilterer<T> implements Filterer<T> {
// to the method may not necessarily be re-constructable (as
// the Collection(collection) constructor is not guaranteed and
// manually adding may lose sort order or other capabilities)
removeList = new HashSet<>();
this.removeList = new HashSet<>();
}
// ~ Methods
// ========================================================================================================
/**
*
* @see org.springframework.security.acls.afterinvocation.Filterer#getFilteredObject()
*/
@Override
public Object getFilteredObject() {
// Now the Iterator has ended, remove Objects from Collection
Iterator<T> removeIter = removeList.iterator();
int originalSize = collection.size();
Iterator<T> removeIter = this.removeList.iterator();
int originalSize = this.collection.size();
while (removeIter.hasNext()) {
collection.remove(removeIter.next());
this.collection.remove(removeIter.next());
}
if (logger.isDebugEnabled()) {
logger.debug("Original collection contained " + originalSize
+ " elements; now contains " + collection.size() + " elements");
}
return collection;
logger.debug(LogMessage.of(() -> "Original collection contained " + originalSize + " elements; now contains "
+ this.collection.size() + " elements"));
return this.collection;
}
/**
*
* @see org.springframework.security.acls.afterinvocation.Filterer#iterator()
*/
@Override
public Iterator<T> iterator() {
return collection.iterator();
return this.collection.iterator();
}
/**
*
* @see org.springframework.security.acls.afterinvocation.Filterer#remove(java.lang.Object)
*/
@Override
public void remove(T object) {
removeList.add(object);
this.removeList.add(object);
}
}

7
acl/src/main/java/org/springframework/security/acls/afterinvocation/Filterer.java
View File

@ -25,27 +25,24 @@ import java.util.Iterator;
* @author Paulo Neves
*/
interface Filterer<T> extends Iterable<T> {
// ~ Methods
// ========================================================================================================
/**
* Gets the filtered collection or array.
*
* @return the filtered collection or array
*/
Object getFilteredObject();
/**
* Returns an iterator over the filtered collection or array.
*
* @return an Iterator
*/
@Override
Iterator<T> iterator();
/**
* Removes the given object from the resulting list.
*
* @param object the object to be removed
*/
void remove(T object);
}

6
acl/src/main/java/org/springframework/security/acls/afterinvocation/package-info.java
View File

@ -13,9 +13,9 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
* After-invocation providers for collection and array filtering. Consider using a {@code PostFilter} annotation in
* preference.
* After-invocation providers for collection and array filtering. Consider using a
* {@code PostFilter} annotation in preference.
*/
package org.springframework.security.acls.afterinvocation;

55
acl/src/main/java/org/springframework/security/acls/domain/AbstractPermission.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import org.springframework.security.acls.model.Permission;
@ -25,18 +26,13 @@ import org.springframework.security.acls.model.Permission;
*/
public abstract class AbstractPermission implements Permission {
// ~ Instance fields
// ================================================================================================
protected final char code;
protected int mask;
// ~ Constructors
// ===================================================================================================
/**
* Sets the permission mask and uses the '*' character to represent active bits when
* represented as a bit pattern string.
*
* @param mask the integer bit mask for the permission
*/
protected AbstractPermission(int mask) {
@ -46,7 +42,6 @@ public abstract class AbstractPermission implements Permission {
/**
* Sets the permission mask and uses the specified character for active bits.
*
* @param mask the integer bit mask for the permission
* @param code the character to print for each active bit in the mask (see
* {@link Permission#getPattern()})
@ -56,36 +51,36 @@ public abstract class AbstractPermission implements Permission {
this.code = code;
}
// ~ Methods
// ========================================================================================================
public final boolean equals(Object arg0) {
if (arg0 == null) {
@Override
public final boolean equals(Object obj) {
if (obj == null) {
return false;
}
if (!(arg0 instanceof Permission)) {
if (!(obj instanceof Permission)) {
return false;
}
Permission rhs = (Permission) arg0;
return (this.mask == rhs.getMask());
}
public final int getMask() {
return mask;
}
public String getPattern() {
return AclFormattingUtils.printBinary(mask, code);
}
public final String toString() {
return this.getClass().getSimpleName() + "[" + getPattern() + "=" + mask + "]";
Permission other = (Permission) obj;
return (this.mask == other.getMask());
}
@Override
public final int hashCode() {
return this.mask;
}
@Override
public final String toString() {
return this.getClass().getSimpleName() + "[" + getPattern() + "=" + this.mask + "]";
}
@Override
public final int getMask() {
return this.mask;
}
@Override
public String getPattern() {
return AclFormattingUtils.printBinary(this.mask, this.code);
}
}

77
acl/src/main/java/org/springframework/security/acls/domain/AccessControlEntryImpl.java
View File

@ -13,42 +13,41 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import java.io.Serializable;
import org.springframework.security.acls.model.AccessControlEntry;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.AuditableAccessControlEntry;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid;
import org.springframework.util.Assert;
import java.io.Serializable;
/**
* An immutable default implementation of <code>AccessControlEntry</code>.
*
* @author Ben Alex
*/
public class AccessControlEntryImpl implements AccessControlEntry,
AuditableAccessControlEntry {
// ~ Instance fields
// ================================================================================================
public class AccessControlEntryImpl implements AccessControlEntry, AuditableAccessControlEntry {
private final Acl acl;
private Permission permission;
private final Serializable id;
private final Sid sid;
private boolean auditFailure = false;
private boolean auditSuccess = false;
private final boolean granting;
// ~ Constructors
// ===================================================================================================
public AccessControlEntryImpl(Serializable id, Acl acl, Sid sid,
Permission permission, boolean granting, boolean auditSuccess,
boolean auditFailure) {
public AccessControlEntryImpl(Serializable id, Acl acl, Sid sid, Permission permission, boolean granting,
boolean auditSuccess, boolean auditFailure) {
Assert.notNull(acl, "Acl required");
Assert.notNull(sid, "Sid required");
Assert.notNull(permission, "Permission required");
@ -61,78 +60,66 @@ public class AccessControlEntryImpl implements AccessControlEntry,
this.auditFailure = auditFailure;
}
// ~ Methods
// ========================================================================================================
@Override
public boolean equals(Object arg0) {
if (!(arg0 instanceof AccessControlEntryImpl)) {
return false;
}
AccessControlEntryImpl rhs = (AccessControlEntryImpl) arg0;
AccessControlEntryImpl other = (AccessControlEntryImpl) arg0;
if (this.acl == null) {
if (rhs.getAcl() != null) {
if (other.getAcl() != null) {
return false;
}
// Both this.acl and rhs.acl are null and thus equal
}
else {
// this.acl is non-null
if (rhs.getAcl() == null) {
if (other.getAcl() == null) {
return false;
}
// Both this.acl and rhs.acl are non-null, so do a comparison
if (this.acl.getObjectIdentity() == null) {
if (rhs.acl.getObjectIdentity() != null) {
if (other.acl.getObjectIdentity() != null) {
return false;
}
// Both this.acl and rhs.acl are null and thus equal
}
else {
// Both this.acl.objectIdentity and rhs.acl.objectIdentity are non-null
if (!this.acl.getObjectIdentity()
.equals(rhs.getAcl().getObjectIdentity())) {
if (!this.acl.getObjectIdentity().equals(other.getAcl().getObjectIdentity())) {
return false;
}
}
}
if (this.id == null) {
if (rhs.id != null) {
if (other.id != null) {
return false;
}
// Both this.id and rhs.id are null and thus equal
}
else {
// this.id is non-null
if (rhs.id == null) {
if (other.id == null) {
return false;
}
// Both this.id and rhs.id are non-null
if (!this.id.equals(rhs.id)) {
if (!this.id.equals(other.id)) {
return false;
}
}
if ((this.auditFailure != rhs.isAuditFailure())
|| (this.auditSuccess != rhs.isAuditSuccess())
|| (this.granting != rhs.isGranting())
|| !this.permission.equals(rhs.getPermission())
|| !this.sid.equals(rhs.getSid())) {
if ((this.auditFailure != other.isAuditFailure()) || (this.auditSuccess != other.isAuditSuccess())
|| (this.granting != other.isGranting()) || !this.permission.equals(other.getPermission())
|| !this.sid.equals(other.getSid())) {
return false;
}
return true;
}
@Override
public int hashCode() {
int result = this.permission.hashCode();
result = 31 * result + (this.id != null ? this.id.hashCode() : 0);
result = 31 * result + ((this.id != null) ? this.id.hashCode() : 0);
result = 31 * result + (this.sid.hashCode());
result = 31 * result + (this.auditFailure ? 1 : 0);
result = 31 * result + (this.auditSuccess ? 1 : 0);
@ -142,37 +129,37 @@ public class AccessControlEntryImpl implements AccessControlEntry,
@Override
public Acl getAcl() {
return acl;
return this.acl;
}
@Override
public Serializable getId() {
return id;
return this.id;
}
@Override
public Permission getPermission() {
return permission;
return this.permission;
}
@Override
public Sid getSid() {
return sid;
return this.sid;
}
@Override
public boolean isAuditFailure() {
return auditFailure;
return this.auditFailure;
}
@Override
public boolean isAuditSuccess() {
return auditSuccess;
return this.auditSuccess;
}
@Override
public boolean isGranting() {
return granting;
return this.granting;
}
void setAuditFailure(boolean auditFailure) {
@ -199,7 +186,7 @@ public class AccessControlEntryImpl implements AccessControlEntry,
sb.append("auditSuccess: ").append(this.auditSuccess).append("; ");
sb.append("auditFailure: ").append(this.auditFailure);
sb.append("]");
return sb.toString();
}
}

8
acl/src/main/java/org/springframework/security/acls/domain/AclAuthorizationStrategy.java
View File

@ -25,15 +25,13 @@ import org.springframework.security.acls.model.Acl;
* @author Ben Alex
*/
public interface AclAuthorizationStrategy {
// ~ Static fields/initializers
// =====================================================================================
int CHANGE_OWNERSHIP = 0;
int CHANGE_AUDITING = 1;
int CHANGE_GENERAL = 2;
// ~ Methods
// ========================================================================================================
void securityCheck(Acl acl, int changeType);
}

81
acl/src/main/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImpl.java
View File

@ -16,6 +16,10 @@
package org.springframework.security.acls.domain;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.Sid;
@ -26,10 +30,6 @@ import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.Assert;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
/**
* Default implementation of {@link AclAuthorizationStrategy}.
* <p>
@ -45,21 +45,18 @@ import java.util.Set;
* @author Ben Alex
*/
public class AclAuthorizationStrategyImpl implements AclAuthorizationStrategy {
// ~ Instance fields
// ================================================================================================
private final GrantedAuthority gaGeneralChanges;
private final GrantedAuthority gaModifyAuditing;
private final GrantedAuthority gaTakeOwnership;
private SidRetrievalStrategy sidRetrievalStrategy = new SidRetrievalStrategyImpl();
// ~ Constructors
// ===================================================================================================
private final GrantedAuthority gaModifyAuditing;
private final GrantedAuthority gaTakeOwnership;
private SidRetrievalStrategy sidRetrievalStrategy = new SidRetrievalStrategyImpl();
/**
* Constructor. The only mandatory parameter relates to the system-wide
* {@link GrantedAuthority} instances that can be held to always permit ACL changes.
*
* @param auths the <code>GrantedAuthority</code>s that have special permissions
* (index 0 is the authority needed to change ownership, index 1 is the authority
* needed to modify auditing details, index 2 is the authority needed to change other
@ -71,53 +68,33 @@ public class AclAuthorizationStrategyImpl implements AclAuthorizationStrategy {
Assert.isTrue(auths != null && (auths.length == 3 || auths.length == 1),
"One or three GrantedAuthority instances required");
if (auths.length == 3) {
gaTakeOwnership = auths[0];
gaModifyAuditing = auths[1];
gaGeneralChanges = auths[2];
this.gaTakeOwnership = auths[0];
this.gaModifyAuditing = auths[1];
this.gaGeneralChanges = auths[2];
}
else {
gaTakeOwnership = gaModifyAuditing = gaGeneralChanges = auths[0];
this.gaTakeOwnership = auths[0];
this.gaModifyAuditing = auths[0];
this.gaGeneralChanges = auths[0];
}
}
// ~ Methods
// ========================================================================================================
@Override
public void securityCheck(Acl acl, int changeType) {
if ((SecurityContextHolder.getContext() == null)
|| (SecurityContextHolder.getContext().getAuthentication() == null)
|| !SecurityContextHolder.getContext().getAuthentication()
.isAuthenticated()) {
throw new AccessDeniedException(
"Authenticated principal required to operate with ACLs");
|| !SecurityContextHolder.getContext().getAuthentication().isAuthenticated()) {
throw new AccessDeniedException("Authenticated principal required to operate with ACLs");
}
Authentication authentication = SecurityContextHolder.getContext()
.getAuthentication();
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
// Check if authorized by virtue of ACL ownership
Sid currentUser = createCurrentUser(authentication);
if (currentUser.equals(acl.getOwner())
&& ((changeType == CHANGE_GENERAL) || (changeType == CHANGE_OWNERSHIP))) {
return;
}
// Not authorized by ACL ownership; try via adminstrative permissions
GrantedAuthority requiredAuthority;
if (changeType == CHANGE_AUDITING) {
requiredAuthority = this.gaModifyAuditing;
}
else if (changeType == CHANGE_GENERAL) {
requiredAuthority = this.gaGeneralChanges;
}
else if (changeType == CHANGE_OWNERSHIP) {
requiredAuthority = this.gaTakeOwnership;
}
else {
throw new IllegalArgumentException("Unknown change type");
}
GrantedAuthority requiredAuthority = getRequiredAuthority(changeType);
// Iterate this principal's authorities to determine right
Set<String> authorities = AuthorityUtils.authorityListToSet(authentication.getAuthorities());
@ -126,8 +103,7 @@ public class AclAuthorizationStrategyImpl implements AclAuthorizationStrategy {
}
// Try to get permission via ACEs within the ACL
List<Sid> sids = sidRetrievalStrategy.getSids(authentication);
List<Sid> sids = this.sidRetrievalStrategy.getSids(authentication);
if (acl.isGranted(Arrays.asList(BasePermission.ADMINISTRATION), sids, false)) {
return;
}
@ -136,9 +112,21 @@ public class AclAuthorizationStrategyImpl implements AclAuthorizationStrategy {
"Principal does not have required ACL permissions to perform requested operation");
}
private GrantedAuthority getRequiredAuthority(int changeType) {
if (changeType == CHANGE_AUDITING) {
return this.gaModifyAuditing;
}
if (changeType == CHANGE_GENERAL) {
return this.gaGeneralChanges;
}
if (changeType == CHANGE_OWNERSHIP) {
return this.gaTakeOwnership;
}
throw new IllegalArgumentException("Unknown change type");
}
/**
* Creates a principal-like sid from the authentication information.
*
* @param authentication the authentication information that can provide principal and
* thus the sid's id will be dependant on the value inside
* @return a sid with the ID taken from the authentication information
@ -151,4 +139,5 @@ public class AclAuthorizationStrategyImpl implements AclAuthorizationStrategy {
Assert.notNull(sidRetrievalStrategy, "SidRetrievalStrategy required");
this.sidRetrievalStrategy = sidRetrievalStrategy;
}
}

23
acl/src/main/java/org/springframework/security/acls/domain/AclFormattingUtils.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import org.springframework.security.acls.model.Permission;
@ -30,9 +31,7 @@ public abstract class AclFormattingUtils {
Assert.notNull(removeBits, "Bits To Remove string required");
Assert.isTrue(original.length() == removeBits.length(),
"Original and Bits To Remove strings must be identical length");
char[] replacement = new char[original.length()];
for (int i = 0; i < original.length(); i++) {
if (removeBits.charAt(i) == Permission.RESERVED_OFF) {
replacement[i] = original.charAt(i);
@ -41,7 +40,6 @@ public abstract class AclFormattingUtils {
replacement[i] = Permission.RESERVED_OFF;
}
}
return new String(replacement);
}
@ -50,9 +48,7 @@ public abstract class AclFormattingUtils {
Assert.notNull(extraBits, "Extra Bits string required");
Assert.isTrue(original.length() == extraBits.length(),
"Original and Extra Bits strings must be identical length");
char[] replacement = new char[extraBits.length()];
for (int i = 0; i < extraBits.length(); i++) {
if (extraBits.charAt(i) == Permission.RESERVED_OFF) {
replacement[i] = original.charAt(i);
@ -61,7 +57,6 @@ public abstract class AclFormattingUtils {
replacement[i] = extraBits.charAt(i);
}
}
return new String(replacement);
}
@ -70,9 +65,7 @@ public abstract class AclFormattingUtils {
* bit being denoted by character '*'.
* <p>
* Inactive bits will be denoted by character {@link Permission#RESERVED_OFF}.
*
* @param i the integer bit mask to print the active bits for
*
* @return a 32-character representation of the bit mask
*/
public static String printBinary(int i) {
@ -84,29 +77,23 @@ public abstract class AclFormattingUtils {
* bit being denoted by the passed character.
* <p>
* Inactive bits will be denoted by character {@link Permission#RESERVED_OFF}.
*
* @param mask the integer bit mask to print the active bits for
* @param code the character to print when an active bit is detected
*
* @return a 32-character representation of the bit mask
*/
public static String printBinary(int mask, char code) {
Assert.doesNotContain(Character.toString(code),
Character.toString(Permission.RESERVED_ON),
Assert.doesNotContain(Character.toString(code), Character.toString(Permission.RESERVED_ON),
() -> Permission.RESERVED_ON + " is a reserved character code");
Assert.doesNotContain(Character.toString(code),
Character.toString(Permission.RESERVED_OFF),
Assert.doesNotContain(Character.toString(code), Character.toString(Permission.RESERVED_OFF),
() -> Permission.RESERVED_OFF + " is a reserved character code");
return printBinary(mask, Permission.RESERVED_ON, Permission.RESERVED_OFF)
.replace(Permission.RESERVED_ON, code);
return printBinary(mask, Permission.RESERVED_ON, Permission.RESERVED_OFF).replace(Permission.RESERVED_ON, code);
}
private static String printBinary(int i, char on, char off) {
String s = Integer.toBinaryString(i);
String pattern = Permission.THIRTY_TWO_RESERVED_OFF;
String temp2 = pattern.substring(0, pattern.length() - s.length()) + s;
return temp2.replace('0', off).replace('1', on);
}
}

211
acl/src/main/java/org/springframework/security/acls/domain/AclImpl.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import java.io.Serializable;
@ -31,6 +32,7 @@ import org.springframework.security.acls.model.PermissionGrantingStrategy;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.acls.model.UnloadedSidException;
import org.springframework.util.Assert;
import org.springframework.util.ObjectUtils;
/**
* Base implementation of <code>Acl</code>.
@ -38,35 +40,38 @@ import org.springframework.util.Assert;
* @author Ben Alex
*/
public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
// ~ Instance fields
// ================================================================================================
private Acl parentAcl;
private transient AclAuthorizationStrategy aclAuthorizationStrategy;
private transient PermissionGrantingStrategy permissionGrantingStrategy;
private final List<AccessControlEntry> aces = new ArrayList<>();
private ObjectIdentity objectIdentity;
private Serializable id;
private Sid owner; // OwnershipAcl
private List<Sid> loadedSids = null; // includes all SIDs the WHERE clause covered,
// even if there was no ACE for a SID
private boolean entriesInheriting = true;
// ~ Constructors
// ===================================================================================================
private transient AclAuthorizationStrategy aclAuthorizationStrategy;
private transient PermissionGrantingStrategy permissionGrantingStrategy;
private final List<AccessControlEntry> aces = new ArrayList<>();
private ObjectIdentity objectIdentity;
private Serializable id;
// OwnershipAcl
private Sid owner;
// includes all SIDs the WHERE clause covered, even if there was no ACE for a SID
private List<Sid> loadedSids = null;
private boolean entriesInheriting = true;
/**
* Minimal constructor, which should be used
* {@link org.springframework.security.acls.model.MutableAclService#createAcl(ObjectIdentity)}
* .
*
* @param objectIdentity the object identity this ACL relates to (required)
* @param id the primary key assigned to this ACL (required)
* @param aclAuthorizationStrategy authorization strategy (required)
* @param auditLogger audit logger (required)
*/
public AclImpl(ObjectIdentity objectIdentity, Serializable id,
AclAuthorizationStrategy aclAuthorizationStrategy, AuditLogger auditLogger) {
public AclImpl(ObjectIdentity objectIdentity, Serializable id, AclAuthorizationStrategy aclAuthorizationStrategy,
AuditLogger auditLogger) {
Assert.notNull(objectIdentity, "Object Identity required");
Assert.notNull(id, "Id required");
Assert.notNull(aclAuthorizationStrategy, "AclAuthorizationStrategy required");
@ -74,14 +79,12 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
this.objectIdentity = objectIdentity;
this.id = id;
this.aclAuthorizationStrategy = aclAuthorizationStrategy;
this.permissionGrantingStrategy = new DefaultPermissionGrantingStrategy(
auditLogger);
this.permissionGrantingStrategy = new DefaultPermissionGrantingStrategy(auditLogger);
}
/**
* Full constructor, which should be used by persistence tools that do not provide
* field-level access features.
*
* @param objectIdentity the object identity this ACL relates to
* @param id the primary key assigned to this ACL
* @param aclAuthorizationStrategy authorization strategy
@ -93,15 +96,13 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
* @param entriesInheriting if ACEs from the parent should inherit into this ACL
* @param owner the owner (required)
*/
public AclImpl(ObjectIdentity objectIdentity, Serializable id,
AclAuthorizationStrategy aclAuthorizationStrategy,
PermissionGrantingStrategy grantingStrategy, Acl parentAcl,
List<Sid> loadedSids, boolean entriesInheriting, Sid owner) {
public AclImpl(ObjectIdentity objectIdentity, Serializable id, AclAuthorizationStrategy aclAuthorizationStrategy,
PermissionGrantingStrategy grantingStrategy, Acl parentAcl, List<Sid> loadedSids, boolean entriesInheriting,
Sid owner) {
Assert.notNull(objectIdentity, "Object Identity required");
Assert.notNull(id, "Id required");
Assert.notNull(aclAuthorizationStrategy, "AclAuthorizationStrategy required");
Assert.notNull(owner, "Owner required");
this.objectIdentity = objectIdentity;
this.id = id;
this.aclAuthorizationStrategy = aclAuthorizationStrategy;
@ -120,16 +121,11 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
private AclImpl() {
}
// ~ Methods
// ========================================================================================================
@Override
public void deleteAce(int aceIndex) throws NotFoundException {
aclAuthorizationStrategy.securityCheck(this,
AclAuthorizationStrategy.CHANGE_GENERAL);
this.aclAuthorizationStrategy.securityCheck(this, AclAuthorizationStrategy.CHANGE_GENERAL);
verifyAceIndexExists(aceIndex);
synchronized (aces) {
synchronized (this.aces) {
this.aces.remove(aceIndex);
}
}
@ -139,32 +135,26 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
throw new NotFoundException("aceIndex must be greater than or equal to zero");
}
if (aceIndex >= this.aces.size()) {
throw new NotFoundException(
"aceIndex must refer to an index of the AccessControlEntry list. "
+ "List size is " + aces.size() + ", index was " + aceIndex);
throw new NotFoundException("aceIndex must refer to an index of the AccessControlEntry list. "
+ "List size is " + this.aces.size() + ", index was " + aceIndex);
}
}
@Override
public void insertAce(int atIndexLocation, Permission permission, Sid sid,
boolean granting) throws NotFoundException {
aclAuthorizationStrategy.securityCheck(this,
AclAuthorizationStrategy.CHANGE_GENERAL);
public void insertAce(int atIndexLocation, Permission permission, Sid sid, boolean granting)
throws NotFoundException {
this.aclAuthorizationStrategy.securityCheck(this, AclAuthorizationStrategy.CHANGE_GENERAL);
Assert.notNull(permission, "Permission required");
Assert.notNull(sid, "Sid required");
if (atIndexLocation < 0) {
throw new NotFoundException(
"atIndexLocation must be greater than or equal to zero");
throw new NotFoundException("atIndexLocation must be greater than or equal to zero");
}
if (atIndexLocation > this.aces.size()) {
throw new NotFoundException(
"atIndexLocation must be less than or equal to the size of the AccessControlEntry collection");
}
AccessControlEntryImpl ace = new AccessControlEntryImpl(null, this, sid,
permission, granting, false, false);
synchronized (aces) {
AccessControlEntryImpl ace = new AccessControlEntryImpl(null, this, sid, permission, granting, false, false);
synchronized (this.aces) {
this.aces.add(atIndexLocation, ace);
}
}
@ -173,7 +163,7 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
public List<AccessControlEntry> getEntries() {
// Can safely return AccessControlEntry directly, as they're immutable outside the
// ACL package
return new ArrayList<>(aces);
return new ArrayList<>(this.aces);
}
@Override
@ -183,33 +173,29 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
@Override
public ObjectIdentity getObjectIdentity() {
return objectIdentity;
return this.objectIdentity;
}
@Override
public boolean isEntriesInheriting() {
return entriesInheriting;
return this.entriesInheriting;
}
/**
* Delegates to the {@link PermissionGrantingStrategy}.
*
* @throws UnloadedSidException if the passed SIDs are unknown to this ACL because the
* ACL was only loaded for a subset of SIDs
* @see DefaultPermissionGrantingStrategy
*/
@Override
public boolean isGranted(List<Permission> permission, List<Sid> sids,
boolean administrativeMode) throws NotFoundException, UnloadedSidException {
public boolean isGranted(List<Permission> permission, List<Sid> sids, boolean administrativeMode)
throws NotFoundException, UnloadedSidException {
Assert.notEmpty(permission, "Permissions required");
Assert.notEmpty(sids, "SIDs required");
if (!this.isSidLoaded(sids)) {
throw new UnloadedSidException("ACL was not loaded for one or more SID");
}
return permissionGrantingStrategy.isGranted(this, permission, sids,
administrativeMode);
return this.permissionGrantingStrategy.isGranted(this, permission, sids, administrativeMode);
}
@Override
@ -223,16 +209,13 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
// This ACL applies to a SID subset only. Iterate to check it applies.
for (Sid sid : sids) {
boolean found = false;
for (Sid loadedSid : loadedSids) {
for (Sid loadedSid : this.loadedSids) {
if (sid.equals(loadedSid)) {
// this SID is OK
found = true;
break; // out of loadedSids for loop
}
}
if (!found) {
return false;
}
@ -243,15 +226,13 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
@Override
public void setEntriesInheriting(boolean entriesInheriting) {
aclAuthorizationStrategy.securityCheck(this,
AclAuthorizationStrategy.CHANGE_GENERAL);
this.aclAuthorizationStrategy.securityCheck(this, AclAuthorizationStrategy.CHANGE_GENERAL);
this.entriesInheriting = entriesInheriting;
}
@Override
public void setOwner(Sid newOwner) {
aclAuthorizationStrategy.securityCheck(this,
AclAuthorizationStrategy.CHANGE_OWNERSHIP);
this.aclAuthorizationStrategy.securityCheck(this, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
Assert.notNull(newOwner, "Owner required");
this.owner = newOwner;
}
@ -263,38 +244,32 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
@Override
public void setParent(Acl newParent) {
aclAuthorizationStrategy.securityCheck(this,
AclAuthorizationStrategy.CHANGE_GENERAL);
Assert.isTrue(newParent == null || !newParent.equals(this),
"Cannot be the parent of yourself");
this.aclAuthorizationStrategy.securityCheck(this, AclAuthorizationStrategy.CHANGE_GENERAL);
Assert.isTrue(newParent == null || !newParent.equals(this), "Cannot be the parent of yourself");
this.parentAcl = newParent;
}
@Override
public Acl getParentAcl() {
return parentAcl;
return this.parentAcl;
}
@Override
public void updateAce(int aceIndex, Permission permission) throws NotFoundException {
aclAuthorizationStrategy.securityCheck(this,
AclAuthorizationStrategy.CHANGE_GENERAL);
this.aclAuthorizationStrategy.securityCheck(this, AclAuthorizationStrategy.CHANGE_GENERAL);
verifyAceIndexExists(aceIndex);
synchronized (aces) {
AccessControlEntryImpl ace = (AccessControlEntryImpl) aces.get(aceIndex);
synchronized (this.aces) {
AccessControlEntryImpl ace = (AccessControlEntryImpl) this.aces.get(aceIndex);
ace.setPermission(permission);
}
}
@Override
public void updateAuditing(int aceIndex, boolean auditSuccess, boolean auditFailure) {
aclAuthorizationStrategy.securityCheck(this,
AclAuthorizationStrategy.CHANGE_AUDITING);
this.aclAuthorizationStrategy.securityCheck(this, AclAuthorizationStrategy.CHANGE_AUDITING);
verifyAceIndexExists(aceIndex);
synchronized (aces) {
AccessControlEntryImpl ace = (AccessControlEntryImpl) aces.get(aceIndex);
synchronized (this.aces) {
AccessControlEntryImpl ace = (AccessControlEntryImpl) this.aces.get(aceIndex);
ace.setAuditSuccess(auditSuccess);
ace.setAuditFailure(auditFailure);
}
@ -302,57 +277,35 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
@Override
public boolean equals(Object obj) {
if (obj instanceof AclImpl) {
AclImpl rhs = (AclImpl) obj;
if (this.aces.equals(rhs.aces)) {
if ((this.parentAcl == null && rhs.parentAcl == null)
|| (this.parentAcl != null && this.parentAcl
.equals(rhs.parentAcl))) {
if ((this.objectIdentity == null && rhs.objectIdentity == null)
|| (this.objectIdentity != null && this.objectIdentity
.equals(rhs.objectIdentity))) {
if ((this.id == null && rhs.id == null)
|| (this.id != null && this.id.equals(rhs.id))) {
if ((this.owner == null && rhs.owner == null)
|| (this.owner != null && this.owner
.equals(rhs.owner))) {
if (this.entriesInheriting == rhs.entriesInheriting) {
if ((this.loadedSids == null && rhs.loadedSids == null)) {
return true;
}
if (this.loadedSids != null
&& (this.loadedSids.size() == rhs.loadedSids
.size())) {
for (int i = 0; i < this.loadedSids.size(); i++) {
if (!this.loadedSids.get(i).equals(
rhs.loadedSids.get(i))) {
return false;
}
}
return true;
}
}
}
}
}
}
}
if (obj == this) {
return true;
}
return false;
if (obj == null || !(obj instanceof AclImpl)) {
return false;
}
AclImpl other = (AclImpl) obj;
boolean result = true;
result = result && this.aces.equals(other.aces);
result = result && ObjectUtils.nullSafeEquals(this.parentAcl, other.parentAcl);
result = result && ObjectUtils.nullSafeEquals(this.objectIdentity, other.objectIdentity);
result = result && ObjectUtils.nullSafeEquals(this.id, other.id);
result = result && ObjectUtils.nullSafeEquals(this.owner, other.owner);
result = result && this.entriesInheriting == other.entriesInheriting;
result = result && ObjectUtils.nullSafeEquals(this.loadedSids, other.loadedSids);
return result;
}
@Override
public int hashCode() {
int result = this.parentAcl != null ? this.parentAcl.hashCode() : 0;
int result = (this.parentAcl != null) ? this.parentAcl.hashCode() : 0;
result = 31 * result + this.aclAuthorizationStrategy.hashCode();
result = 31 * result + (this.permissionGrantingStrategy != null ?
this.permissionGrantingStrategy.hashCode() :
0);
result = 31 * result + (this.aces != null ? this.aces.hashCode() : 0);
result = 31 * result
+ ((this.permissionGrantingStrategy != null) ? this.permissionGrantingStrategy.hashCode() : 0);
result = 31 * result + ((this.aces != null) ? this.aces.hashCode() : 0);
result = 31 * result + this.objectIdentity.hashCode();
result = 31 * result + this.id.hashCode();
result = 31 * result + (this.owner != null ? this.owner.hashCode() : 0);
result = 31 * result + (this.loadedSids != null ? this.loadedSids.hashCode() : 0);
result = 31 * result + ((this.owner != null) ? this.owner.hashCode() : 0);
result = 31 * result + ((this.loadedSids != null) ? this.loadedSids.hashCode() : 0);
result = 31 * result + (this.entriesInheriting ? 1 : 0);
return result;
}
@ -364,33 +317,23 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
sb.append("id: ").append(this.id).append("; ");
sb.append("objectIdentity: ").append(this.objectIdentity).append("; ");
sb.append("owner: ").append(this.owner).append("; ");
int count = 0;
for (AccessControlEntry ace : aces) {
for (AccessControlEntry ace : this.aces) {
count++;
if (count == 1) {
sb.append("\n");
}
sb.append(ace).append("\n");
}
if (count == 0) {
sb.append("no ACEs; ");
}
sb.append("inheriting: ").append(this.entriesInheriting).append("; ");
sb.append("parent: ").append(
(this.parentAcl == null) ? "Null" : this.parentAcl.getObjectIdentity()
.toString());
sb.append("parent: ").append((this.parentAcl == null) ? "Null" : this.parentAcl.getObjectIdentity().toString());
sb.append("; ");
sb.append("aclAuthorizationStrategy: ").append(this.aclAuthorizationStrategy)
.append("; ");
sb.append("aclAuthorizationStrategy: ").append(this.aclAuthorizationStrategy).append("; ");
sb.append("permissionGrantingStrategy: ").append(this.permissionGrantingStrategy);
sb.append("]");
return sb.toString();
}

5
acl/src/main/java/org/springframework/security/acls/domain/AuditLogger.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import org.springframework.security.acls.model.AccessControlEntry;
@ -21,11 +22,9 @@ import org.springframework.security.acls.model.AccessControlEntry;
* Used by <code>AclImpl</code> to log audit events.
*
* @author Ben Alex
*
*/
public interface AuditLogger {
// ~ Methods
// ========================================================================================================
void logIfNeeded(boolean granted, AccessControlEntry ace);
}

7
acl/src/main/java/org/springframework/security/acls/domain/BasePermission.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import org.springframework.security.acls.model.Permission;
@ -28,10 +29,15 @@ import org.springframework.security.acls.model.Permission;
* @author Ben Alex
*/
public class BasePermission extends AbstractPermission {
public static final Permission READ = new BasePermission(1 << 0, 'R'); // 1
public static final Permission WRITE = new BasePermission(1 << 1, 'W'); // 2
public static final Permission CREATE = new BasePermission(1 << 2, 'C'); // 4
public static final Permission DELETE = new BasePermission(1 << 3, 'D'); // 8
public static final Permission ADMINISTRATION = new BasePermission(1 << 4, 'A'); // 16
protected BasePermission(int mask) {
@ -41,4 +47,5 @@ public class BasePermission extends AbstractPermission {
protected BasePermission(int mask, char code) {
super(mask, code);
}
}

8
acl/src/main/java/org/springframework/security/acls/domain/ConsoleAuditLogger.java
View File

@ -13,11 +13,11 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import org.springframework.security.acls.model.AccessControlEntry;
import org.springframework.security.acls.model.AuditableAccessControlEntry;
import org.springframework.util.Assert;
/**
@ -26,15 +26,12 @@ import org.springframework.util.Assert;
* @author Ben Alex
*/
public class ConsoleAuditLogger implements AuditLogger {
// ~ Methods
// ========================================================================================================
@Override
public void logIfNeeded(boolean granted, AccessControlEntry ace) {
Assert.notNull(ace, "AccessControlEntry required");
if (ace instanceof AuditableAccessControlEntry) {
AuditableAccessControlEntry auditableAce = (AuditableAccessControlEntry) ace;
if (granted && auditableAce.isAuditSuccess()) {
System.out.println("GRANTED due to ACE: " + ace);
}
@ -43,4 +40,5 @@ public class ConsoleAuditLogger implements AuditLogger {
}
}
}
}

11
acl/src/main/java/org/springframework/security/acls/domain/CumulativePermission.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import org.springframework.security.acls.model.Permission;
@ -37,27 +38,23 @@ public class CumulativePermission extends AbstractPermission {
public CumulativePermission clear(Permission permission) {
this.mask &= ~permission.getMask();
this.pattern = AclFormattingUtils.demergePatterns(this.pattern,
permission.getPattern());
this.pattern = AclFormattingUtils.demergePatterns(this.pattern, permission.getPattern());
return this;
}
public CumulativePermission clear() {
this.mask = 0;
this.pattern = THIRTY_TWO_RESERVED_OFF;
return this;
}
public CumulativePermission set(Permission permission) {
this.mask |= permission.getMask();
this.pattern = AclFormattingUtils.mergePatterns(this.pattern,
permission.getPattern());
this.pattern = AclFormattingUtils.mergePatterns(this.pattern, permission.getPattern());
return this;
}
@Override
public String getPattern() {
return this.pattern;
}

50
acl/src/main/java/org/springframework/security/acls/domain/DefaultPermissionFactory.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import java.lang.reflect.Field;
@ -38,7 +39,9 @@ import org.springframework.util.Assert;
* @since 2.0.3
*/
public class DefaultPermissionFactory implements PermissionFactory {
private final Map<Integer, Permission> registeredPermissionsByInteger = new HashMap<>();
private final Map<String, Permission> registeredPermissionsByName = new HashMap<>();
/**
@ -57,7 +60,6 @@ public class DefaultPermissionFactory implements PermissionFactory {
/**
* Registers a map of named <tt>Permission</tt> instances.
*
* @param namedPermissions the map of <tt>Permission</tt>s, keyed by name.
*/
public DefaultPermissionFactory(Map<String, ? extends Permission> namedPermissions) {
@ -71,27 +73,22 @@ public class DefaultPermissionFactory implements PermissionFactory {
* <p>
* These permissions will be registered under the name of the field. See
* {@link BasePermission} for an example.
*
* @param clazz a {@link Permission} class with public static fields to register
*/
protected void registerPublicPermissions(Class<? extends Permission> clazz) {
Assert.notNull(clazz, "Class required");
Field[] fields = clazz.getFields();
for (Field field : fields) {
try {
Object fieldValue = field.get(null);
if (Permission.class.isAssignableFrom(fieldValue.getClass())) {
// Found a Permission static field
Permission perm = (Permission) fieldValue;
String permissionName = field.getName();
registerPermission(perm, permissionName);
}
}
catch (Exception ignore) {
catch (Exception ex) {
}
}
}
@ -99,68 +96,57 @@ public class DefaultPermissionFactory implements PermissionFactory {
protected void registerPermission(Permission perm, String permissionName) {
Assert.notNull(perm, "Permission required");
Assert.hasText(permissionName, "Permission name required");
Integer mask = perm.getMask();
// Ensure no existing Permission uses this integer or code
Assert.isTrue(!registeredPermissionsByInteger.containsKey(mask),
Assert.isTrue(!this.registeredPermissionsByInteger.containsKey(mask),
() -> "An existing Permission already provides mask " + mask);
Assert.isTrue(!registeredPermissionsByName.containsKey(permissionName),
Assert.isTrue(!this.registeredPermissionsByName.containsKey(permissionName),
() -> "An existing Permission already provides name '" + permissionName + "'");
// Register the new Permission
registeredPermissionsByInteger.put(mask, perm);
registeredPermissionsByName.put(permissionName, perm);
this.registeredPermissionsByInteger.put(mask, perm);
this.registeredPermissionsByName.put(permissionName, perm);
}
@Override
public Permission buildFromMask(int mask) {
if (registeredPermissionsByInteger.containsKey(mask)) {
if (this.registeredPermissionsByInteger.containsKey(mask)) {
// The requested mask has an exact match against a statically-defined
// Permission, so return it
return registeredPermissionsByInteger.get(mask);
return this.registeredPermissionsByInteger.get(mask);
}
// To get this far, we have to use a CumulativePermission
CumulativePermission permission = new CumulativePermission();
for (int i = 0; i < 32; i++) {
int permissionToCheck = 1 << i;
if ((mask & permissionToCheck) == permissionToCheck) {
Permission p = registeredPermissionsByInteger.get(permissionToCheck);
if (p == null) {
throw new IllegalStateException("Mask '" + permissionToCheck
+ "' does not have a corresponding static Permission");
}
Permission p = this.registeredPermissionsByInteger.get(permissionToCheck);
Assert.state(p != null,
() -> "Mask '" + permissionToCheck + "' does not have a corresponding static Permission");
permission.set(p);
}
}
return permission;
}
@Override
public Permission buildFromName(String name) {
Permission p = registeredPermissionsByName.get(name);
if (p == null) {
throw new IllegalArgumentException("Unknown permission '" + name + "'");
}
Permission p = this.registeredPermissionsByName.get(name);
Assert.notNull(p, "Unknown permission '" + name + "'");
return p;
}
@Override
public List<Permission> buildFromNames(List<String> names) {
if ((names == null) || (names.size() == 0)) {
return Collections.emptyList();
}
List<Permission> permissions = new ArrayList<>(names.size());
for (String name : names) {
permissions.add(buildFromName(name));
}
return permissions;
}

45
acl/src/main/java/org/springframework/security/acls/domain/DefaultPermissionGrantingStrategy.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import java.util.List;
@ -61,42 +62,33 @@ public class DefaultPermissionGrantingStrategy implements PermissionGrantingStra
* decide how to handle the permission check. Similarly, if any of the SID arguments
* presented to the method were not loaded by the ACL,
* <code>UnloadedSidException</code> will be thrown.
*
* @param permission the exact permissions to scan for (order is important)
* @param sids the exact SIDs to scan for (order is important)
* @param administrativeMode if <code>true</code> denotes the query is for
* administrative purposes and no auditing will be undertaken
*
* @return <code>true</code> if one of the permissions has been granted,
* <code>false</code> if one of the permissions has been specifically revoked
*
* @throws NotFoundException if an exact ACE for one of the permission bit masks and
* SID combination could not be found
*/
public boolean isGranted(Acl acl, List<Permission> permission, List<Sid> sids,
boolean administrativeMode) throws NotFoundException {
final List<AccessControlEntry> aces = acl.getEntries();
@Override
public boolean isGranted(Acl acl, List<Permission> permission, List<Sid> sids, boolean administrativeMode)
throws NotFoundException {
List<AccessControlEntry> aces = acl.getEntries();
AccessControlEntry firstRejection = null;
for (Permission p : permission) {
for (Sid sid : sids) {
// Attempt to find exact match for this permission mask and SID
boolean scanNextSid = true;
for (AccessControlEntry ace : aces) {
if (isGranted(ace, p)
&& ace.getSid().equals(sid)) {
if (isGranted(ace, p) && ace.getSid().equals(sid)) {
// Found a matching ACE, so its authorization decision will
// prevail
if (ace.isGranting()) {
// Success
if (!administrativeMode) {
auditLogger.logIfNeeded(true, ace);
this.auditLogger.logIfNeeded(true, ace);
}
return true;
}
@ -107,13 +99,11 @@ public class DefaultPermissionGrantingStrategy implements PermissionGrantingStra
// Store first rejection for auditing reasons
firstRejection = ace;
}
scanNextSid = false; // helps break the loop
break; // exit aces loop
}
}
if (!scanNextSid) {
break; // exit SID for loop (now try next permission)
}
@ -124,9 +114,8 @@ public class DefaultPermissionGrantingStrategy implements PermissionGrantingStra
// We found an ACE to reject the request at this point, as no
// other ACEs were found that granted a different permission
if (!administrativeMode) {
auditLogger.logIfNeeded(false, firstRejection);
this.auditLogger.logIfNeeded(false, firstRejection);
}
return false;
}
@ -135,26 +124,22 @@ public class DefaultPermissionGrantingStrategy implements PermissionGrantingStra
// We have a parent, so let them try to find a matching ACE
return acl.getParentAcl().isGranted(permission, sids, false);
}
else {
// We either have no parent, or we're the uppermost parent
throw new NotFoundException(
"Unable to locate a matching ACE for passed permissions and SIDs");
}
// We either have no parent, or we're the uppermost parent
throw new NotFoundException("Unable to locate a matching ACE for passed permissions and SIDs");
}
/**
* Compares an ACE Permission to the given Permission.
* By default, we compare the Permission masks for exact match.
* Subclasses of this strategy can override this behavior and implement
* more sophisticated comparisons, e.g. a bitwise comparison for ACEs that grant access.
* <pre>{@code
* Compares an ACE Permission to the given Permission. By default, we compare the
* Permission masks for exact match. Subclasses of this strategy can override this
* behavior and implement more sophisticated comparisons, e.g. a bitwise comparison
* for ACEs that grant access. <pre>{@code
* if (ace.isGranting() && p.getMask() != 0) {
* return (ace.getPermission().getMask() & p.getMask()) != 0;
* } else {
* return ace.getPermission().getMask() == p.getMask();
* }
* }</pre>
*
* @param ace the ACE from the Acl holding the mask.
* @param p the Permission we are checking against.
* @return true, if the respective masks are considered to be equal.

75
acl/src/main/java/org/springframework/security/acls/domain/EhCacheBasedAclCache.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import java.io.Serializable;
@ -38,18 +39,14 @@ import org.springframework.util.Assert;
* @author Ben Alex
*/
public class EhCacheBasedAclCache implements AclCache {
// ~ Instance fields
// ================================================================================================
private final Ehcache cache;
private PermissionGrantingStrategy permissionGrantingStrategy;
private AclAuthorizationStrategy aclAuthorizationStrategy;
// ~ Constructors
// ===================================================================================================
public EhCacheBasedAclCache(Ehcache cache,
PermissionGrantingStrategy permissionGrantingStrategy,
public EhCacheBasedAclCache(Ehcache cache, PermissionGrantingStrategy permissionGrantingStrategy,
AclAuthorizationStrategy aclAuthorizationStrategy) {
Assert.notNull(cache, "Cache required");
Assert.notNull(permissionGrantingStrategy, "PermissionGrantingStrategy required");
@ -59,72 +56,55 @@ public class EhCacheBasedAclCache implements AclCache {
this.aclAuthorizationStrategy = aclAuthorizationStrategy;
}
// ~ Methods
// ========================================================================================================
@Override
public void evictFromCache(Serializable pk) {
Assert.notNull(pk, "Primary key (identifier) required");
MutableAcl acl = getFromCache(pk);
if (acl != null) {
cache.remove(acl.getId());
cache.remove(acl.getObjectIdentity());
this.cache.remove(acl.getId());
this.cache.remove(acl.getObjectIdentity());
}
}
@Override
public void evictFromCache(ObjectIdentity objectIdentity) {
Assert.notNull(objectIdentity, "ObjectIdentity required");
MutableAcl acl = getFromCache(objectIdentity);
if (acl != null) {
cache.remove(acl.getId());
cache.remove(acl.getObjectIdentity());
this.cache.remove(acl.getId());
this.cache.remove(acl.getObjectIdentity());
}
}
@Override
public MutableAcl getFromCache(ObjectIdentity objectIdentity) {
Assert.notNull(objectIdentity, "ObjectIdentity required");
Element element = null;
try {
element = cache.get(objectIdentity);
Element element = this.cache.get(objectIdentity);
return (element != null) ? initializeTransientFields((MutableAcl) element.getValue()) : null;
}
catch (CacheException ignored) {
}
if (element == null) {
catch (CacheException ex) {
return null;
}
return initializeTransientFields((MutableAcl) element.getValue());
}
@Override
public MutableAcl getFromCache(Serializable pk) {
Assert.notNull(pk, "Primary key (identifier) required");
Element element = null;
try {
element = cache.get(pk);
Element element = this.cache.get(pk);
return (element != null) ? initializeTransientFields((MutableAcl) element.getValue()) : null;
}
catch (CacheException ignored) {
}
if (element == null) {
catch (CacheException ex) {
return null;
}
return initializeTransientFields((MutableAcl) element.getValue());
}
@Override
public void putInCache(MutableAcl acl) {
Assert.notNull(acl, "Acl required");
Assert.notNull(acl.getObjectIdentity(), "ObjectIdentity required");
Assert.notNull(acl.getId(), "ID required");
if (this.aclAuthorizationStrategy == null) {
if (acl instanceof AclImpl) {
this.aclAuthorizationStrategy = (AclAuthorizationStrategy) FieldUtils
@ -133,30 +113,27 @@ public class EhCacheBasedAclCache implements AclCache {
.getProtectedFieldValue("permissionGrantingStrategy", acl);
}
}
if ((acl.getParentAcl() != null) && (acl.getParentAcl() instanceof MutableAcl)) {
putInCache((MutableAcl) acl.getParentAcl());
}
cache.put(new Element(acl.getObjectIdentity(), acl));
cache.put(new Element(acl.getId(), acl));
this.cache.put(new Element(acl.getObjectIdentity(), acl));
this.cache.put(new Element(acl.getId(), acl));
}
private MutableAcl initializeTransientFields(MutableAcl value) {
if (value instanceof AclImpl) {
FieldUtils.setProtectedFieldValue("aclAuthorizationStrategy", value,
this.aclAuthorizationStrategy);
FieldUtils.setProtectedFieldValue("permissionGrantingStrategy", value,
this.permissionGrantingStrategy);
FieldUtils.setProtectedFieldValue("aclAuthorizationStrategy", value, this.aclAuthorizationStrategy);
FieldUtils.setProtectedFieldValue("permissionGrantingStrategy", value, this.permissionGrantingStrategy);
}
if (value.getParentAcl() != null) {
initializeTransientFields((MutableAcl) value.getParentAcl());
}
return value;
}
@Override
public void clearCache() {
cache.removeAll();
this.cache.removeAll();
}
}

20
acl/src/main/java/org/springframework/security/acls/domain/GrantedAuthoritySid.java
View File

@ -13,11 +13,11 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.util.Assert;
/**
@ -31,14 +31,9 @@ import org.springframework.util.Assert;
* @author Ben Alex
*/
public class GrantedAuthoritySid implements Sid {
// ~ Instance fields
// ================================================================================================
private final String grantedAuthority;
// ~ Constructors
// ===================================================================================================
public GrantedAuthoritySid(String grantedAuthority) {
Assert.hasText(grantedAuthority, "GrantedAuthority required");
this.grantedAuthority = grantedAuthority;
@ -46,25 +41,19 @@ public class GrantedAuthoritySid implements Sid {
public GrantedAuthoritySid(GrantedAuthority grantedAuthority) {
Assert.notNull(grantedAuthority, "GrantedAuthority required");
Assert.notNull(
grantedAuthority.getAuthority(),
Assert.notNull(grantedAuthority.getAuthority(),
"This Sid is only compatible with GrantedAuthoritys that provide a non-null getAuthority()");
this.grantedAuthority = grantedAuthority.getAuthority();
}
// ~ Methods
// ========================================================================================================
@Override
public boolean equals(Object object) {
if ((object == null) || !(object instanceof GrantedAuthoritySid)) {
return false;
}
// Delegate to getGrantedAuthority() to perform actual comparison (both should be
// identical)
return ((GrantedAuthoritySid) object).getGrantedAuthority().equals(
this.getGrantedAuthority());
return ((GrantedAuthoritySid) object).getGrantedAuthority().equals(this.getGrantedAuthority());
}
@Override
@ -73,11 +62,12 @@ public class GrantedAuthoritySid implements Sid {
}
public String getGrantedAuthority() {
return grantedAuthority;
return this.grantedAuthority;
}
@Override
public String toString() {
return "GrantedAuthoritySid[" + this.grantedAuthority + "]";
}
}

12
acl/src/main/java/org/springframework/security/acls/domain/IdentityUnavailableException.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
/**
@ -21,12 +22,9 @@ package org.springframework.security.acls.domain;
* @author Ben Alex
*/
public class IdentityUnavailableException extends RuntimeException {
// ~ Constructors
// ===================================================================================================
/**
* Constructs an <code>IdentityUnavailableException</code> with the specified message.
*
* @param msg the detail message
*/
public IdentityUnavailableException(String msg) {
@ -36,11 +34,11 @@ public class IdentityUnavailableException extends RuntimeException {
/**
* Constructs an <code>IdentityUnavailableException</code> with the specified message
* and root cause.
*
* @param msg the detail message
* @param t root cause
* @param cause root cause
*/
public IdentityUnavailableException(String msg, Throwable t) {
super(msg, t);
public IdentityUnavailableException(String msg, Throwable cause) {
super(msg, cause);
}
}

69
acl/src/main/java/org/springframework/security/acls/domain/ObjectIdentityImpl.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import java.io.Serializable;
@ -31,19 +32,14 @@ import org.springframework.util.ClassUtils;
* @author Ben Alex
*/
public class ObjectIdentityImpl implements ObjectIdentity {
// ~ Instance fields
// ================================================================================================
private final String type;
private Serializable identifier;
// ~ Constructors
// ===================================================================================================
private Serializable identifier;
public ObjectIdentityImpl(String type, Serializable identifier) {
Assert.hasText(type, "Type required");
Assert.notNull(identifier, "identifier required");
this.identifier = identifier;
this.type = type;
}
@ -66,36 +62,28 @@ public class ObjectIdentityImpl implements ObjectIdentity {
* <p>
* The class name of the object passed will be considered the {@link #type}, so if
* more control is required, a different constructor should be used.
*
* @param object the domain object instance to create an identity for.
*
* @throws IdentityUnavailableException if identity could not be extracted
*/
public ObjectIdentityImpl(Object object) throws IdentityUnavailableException {
Assert.notNull(object, "object cannot be null");
Class<?> typeClass = ClassUtils.getUserClass(object.getClass());
type = typeClass.getName();
Object result;
try {
Method method = typeClass.getMethod("getId", new Class[] {});
result = method.invoke(object);
}
catch (Exception e) {
throw new IdentityUnavailableException(
"Could not extract identity from object " + object, e);
}
this.type = typeClass.getName();
Object result = invokeGetIdMethod(object, typeClass);
Assert.notNull(result, "getId() is required to return a non-null value");
Assert.isInstanceOf(Serializable.class, result,
"Getter must provide a return value of type Serializable");
Assert.isInstanceOf(Serializable.class, result, "Getter must provide a return value of type Serializable");
this.identifier = (Serializable) result;
}
// ~ Methods
// ========================================================================================================
private Object invokeGetIdMethod(Object object, Class<?> typeClass) {
try {
Method method = typeClass.getMethod("getId", new Class[] {});
return method.invoke(object);
}
catch (Exception ex) {
throw new IdentityUnavailableException("Could not extract identity from object " + object, ex);
}
}
/**
* Important so caching operates properly.
@ -105,49 +93,42 @@ public class ObjectIdentityImpl implements ObjectIdentity {
* <p>
* Numeric identities (Integer and Long values) are considered equal if they are
* numerically equal. Other serializable types are evaluated using a simple equality.
*
* @param arg0 object to compare
*
* @param obj object to compare
* @return <code>true</code> if the presented object matches this object
*/
@Override
public boolean equals(Object arg0) {
if (arg0 == null || !(arg0 instanceof ObjectIdentityImpl)) {
public boolean equals(Object obj) {
if (obj == null || !(obj instanceof ObjectIdentityImpl)) {
return false;
}
ObjectIdentityImpl other = (ObjectIdentityImpl) arg0;
if (identifier instanceof Number && other.identifier instanceof Number) {
ObjectIdentityImpl other = (ObjectIdentityImpl) obj;
if (this.identifier instanceof Number && other.identifier instanceof Number) {
// Integers and Longs with same value should be considered equal
if (((Number) identifier).longValue() != ((Number) other.identifier)
.longValue()) {
if (((Number) this.identifier).longValue() != ((Number) other.identifier).longValue()) {
return false;
}
}
else {
// Use plain equality for other serializable types
if (!identifier.equals(other.identifier)) {
if (!this.identifier.equals(other.identifier)) {
return false;
}
}
return type.equals(other.type);
return this.type.equals(other.type);
}
@Override
public Serializable getIdentifier() {
return identifier;
return this.identifier;
}
@Override
public String getType() {
return type;
return this.type;
}
/**
* Important so caching operates properly.
*
* @return the hash
*/
@Override
@ -163,7 +144,7 @@ public class ObjectIdentityImpl implements ObjectIdentity {
sb.append(this.getClass().getName()).append("[");
sb.append("Type: ").append(this.type);
sb.append("; Identifier: ").append(this.identifier).append("]");
return sb.toString();
}
}

8
acl/src/main/java/org/springframework/security/acls/domain/ObjectIdentityRetrievalStrategyImpl.java
View File

@ -29,16 +29,16 @@ import org.springframework.security.acls.model.ObjectIdentityRetrievalStrategy;
*
* @author Ben Alex
*/
public class ObjectIdentityRetrievalStrategyImpl implements
ObjectIdentityRetrievalStrategy, ObjectIdentityGenerator {
// ~ Methods
// ========================================================================================================
public class ObjectIdentityRetrievalStrategyImpl implements ObjectIdentityRetrievalStrategy, ObjectIdentityGenerator {
@Override
public ObjectIdentity getObjectIdentity(Object domainObject) {
return new ObjectIdentityImpl(domainObject);
}
@Override
public ObjectIdentity createObjectIdentity(Serializable id, String type) {
return new ObjectIdentityImpl(type, id);
}
}

5
acl/src/main/java/org/springframework/security/acls/domain/PermissionFactory.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import java.util.List;
@ -25,16 +26,13 @@ import org.springframework.security.acls.model.Permission;
*
* @author Ben Alex
* @since 2.0.3
*
*/
public interface PermissionFactory {
/**
* Dynamically creates a <code>CumulativePermission</code> or
* <code>BasePermission</code> representing the active bits in the passed mask.
*
* @param mask to build
*
* @return a Permission representing the requested object
*/
Permission buildFromMask(int mask);
@ -42,4 +40,5 @@ public interface PermissionFactory {
Permission buildFromName(String name);
List<Permission> buildFromNames(List<String> names);
}

15
acl/src/main/java/org/springframework/security/acls/domain/PrincipalSid.java
View File

@ -13,11 +13,11 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.core.Authentication;
import org.springframework.util.Assert;
/**
@ -31,14 +31,9 @@ import org.springframework.util.Assert;
* @author Ben Alex
*/
public class PrincipalSid implements Sid {
// ~ Instance fields
// ================================================================================================
private final String principal;
// ~ Constructors
// ===================================================================================================
public PrincipalSid(String principal) {
Assert.hasText(principal, "Principal required");
this.principal = principal;
@ -47,19 +42,14 @@ public class PrincipalSid implements Sid {
public PrincipalSid(Authentication authentication) {
Assert.notNull(authentication, "Authentication required");
Assert.notNull(authentication.getPrincipal(), "Principal required");
this.principal = authentication.getName();
}
// ~ Methods
// ========================================================================================================
@Override
public boolean equals(Object object) {
if ((object == null) || !(object instanceof PrincipalSid)) {
return false;
}
// Delegate to getPrincipal() to perform actual comparison (both should be
// identical)
return ((PrincipalSid) object).getPrincipal().equals(this.getPrincipal());
@ -71,11 +61,12 @@ public class PrincipalSid implements Sid {
}
public String getPrincipal() {
return principal;
return this.principal;
}
@Override
public String toString() {
return "PrincipalSid[" + this.principal + "]";
}
}

10
acl/src/main/java/org/springframework/security/acls/domain/SidRetrievalStrategyImpl.java
View File

@ -51,20 +51,16 @@ public class SidRetrievalStrategyImpl implements SidRetrievalStrategy {
this.roleHierarchy = roleHierarchy;
}
// ~ Methods
// ========================================================================================================
@Override
public List<Sid> getSids(Authentication authentication) {
Collection<? extends GrantedAuthority> authorities = roleHierarchy
Collection<? extends GrantedAuthority> authorities = this.roleHierarchy
.getReachableGrantedAuthorities(authentication.getAuthorities());
List<Sid> sids = new ArrayList<>(authorities.size() + 1);
sids.add(new PrincipalSid(authentication));
for (GrantedAuthority authority : authorities) {
sids.add(new GrantedAuthoritySid(authority));
}
return sids;
}
}

56
acl/src/main/java/org/springframework/security/acls/domain/SpringCacheBasedAclCache.java
View File

@ -13,8 +13,11 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import java.io.Serializable;
import org.springframework.cache.Cache;
import org.springframework.security.acls.model.AclCache;
import org.springframework.security.acls.model.MutableAcl;
@ -23,8 +26,6 @@ import org.springframework.security.acls.model.PermissionGrantingStrategy;
import org.springframework.security.util.FieldUtils;
import org.springframework.util.Assert;
import java.io.Serializable;
/**
* Simple implementation of {@link org.springframework.security.acls.model.AclCache} that
* delegates to {@link Cache} implementation.
@ -39,18 +40,14 @@ import java.io.Serializable;
* @since 3.2
*/
public class SpringCacheBasedAclCache implements AclCache {
// ~ Instance fields
// ================================================================================================
private final Cache cache;
private PermissionGrantingStrategy permissionGrantingStrategy;
private AclAuthorizationStrategy aclAuthorizationStrategy;
// ~ Constructors
// ===================================================================================================
public SpringCacheBasedAclCache(Cache cache,
PermissionGrantingStrategy permissionGrantingStrategy,
public SpringCacheBasedAclCache(Cache cache, PermissionGrantingStrategy permissionGrantingStrategy,
AclAuthorizationStrategy aclAuthorizationStrategy) {
Assert.notNull(cache, "Cache required");
Assert.notNull(permissionGrantingStrategy, "PermissionGrantingStrategy required");
@ -60,79 +57,72 @@ public class SpringCacheBasedAclCache implements AclCache {
this.aclAuthorizationStrategy = aclAuthorizationStrategy;
}
// ~ Methods
// ========================================================================================================
@Override
public void evictFromCache(Serializable pk) {
Assert.notNull(pk, "Primary key (identifier) required");
MutableAcl acl = getFromCache(pk);
if (acl != null) {
cache.evict(acl.getId());
cache.evict(acl.getObjectIdentity());
this.cache.evict(acl.getId());
this.cache.evict(acl.getObjectIdentity());
}
}
@Override
public void evictFromCache(ObjectIdentity objectIdentity) {
Assert.notNull(objectIdentity, "ObjectIdentity required");
MutableAcl acl = getFromCache(objectIdentity);
if (acl != null) {
cache.evict(acl.getId());
cache.evict(acl.getObjectIdentity());
this.cache.evict(acl.getId());
this.cache.evict(acl.getObjectIdentity());
}
}
@Override
public MutableAcl getFromCache(ObjectIdentity objectIdentity) {
Assert.notNull(objectIdentity, "ObjectIdentity required");
return getFromCache((Object) objectIdentity);
}
@Override
public MutableAcl getFromCache(Serializable pk) {
Assert.notNull(pk, "Primary key (identifier) required");
return getFromCache((Object) pk);
}
@Override
public void putInCache(MutableAcl acl) {
Assert.notNull(acl, "Acl required");
Assert.notNull(acl.getObjectIdentity(), "ObjectIdentity required");
Assert.notNull(acl.getId(), "ID required");
if ((acl.getParentAcl() != null) && (acl.getParentAcl() instanceof MutableAcl)) {
putInCache((MutableAcl) acl.getParentAcl());
}
cache.put(acl.getObjectIdentity(), acl);
cache.put(acl.getId(), acl);
this.cache.put(acl.getObjectIdentity(), acl);
this.cache.put(acl.getId(), acl);
}
private MutableAcl getFromCache(Object key) {
Cache.ValueWrapper element = cache.get(key);
Cache.ValueWrapper element = this.cache.get(key);
if (element == null) {
return null;
}
return initializeTransientFields((MutableAcl) element.get());
}
private MutableAcl initializeTransientFields(MutableAcl value) {
if (value instanceof AclImpl) {
FieldUtils.setProtectedFieldValue("aclAuthorizationStrategy", value,
this.aclAuthorizationStrategy);
FieldUtils.setProtectedFieldValue("permissionGrantingStrategy", value,
this.permissionGrantingStrategy);
FieldUtils.setProtectedFieldValue("aclAuthorizationStrategy", value, this.aclAuthorizationStrategy);
FieldUtils.setProtectedFieldValue("permissionGrantingStrategy", value, this.permissionGrantingStrategy);
}
if (value.getParentAcl() != null) {
initializeTransientFields((MutableAcl) value.getParentAcl());
}
return value;
}
@Override
public void clearCache() {
cache.clear();
this.cache.clear();
}
}

2
acl/src/main/java/org/springframework/security/acls/domain/package-info.java
View File

@ -13,8 +13,8 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
* Basic implementation of access control lists (ACLs) interfaces.
*/
package org.springframework.security.acls.domain;

85
acl/src/main/java/org/springframework/security/acls/jdbc/AclClassIdUtils.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.jdbc;
import java.io.Serializable;
@ -22,6 +23,7 @@ import java.util.UUID;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.convert.ConversionFailedException;
import org.springframework.core.convert.ConversionService;
import org.springframework.core.convert.TypeDescriptor;
@ -31,12 +33,16 @@ import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.util.Assert;
/**
* Utility class for helping convert database representations of {@link ObjectIdentity#getIdentifier()} into
* the correct Java type as specified by <code>acl_class.class_id_type</code>.
* Utility class for helping convert database representations of
* {@link ObjectIdentity#getIdentifier()} into the correct Java type as specified by
* <code>acl_class.class_id_type</code>.
*
* @author paulwheeler
*/
class AclClassIdUtils {
private static final String DEFAULT_CLASS_ID_TYPE_COLUMN_NAME = "class_id_type";
private static final Log log = LogFactory.getLog(AclClassIdUtils.class);
private ConversionService conversionService;
@ -54,88 +60,85 @@ class AclClassIdUtils {
}
/**
* Converts the raw type from the database into the right Java type. For most applications the 'raw type' will be Long, for some applications
* it could be String.
* Converts the raw type from the database into the right Java type. For most
* applications the 'raw type' will be Long, for some applications it could be String.
* @param identifier The identifier from the database
* @param resultSet Result set of the query
* @param resultSet Result set of the query
* @return The identifier in the appropriate target Java type. Typically Long or UUID.
* @throws SQLException
*/
Serializable identifierFrom(Serializable identifier, ResultSet resultSet) throws SQLException {
if (isString(identifier) && hasValidClassIdType(resultSet)
&& canConvertFromStringTo(classIdTypeFrom(resultSet))) {
identifier = convertFromStringTo((String) identifier, classIdTypeFrom(resultSet));
} else {
// Assume it should be a Long type
identifier = convertToLong(identifier);
&& canConvertFromStringTo(classIdTypeFrom(resultSet))) {
return convertFromStringTo((String) identifier, classIdTypeFrom(resultSet));
}
return identifier;
// Assume it should be a Long type
return convertToLong(identifier);
}
private boolean hasValidClassIdType(ResultSet resultSet) {
boolean hasClassIdType = false;
try {
hasClassIdType = classIdTypeFrom(resultSet) != null;
} catch (SQLException e) {
log.debug("Unable to obtain the class id type", e);
return classIdTypeFrom(resultSet) != null;
}
catch (SQLException ex) {
log.debug("Unable to obtain the class id type", ex);
return false;
}
return hasClassIdType;
}
private <T extends Serializable> Class<T> classIdTypeFrom(ResultSet resultSet) throws SQLException {
private <T extends Serializable> Class<T> classIdTypeFrom(ResultSet resultSet) throws SQLException {
return classIdTypeFrom(resultSet.getString(DEFAULT_CLASS_ID_TYPE_COLUMN_NAME));
}
private <T extends Serializable> Class<T> classIdTypeFrom(String className) {
Class targetType = null;
if (className != null) {
try {
targetType = Class.forName(className);
} catch (ClassNotFoundException e) {
log.debug("Unable to find class id type on classpath", e);
}
if (className == null) {
return null;
}
try {
return (Class) Class.forName(className);
}
catch (ClassNotFoundException ex) {
log.debug("Unable to find class id type on classpath", ex);
return null;
}
return targetType;
}
private <T> boolean canConvertFromStringTo(Class<T> targetType) {
return conversionService.canConvert(String.class, targetType);
return this.conversionService.canConvert(String.class, targetType);
}
private <T extends Serializable> T convertFromStringTo(String identifier, Class<T> targetType) {
return conversionService.convert(identifier, targetType);
return this.conversionService.convert(identifier, targetType);
}
/**
* Converts to a {@link Long}, attempting to use the {@link ConversionService} if available.
* @param identifier The identifier
* Converts to a {@link Long}, attempting to use the {@link ConversionService} if
* available.
* @param identifier The identifier
* @return Long version of the identifier
* @throws NumberFormatException if the string cannot be parsed to a long.
* @throws org.springframework.core.convert.ConversionException if a conversion exception occurred
* @throws org.springframework.core.convert.ConversionException if a conversion
* exception occurred
* @throws IllegalArgumentException if targetType is null
*/
private Long convertToLong(Serializable identifier) {
Long idAsLong;
if (conversionService.canConvert(identifier.getClass(), Long.class)) {
idAsLong = conversionService.convert(identifier, Long.class);
} else {
idAsLong = Long.valueOf(identifier.toString());
if (this.conversionService.canConvert(identifier.getClass(), Long.class)) {
return this.conversionService.convert(identifier, Long.class);
}
return idAsLong;
return Long.valueOf(identifier.toString());
}
private boolean isString(Serializable object) {
return object.getClass().isAssignableFrom(String.class);
}
public void setConversionService(ConversionService conversionService) {
void setConversionService(ConversionService conversionService) {
Assert.notNull(conversionService, "conversionService must not be null");
this.conversionService = conversionService;
}
private static class StringToLongConverter implements Converter<String, Long> {
@Override
public Long convert(String identifierAsString) {
if (identifierAsString == null) {
@ -145,9 +148,11 @@ class AclClassIdUtils {
}
return Long.parseLong(identifierAsString);
}
}
private static class StringToUUIDConverter implements Converter<String, UUID> {
@Override
public UUID convert(String identifierAsString) {
if (identifierAsString == null) {
@ -157,5 +162,7 @@ class AclClassIdUtils {
}
return UUID.fromString(identifierAsString);
}
}
}

352
acl/src/main/java/org/springframework/security/acls/jdbc/BasicLookupStrategy.java
View File

@ -13,10 +13,12 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.jdbc;
import java.io.Serializable;
import java.lang.reflect.Field;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
@ -68,9 +70,9 @@ import org.springframework.util.Assert;
* as it is likely to change in future releases and therefore subclassing is unsupported.
* <p>
* There are two SQL queries executed, one in the <tt>lookupPrimaryKeys</tt> method and
* one in <tt>lookupObjectIdentities</tt>. These are built from the same select and
* "order by" clause, using a different where clause in each case. In order to use custom
* schema or column names, each of these SQL clauses can be customized, but they must be
* one in <tt>lookupObjectIdentities</tt>. These are built from the same select and "order
* by" clause, using a different where clause in each case. In order to use custom schema
* or column names, each of these SQL clauses can be customized, but they must be
* consistent with each other and with the expected result set generated by the the
* default values.
*
@ -78,183 +80,151 @@ import org.springframework.util.Assert;
*/
public class BasicLookupStrategy implements LookupStrategy {
private final static String DEFAULT_SELECT_CLAUSE_COLUMNS = "select acl_object_identity.object_id_identity, "
+ "acl_entry.ace_order, "
+ "acl_object_identity.id as acl_id, "
+ "acl_object_identity.parent_object, "
+ "acl_object_identity.entries_inheriting, "
+ "acl_entry.id as ace_id, "
+ "acl_entry.mask, "
+ "acl_entry.granting, "
+ "acl_entry.audit_success, "
+ "acl_entry.audit_failure, "
+ "acl_sid.principal as ace_principal, "
+ "acl_sid.sid as ace_sid, "
+ "acli_sid.principal as acl_principal, "
+ "acli_sid.sid as acl_sid, "
+ "acl_class.class ";
private final static String DEFAULT_SELECT_CLAUSE_ACL_CLASS_ID_TYPE_COLUMN = ", acl_class.class_id_type ";
private final static String DEFAULT_SELECT_CLAUSE_FROM = "from acl_object_identity "
private static final String DEFAULT_SELECT_CLAUSE_COLUMNS = "select acl_object_identity.object_id_identity, "
+ "acl_entry.ace_order, " + "acl_object_identity.id as acl_id, " + "acl_object_identity.parent_object, "
+ "acl_object_identity.entries_inheriting, " + "acl_entry.id as ace_id, " + "acl_entry.mask, "
+ "acl_entry.granting, " + "acl_entry.audit_success, " + "acl_entry.audit_failure, "
+ "acl_sid.principal as ace_principal, " + "acl_sid.sid as ace_sid, "
+ "acli_sid.principal as acl_principal, " + "acli_sid.sid as acl_sid, " + "acl_class.class ";
private static final String DEFAULT_SELECT_CLAUSE_ACL_CLASS_ID_TYPE_COLUMN = ", acl_class.class_id_type ";
private static final String DEFAULT_SELECT_CLAUSE_FROM = "from acl_object_identity "
+ "left join acl_sid acli_sid on acli_sid.id = acl_object_identity.owner_sid "
+ "left join acl_class on acl_class.id = acl_object_identity.object_id_class "
+ "left join acl_entry on acl_object_identity.id = acl_entry.acl_object_identity "
+ "left join acl_sid on acl_entry.sid = acl_sid.id " + "where ( ";
public final static String DEFAULT_SELECT_CLAUSE = DEFAULT_SELECT_CLAUSE_COLUMNS + DEFAULT_SELECT_CLAUSE_FROM;
public static final String DEFAULT_SELECT_CLAUSE = DEFAULT_SELECT_CLAUSE_COLUMNS + DEFAULT_SELECT_CLAUSE_FROM;
public final static String DEFAULT_ACL_CLASS_ID_SELECT_CLAUSE = DEFAULT_SELECT_CLAUSE_COLUMNS +
DEFAULT_SELECT_CLAUSE_ACL_CLASS_ID_TYPE_COLUMN + DEFAULT_SELECT_CLAUSE_FROM;
public static final String DEFAULT_ACL_CLASS_ID_SELECT_CLAUSE = DEFAULT_SELECT_CLAUSE_COLUMNS
+ DEFAULT_SELECT_CLAUSE_ACL_CLASS_ID_TYPE_COLUMN + DEFAULT_SELECT_CLAUSE_FROM;
private final static String DEFAULT_LOOKUP_KEYS_WHERE_CLAUSE = "(acl_object_identity.id = ?)";
private static final String DEFAULT_LOOKUP_KEYS_WHERE_CLAUSE = "(acl_object_identity.id = ?)";
private final static String DEFAULT_LOOKUP_IDENTITIES_WHERE_CLAUSE = "(acl_object_identity.object_id_identity = ? and acl_class.class = ?)";
private static final String DEFAULT_LOOKUP_IDENTITIES_WHERE_CLAUSE = "(acl_object_identity.object_id_identity = ? and acl_class.class = ?)";
public final static String DEFAULT_ORDER_BY_CLAUSE = ") order by acl_object_identity.object_id_identity"
public static final String DEFAULT_ORDER_BY_CLAUSE = ") order by acl_object_identity.object_id_identity"
+ " asc, acl_entry.ace_order asc";
// ~ Instance fields
// ================================================================================================
private final AclAuthorizationStrategy aclAuthorizationStrategy;
private PermissionFactory permissionFactory = new DefaultPermissionFactory();
private final AclCache aclCache;
private final PermissionGrantingStrategy grantingStrategy;
private final JdbcTemplate jdbcTemplate;
private int batchSize = 50;
private final Field fieldAces = FieldUtils.getField(AclImpl.class, "aces");
private final Field fieldAcl = FieldUtils.getField(AccessControlEntryImpl.class,
"acl");
private final Field fieldAcl = FieldUtils.getField(AccessControlEntryImpl.class, "acl");
// SQL Customization fields
private String selectClause = DEFAULT_SELECT_CLAUSE;
private String lookupPrimaryKeysWhereClause = DEFAULT_LOOKUP_KEYS_WHERE_CLAUSE;
private String lookupObjectIdentitiesWhereClause = DEFAULT_LOOKUP_IDENTITIES_WHERE_CLAUSE;
private String orderByClause = DEFAULT_ORDER_BY_CLAUSE;
private AclClassIdUtils aclClassIdUtils;
// ~ Constructors
// ===================================================================================================
/**
* Constructor accepting mandatory arguments
*
* @param dataSource to access the database
* @param aclCache the cache where fully-loaded elements can be stored
* @param aclAuthorizationStrategy authorization strategy (required)
*/
public BasicLookupStrategy(DataSource dataSource, AclCache aclCache,
AclAuthorizationStrategy aclAuthorizationStrategy, AuditLogger auditLogger) {
this(dataSource, aclCache, aclAuthorizationStrategy,
new DefaultPermissionGrantingStrategy(auditLogger));
this(dataSource, aclCache, aclAuthorizationStrategy, new DefaultPermissionGrantingStrategy(auditLogger));
}
/**
* Creates a new instance
*
* @param dataSource to access the database
* @param aclCache the cache where fully-loaded elements can be stored
* @param aclAuthorizationStrategy authorization strategy (required)
* @param grantingStrategy the PermissionGrantingStrategy
*/
public BasicLookupStrategy(DataSource dataSource, AclCache aclCache,
AclAuthorizationStrategy aclAuthorizationStrategy,
PermissionGrantingStrategy grantingStrategy) {
AclAuthorizationStrategy aclAuthorizationStrategy, PermissionGrantingStrategy grantingStrategy) {
Assert.notNull(dataSource, "DataSource required");
Assert.notNull(aclCache, "AclCache required");
Assert.notNull(aclAuthorizationStrategy, "AclAuthorizationStrategy required");
Assert.notNull(grantingStrategy, "grantingStrategy required");
jdbcTemplate = new JdbcTemplate(dataSource);
this.jdbcTemplate = new JdbcTemplate(dataSource);
this.aclCache = aclCache;
this.aclAuthorizationStrategy = aclAuthorizationStrategy;
this.grantingStrategy = grantingStrategy;
this.aclClassIdUtils = new AclClassIdUtils();
fieldAces.setAccessible(true);
fieldAcl.setAccessible(true);
this.fieldAces.setAccessible(true);
this.fieldAcl.setAccessible(true);
}
// ~ Methods
// ========================================================================================================
private String computeRepeatingSql(String repeatingSql, int requiredRepetitions) {
assert requiredRepetitions > 0 : "requiredRepetitions must be > 0";
final String startSql = selectClause;
final String endSql = orderByClause;
StringBuilder sqlStringBldr = new StringBuilder(startSql.length()
+ endSql.length() + requiredRepetitions * (repeatingSql.length() + 4));
Assert.isTrue(requiredRepetitions > 0, "requiredRepetitions must be > 0");
String startSql = this.selectClause;
String endSql = this.orderByClause;
StringBuilder sqlStringBldr = new StringBuilder(
startSql.length() + endSql.length() + requiredRepetitions * (repeatingSql.length() + 4));
sqlStringBldr.append(startSql);
for (int i = 1; i <= requiredRepetitions; i++) {
sqlStringBldr.append(repeatingSql);
if (i != requiredRepetitions) {
sqlStringBldr.append(" or ");
}
}
sqlStringBldr.append(endSql);
return sqlStringBldr.toString();
}
@SuppressWarnings("unchecked")
private List<AccessControlEntryImpl> readAces(AclImpl acl) {
try {
return (List<AccessControlEntryImpl>) fieldAces.get(acl);
return (List<AccessControlEntryImpl>) this.fieldAces.get(acl);
}
catch (IllegalAccessException e) {
throw new IllegalStateException("Could not obtain AclImpl.aces field", e);
catch (IllegalAccessException ex) {
throw new IllegalStateException("Could not obtain AclImpl.aces field", ex);
}
}
private void setAclOnAce(AccessControlEntryImpl ace, AclImpl acl) {
try {
fieldAcl.set(ace, acl);
this.fieldAcl.set(ace, acl);
}
catch (IllegalAccessException e) {
throw new IllegalStateException(
"Could not or set AclImpl on AccessControlEntryImpl fields", e);
catch (IllegalAccessException ex) {
throw new IllegalStateException("Could not or set AclImpl on AccessControlEntryImpl fields", ex);
}
}
private void setAces(AclImpl acl, List<AccessControlEntryImpl> aces) {
try {
fieldAces.set(acl, aces);
this.fieldAces.set(acl, aces);
}
catch (IllegalAccessException e) {
throw new IllegalStateException("Could not set AclImpl entries", e);
catch (IllegalAccessException ex) {
throw new IllegalStateException("Could not set AclImpl entries", ex);
}
}
/**
* Locates the primary key IDs specified in "findNow", adding AclImpl instances with
* StubAclParents to the "acls" Map.
*
* @param acls the AclImpls (with StubAclParents)
* @param findNow Long-based primary keys to retrieve
* @param sids
*/
private void lookupPrimaryKeys(final Map<Serializable, Acl> acls,
final Set<Long> findNow, final List<Sid> sids) {
private void lookupPrimaryKeys(final Map<Serializable, Acl> acls, final Set<Long> findNow, final List<Sid> sids) {
Assert.notNull(acls, "ACLs are required");
Assert.notEmpty(findNow, "Items to find now required");
String sql = computeRepeatingSql(lookupPrimaryKeysWhereClause, findNow.size());
Set<Long> parentsToLookup = jdbcTemplate.query(sql,
ps -> {
int i = 0;
for (Long toFind : findNow) {
i++;
ps.setLong(i, toFind);
}
}, new ProcessResultSet(acls, sids));
String sql = computeRepeatingSql(this.lookupPrimaryKeysWhereClause, findNow.size());
Set<Long> parentsToLookup = this.jdbcTemplate.query(sql, (ps) -> setKeys(ps, findNow),
new ProcessResultSet(acls, sids));
// Lookup the parents, now that our JdbcTemplate has released the database
// connection (SEC-547)
if (parentsToLookup.size() > 0) {
@ -262,6 +232,14 @@ public class BasicLookupStrategy implements LookupStrategy {
}
}
private void setKeys(PreparedStatement ps, Set<Long> findNow) throws SQLException {
int i = 0;
for (Long toFind : findNow) {
i++;
ps.setLong(i, toFind);
}
}
/**
* The main method.
* <p>
@ -271,85 +249,61 @@ public class BasicLookupStrategy implements LookupStrategy {
* develop a custom {@link LookupStrategy} implementation instead.
* <p>
* The implementation works in batch sizes specified by {@link #batchSize}.
*
* @param objects the identities to lookup (required)
* @param sids the SIDs for which identities are required (ignored by this
* implementation)
*
* @return a <tt>Map</tt> where keys represent the {@link ObjectIdentity} of the
* located {@link Acl} and values are the located {@link Acl} (never <tt>null</tt>
* although some entries may be missing; this method should not throw
* {@link NotFoundException}, as a chain of {@link LookupStrategy}s may be used to
* automatically create entries if required)
*/
public final Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects,
List<Sid> sids) {
Assert.isTrue(batchSize >= 1, "BatchSize must be >= 1");
@Override
public final Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, List<Sid> sids) {
Assert.isTrue(this.batchSize >= 1, "BatchSize must be >= 1");
Assert.notEmpty(objects, "Objects to lookup required");
// Map<ObjectIdentity,Acl>
Map<ObjectIdentity, Acl> result = new HashMap<>(); // contains
// FULLY
// loaded
// Acl
// objects
// contains FULLY loaded Acl objects
Map<ObjectIdentity, Acl> result = new HashMap<>();
Set<ObjectIdentity> currentBatchToLoad = new HashSet<>();
for (int i = 0; i < objects.size(); i++) {
final ObjectIdentity oid = objects.get(i);
boolean aclFound = false;
// Check we don't already have this ACL in the results
if (result.containsKey(oid)) {
aclFound = true;
}
// Check cache for the present ACL entry
if (!aclFound) {
Acl acl = aclCache.getFromCache(oid);
Acl acl = this.aclCache.getFromCache(oid);
// Ensure any cached element supports all the requested SIDs
// (they should always, as our base impl doesn't filter on SID)
if (acl != null) {
if (acl.isSidLoaded(sids)) {
result.put(acl.getObjectIdentity(), acl);
aclFound = true;
}
else {
throw new IllegalStateException(
"Error: SID-filtered element detected when implementation does not perform SID filtering "
+ "- have you added something to the cache manually?");
}
Assert.state(acl.isSidLoaded(sids),
"Error: SID-filtered element detected when implementation does not perform SID filtering "
+ "- have you added something to the cache manually?");
result.put(acl.getObjectIdentity(), acl);
aclFound = true;
}
}
// Load the ACL from the database
if (!aclFound) {
currentBatchToLoad.add(oid);
}
// Is it time to load from JDBC the currentBatchToLoad?
if ((currentBatchToLoad.size() == this.batchSize)
|| ((i + 1) == objects.size())) {
if ((currentBatchToLoad.size() == this.batchSize) || ((i + 1) == objects.size())) {
if (currentBatchToLoad.size() > 0) {
Map<ObjectIdentity, Acl> loadedBatch = lookupObjectIdentities(
currentBatchToLoad, sids);
Map<ObjectIdentity, Acl> loadedBatch = lookupObjectIdentities(currentBatchToLoad, sids);
// Add loaded batch (all elements 100% initialized) to results
result.putAll(loadedBatch);
// Add the loaded batch to the cache
for (Acl loadedAcl : loadedBatch.values()) {
aclCache.putInCache((AclImpl) loadedAcl);
this.aclCache.putInCache((AclImpl) loadedAcl);
}
currentBatchToLoad.clear();
}
}
}
return result;
}
@ -362,39 +316,20 @@ public class BasicLookupStrategy implements LookupStrategy {
* <p>
* This subclass is required to return fully valid <code>Acl</code>s, including
* properly-configured parent ACLs.
*
*/
private Map<ObjectIdentity, Acl> lookupObjectIdentities(
final Collection<ObjectIdentity> objectIdentities, List<Sid> sids) {
private Map<ObjectIdentity, Acl> lookupObjectIdentities(final Collection<ObjectIdentity> objectIdentities,
List<Sid> sids) {
Assert.notEmpty(objectIdentities, "Must provide identities to lookup");
final Map<Serializable, Acl> acls = new HashMap<>(); // contains
// Acls
// with
// StubAclParents
// contains Acls with StubAclParents
Map<Serializable, Acl> acls = new HashMap<>();
// Make the "acls" map contain all requested objectIdentities
// (including markers to each parent in the hierarchy)
String sql = computeRepeatingSql(lookupObjectIdentitiesWhereClause,
objectIdentities.size());
String sql = computeRepeatingSql(this.lookupObjectIdentitiesWhereClause, objectIdentities.size());
Set<Long> parentsToLookup = jdbcTemplate.query(sql,
ps -> {
int i = 0;
for (ObjectIdentity oid : objectIdentities) {
// Determine prepared statement values for this iteration
String type = oid.getType();
// No need to check for nulls, as guaranteed non-null by
// ObjectIdentity.getIdentifier() interface contract
String identifier = oid.getIdentifier().toString();
// Inject values
ps.setString((2 * i) + 1, identifier);
ps.setString((2 * i) + 2, type);
i++;
}
}, new ProcessResultSet(acls, sids));
Set<Long> parentsToLookup = this.jdbcTemplate.query(sql,
(ps) -> setupLookupObjectIdentitiesStatement(ps, objectIdentities), new ProcessResultSet(acls, sids));
// Lookup the parents, now that our JdbcTemplate has released the database
// connection (SEC-547)
@ -404,13 +339,9 @@ public class BasicLookupStrategy implements LookupStrategy {
// Finally, convert our "acls" containing StubAclParents into true Acls
Map<ObjectIdentity, Acl> resultMap = new HashMap<>();
for (Acl inputAcl : acls.values()) {
Assert.isInstanceOf(AclImpl.class, inputAcl,
"Map should have contained an AclImpl");
Assert.isInstanceOf(Long.class, ((AclImpl) inputAcl).getId(),
"Acl.getId() must be Long");
Assert.isInstanceOf(AclImpl.class, inputAcl, "Map should have contained an AclImpl");
Assert.isInstanceOf(Long.class, ((AclImpl) inputAcl).getId(), "Acl.getId() must be Long");
Acl result = convert(acls, (Long) ((AclImpl) inputAcl).getId());
resultMap.put(result.getObjectIdentity(), result);
}
@ -418,15 +349,31 @@ public class BasicLookupStrategy implements LookupStrategy {
return resultMap;
}
private void setupLookupObjectIdentitiesStatement(PreparedStatement ps, Collection<ObjectIdentity> objectIdentities)
throws SQLException {
int i = 0;
for (ObjectIdentity oid : objectIdentities) {
// Determine prepared statement values for this iteration
String type = oid.getType();
// No need to check for nulls, as guaranteed non-null by
// ObjectIdentity.getIdentifier() interface contract
String identifier = oid.getIdentifier().toString();
// Inject values
ps.setString((2 * i) + 1, identifier);
ps.setString((2 * i) + 2, type);
i++;
}
}
/**
* The final phase of converting the <code>Map</code> of <code>AclImpl</code>
* instances which contain <code>StubAclParent</code>s into proper, valid
* <code>AclImpl</code>s with correct ACL parents.
*
* @param inputMap the unconverted <code>AclImpl</code>s
* @param currentIdentity the current<code>Acl</code> that we wish to convert (this
* may be
*
*/
private AclImpl convert(Map<Serializable, Acl> inputMap, Long currentIdentity) {
Assert.notEmpty(inputMap, "InputMap required");
@ -434,8 +381,7 @@ public class BasicLookupStrategy implements LookupStrategy {
// Retrieve this Acl from the InputMap
Acl uncastAcl = inputMap.get(currentIdentity);
Assert.isInstanceOf(AclImpl.class, uncastAcl,
"The inputMap contained a non-AclImpl");
Assert.isInstanceOf(AclImpl.class, uncastAcl, "The inputMap contained a non-AclImpl");
AclImpl inputAcl = (AclImpl) uncastAcl;
@ -448,9 +394,8 @@ public class BasicLookupStrategy implements LookupStrategy {
}
// Now we have the parent (if there is one), create the true AclImpl
AclImpl result = new AclImpl(inputAcl.getObjectIdentity(),
inputAcl.getId(), aclAuthorizationStrategy, grantingStrategy,
parent, null, inputAcl.isEntriesInheriting(), inputAcl.getOwner());
AclImpl result = new AclImpl(inputAcl.getObjectIdentity(), inputAcl.getId(), this.aclAuthorizationStrategy,
this.grantingStrategy, parent, null, inputAcl.isEntriesInheriting(), inputAcl.getOwner());
// Copy the "aces" from the input to the destination
@ -477,7 +422,6 @@ public class BasicLookupStrategy implements LookupStrategy {
/**
* Creates a particular implementation of {@link Sid} depending on the arguments.
*
* @param sid the name of the sid representing its unique identifier. In typical ACL
* database schema it's located in table {@code acl_sid} table, {@code sid} column.
* @param isPrincipal whether it's a user or granted authority like role
@ -487,16 +431,13 @@ public class BasicLookupStrategy implements LookupStrategy {
if (isPrincipal) {
return new PrincipalSid(sid);
}
else {
return new GrantedAuthoritySid(sid);
}
return new GrantedAuthoritySid(sid);
}
/**
* Sets the {@code PermissionFactory} instance which will be used to convert loaded
* permission data values to {@code Permission}s. A {@code DefaultPermissionFactory}
* will be used by default.
*
* @param permissionFactory
*/
public final void setPermissionFactory(PermissionFactory permissionFactory) {
@ -510,7 +451,6 @@ public class BasicLookupStrategy implements LookupStrategy {
/**
* The SQL for the select clause. If customizing in order to modify column names,
* schema etc, the other SQL customization fields must also be set to match.
*
* @param selectClause the select clause, which defaults to
* {@link #DEFAULT_SELECT_CLAUSE}.
*/
@ -528,8 +468,7 @@ public class BasicLookupStrategy implements LookupStrategy {
/**
* The SQL for the where clause used in the <tt>lookupObjectIdentities</tt> method.
*/
public final void setLookupObjectIdentitiesWhereClause(
String lookupObjectIdentitiesWhereClause) {
public final void setLookupObjectIdentitiesWhereClause(String lookupObjectIdentitiesWhereClause) {
this.lookupObjectIdentitiesWhereClause = lookupObjectIdentitiesWhereClause;
}
@ -542,8 +481,9 @@ public class BasicLookupStrategy implements LookupStrategy {
public final void setAclClassIdSupported(boolean aclClassIdSupported) {
if (aclClassIdSupported) {
Assert.isTrue(this.selectClause.equals(DEFAULT_SELECT_CLAUSE), "Cannot set aclClassIdSupported and override the select clause; "
+ "just override the select clause");
Assert.isTrue(this.selectClause.equals(DEFAULT_SELECT_CLAUSE),
"Cannot set aclClassIdSupported and override the select clause; "
+ "just override the select clause");
this.selectClause = DEFAULT_ACL_CLASS_ID_SELECT_CLAUSE;
}
}
@ -552,11 +492,10 @@ public class BasicLookupStrategy implements LookupStrategy {
this.aclClassIdUtils = new AclClassIdUtils(conversionService);
}
// ~ Inner Classes
// ==================================================================================================
private class ProcessResultSet implements ResultSetExtractor<Set<Long>> {
private final Map<Serializable, Acl> acls;
private final List<Sid> sids;
ProcessResultSet(Map<Serializable, Acl> acls, List<Sid> sids) {
@ -575,32 +514,32 @@ public class BasicLookupStrategy implements LookupStrategy {
* <tt>null</tt>)
* @throws SQLException
*/
@Override
public Set<Long> extractData(ResultSet rs) throws SQLException {
Set<Long> parentIdsToLookup = new HashSet<>(); // Set of parent_id Longs
while (rs.next()) {
// Convert current row into an Acl (albeit with a StubAclParent)
convertCurrentResultIntoObject(acls, rs);
convertCurrentResultIntoObject(this.acls, rs);
// Figure out if this row means we need to lookup another parent
long parentId = rs.getLong("parent_object");
if (parentId != 0) {
// See if it's already in the "acls"
if (acls.containsKey(parentId)) {
if (this.acls.containsKey(parentId)) {
continue; // skip this while iteration
}
// Now try to find it in the cache
MutableAcl cached = aclCache.getFromCache(parentId);
if ((cached == null) || !cached.isSidLoaded(sids)) {
MutableAcl cached = BasicLookupStrategy.this.aclCache.getFromCache(parentId);
if ((cached == null) || !cached.isSidLoaded(this.sids)) {
parentIdsToLookup.add(parentId);
}
else {
// Pop into the acls map, so our convert method doesn't
// need to deal with an unsynchronized AclCache
acls.put(cached.getId(), cached);
this.acls.put(cached.getId(), cached);
}
}
}
@ -612,15 +551,12 @@ public class BasicLookupStrategy implements LookupStrategy {
/**
* Accepts the current <code>ResultSet</code> row, and converts it into an
* <code>AclImpl</code> that contains a <code>StubAclParent</code>
*
* @param acls the Map we should add the converted Acl to
* @param rs the ResultSet focused on a current row
*
* @throws SQLException if something goes wrong converting values
* @throws ConversionException if can't convert to the desired Java type
*/
private void convertCurrentResultIntoObject(Map<Serializable, Acl> acls,
ResultSet rs) throws SQLException {
private void convertCurrentResultIntoObject(Map<Serializable, Acl> acls, ResultSet rs) throws SQLException {
Long id = rs.getLong("acl_id");
// If we already have an ACL for this ID, just create the ACE
@ -629,11 +565,11 @@ public class BasicLookupStrategy implements LookupStrategy {
if (acl == null) {
// Make an AclImpl and pop it into the Map
// If the Java type is a String, check to see if we can convert it to the target id type, e.g. UUID.
// If the Java type is a String, check to see if we can convert it to the
// target id type, e.g. UUID.
Serializable identifier = (Serializable) rs.getObject("object_id_identity");
identifier = aclClassIdUtils.identifierFrom(identifier, rs);
ObjectIdentity objectIdentity = new ObjectIdentityImpl(
rs.getString("class"), identifier);
identifier = BasicLookupStrategy.this.aclClassIdUtils.identifierFrom(identifier, rs);
ObjectIdentity objectIdentity = new ObjectIdentityImpl(rs.getString("class"), identifier);
Acl parentAcl = null;
long parentAclId = rs.getLong("parent_object");
@ -643,11 +579,10 @@ public class BasicLookupStrategy implements LookupStrategy {
}
boolean entriesInheriting = rs.getBoolean("entries_inheriting");
Sid owner = createSid(rs.getBoolean("acl_principal"),
rs.getString("acl_sid"));
Sid owner = createSid(rs.getBoolean("acl_principal"), rs.getString("acl_sid"));
acl = new AclImpl(objectIdentity, id, aclAuthorizationStrategy,
grantingStrategy, parentAcl, null, entriesInheriting, owner);
acl = new AclImpl(objectIdentity, id, BasicLookupStrategy.this.aclAuthorizationStrategy,
BasicLookupStrategy.this.grantingStrategy, parentAcl, null, entriesInheriting, owner);
acls.put(id, acl);
}
@ -657,17 +592,16 @@ public class BasicLookupStrategy implements LookupStrategy {
// ACE_SID)
if (rs.getString("ace_sid") != null) {
Long aceId = rs.getLong("ace_id");
Sid recipient = createSid(rs.getBoolean("ace_principal"),
rs.getString("ace_sid"));
Sid recipient = createSid(rs.getBoolean("ace_principal"), rs.getString("ace_sid"));
int mask = rs.getInt("mask");
Permission permission = permissionFactory.buildFromMask(mask);
Permission permission = BasicLookupStrategy.this.permissionFactory.buildFromMask(mask);
boolean granting = rs.getBoolean("granting");
boolean auditSuccess = rs.getBoolean("audit_success");
boolean auditFailure = rs.getBoolean("audit_failure");
AccessControlEntryImpl ace = new AccessControlEntryImpl(aceId, acl,
recipient, permission, granting, auditSuccess, auditFailure);
AccessControlEntryImpl ace = new AccessControlEntryImpl(aceId, acl, recipient, permission, granting,
auditSuccess, auditFailure);
// Field acesField = FieldUtils.getField(AclImpl.class, "aces");
List<AccessControlEntryImpl> aces = readAces((AclImpl) acl);
@ -678,47 +612,57 @@ public class BasicLookupStrategy implements LookupStrategy {
}
}
}
}
private static class StubAclParent implements Acl {
private final Long id;
StubAclParent(Long id) {
this.id = id;
}
Long getId() {
return this.id;
}
@Override
public List<AccessControlEntry> getEntries() {
throw new UnsupportedOperationException("Stub only");
}
public Long getId() {
return id;
}
@Override
public ObjectIdentity getObjectIdentity() {
throw new UnsupportedOperationException("Stub only");
}
@Override
public Sid getOwner() {
throw new UnsupportedOperationException("Stub only");
}
@Override
public Acl getParentAcl() {
throw new UnsupportedOperationException("Stub only");
}
@Override
public boolean isEntriesInheriting() {
throw new UnsupportedOperationException("Stub only");
}
public boolean isGranted(List<Permission> permission, List<Sid> sids,
boolean administrativeMode) throws NotFoundException,
UnloadedSidException {
@Override
public boolean isGranted(List<Permission> permission, List<Sid> sids, boolean administrativeMode)
throws NotFoundException, UnloadedSidException {
throw new UnsupportedOperationException("Stub only");
}
@Override
public boolean isSidLoaded(List<Sid> sids) {
throw new UnsupportedOperationException("Stub only");
}
}
}

98
acl/src/main/java/org/springframework/security/acls/jdbc/JdbcAclService.java
View File

@ -13,9 +13,12 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.jdbc;
import java.io.Serializable;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Collections;
import java.util.List;
import java.util.Map;
@ -24,6 +27,7 @@ import javax.sql.DataSource;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.convert.ConversionService;
import org.springframework.jdbc.core.JdbcOperations;
import org.springframework.jdbc.core.JdbcTemplate;
@ -45,34 +49,37 @@ import org.springframework.util.Assert;
* @author Ben Alex
*/
public class JdbcAclService implements AclService {
// ~ Static fields/initializers
// =====================================================================================
protected static final Log log = LogFactory.getLog(JdbcAclService.class);
private static final String DEFAULT_SELECT_ACL_CLASS_COLUMNS = "class.class as class";
private static final String DEFAULT_SELECT_ACL_CLASS_COLUMNS_WITH_ID_TYPE = DEFAULT_SELECT_ACL_CLASS_COLUMNS + ", class.class_id_type as class_id_type";
private static final String DEFAULT_SELECT_ACL_WITH_PARENT_SQL = "select obj.object_id_identity as obj_id, " + DEFAULT_SELECT_ACL_CLASS_COLUMNS
+ " from acl_object_identity obj, acl_object_identity parent, acl_class class "
+ "where obj.parent_object = parent.id and obj.object_id_class = class.id "
+ "and parent.object_id_identity = ? and parent.object_id_class = ("
+ "select id FROM acl_class where acl_class.class = ?)";
private static final String DEFAULT_SELECT_ACL_WITH_PARENT_SQL_WITH_CLASS_ID_TYPE = "select obj.object_id_identity as obj_id, " + DEFAULT_SELECT_ACL_CLASS_COLUMNS_WITH_ID_TYPE
private static final String DEFAULT_SELECT_ACL_CLASS_COLUMNS_WITH_ID_TYPE = DEFAULT_SELECT_ACL_CLASS_COLUMNS
+ ", class.class_id_type as class_id_type";
private static final String DEFAULT_SELECT_ACL_WITH_PARENT_SQL = "select obj.object_id_identity as obj_id, "
+ DEFAULT_SELECT_ACL_CLASS_COLUMNS
+ " from acl_object_identity obj, acl_object_identity parent, acl_class class "
+ "where obj.parent_object = parent.id and obj.object_id_class = class.id "
+ "and parent.object_id_identity = ? and parent.object_id_class = ("
+ "select id FROM acl_class where acl_class.class = ?)";
// ~ Instance fields
// ================================================================================================
private static final String DEFAULT_SELECT_ACL_WITH_PARENT_SQL_WITH_CLASS_ID_TYPE = "select obj.object_id_identity as obj_id, "
+ DEFAULT_SELECT_ACL_CLASS_COLUMNS_WITH_ID_TYPE
+ " from acl_object_identity obj, acl_object_identity parent, acl_class class "
+ "where obj.parent_object = parent.id and obj.object_id_class = class.id "
+ "and parent.object_id_identity = ? and parent.object_id_class = ("
+ "select id FROM acl_class where acl_class.class = ?)";
protected final JdbcOperations jdbcOperations;
private final LookupStrategy lookupStrategy;
private boolean aclClassIdSupported;
private String findChildrenSql = DEFAULT_SELECT_ACL_WITH_PARENT_SQL;
private AclClassIdUtils aclClassIdUtils;
// ~ Constructors
// ===================================================================================================
private final LookupStrategy lookupStrategy;
private boolean aclClassIdSupported;
private String findChildrenSql = DEFAULT_SELECT_ACL_WITH_PARENT_SQL;
private AclClassIdUtils aclClassIdUtils;
public JdbcAclService(DataSource dataSource, LookupStrategy lookupStrategy) {
this(new JdbcTemplate(dataSource), lookupStrategy);
@ -86,64 +93,55 @@ public class JdbcAclService implements AclService {
this.aclClassIdUtils = new AclClassIdUtils();
}
// ~ Methods
// ========================================================================================================
@Override
public List<ObjectIdentity> findChildren(ObjectIdentity parentIdentity) {
Object[] args = { parentIdentity.getIdentifier().toString(), parentIdentity.getType() };
List<ObjectIdentity> objects = jdbcOperations.query(findChildrenSql, args,
(rs, rowNum) -> {
String javaType = rs.getString("class");
Serializable identifier = (Serializable) rs.getObject("obj_id");
identifier = aclClassIdUtils.identifierFrom(identifier, rs);
return new ObjectIdentityImpl(javaType, identifier);
});
if (objects.isEmpty()) {
return null;
}
return objects;
List<ObjectIdentity> objects = this.jdbcOperations.query(this.findChildrenSql, args,
(rs, rowNum) -> mapObjectIdentityRow(rs));
return (!objects.isEmpty()) ? objects : null;
}
public Acl readAclById(ObjectIdentity object, List<Sid> sids)
throws NotFoundException {
private ObjectIdentity mapObjectIdentityRow(ResultSet rs) throws SQLException {
String javaType = rs.getString("class");
Serializable identifier = (Serializable) rs.getObject("obj_id");
identifier = this.aclClassIdUtils.identifierFrom(identifier, rs);
return new ObjectIdentityImpl(javaType, identifier);
}
@Override
public Acl readAclById(ObjectIdentity object, List<Sid> sids) throws NotFoundException {
Map<ObjectIdentity, Acl> map = readAclsById(Collections.singletonList(object), sids);
Assert.isTrue(map.containsKey(object),
() -> "There should have been an Acl entry for ObjectIdentity " + object);
return map.get(object);
}
@Override
public Acl readAclById(ObjectIdentity object) throws NotFoundException {
return readAclById(object, null);
}
public Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects)
throws NotFoundException {
@Override
public Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects) throws NotFoundException {
return readAclsById(objects, null);
}
public Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects,
List<Sid> sids) throws NotFoundException {
Map<ObjectIdentity, Acl> result = lookupStrategy.readAclsById(objects, sids);
@Override
public Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, List<Sid> sids)
throws NotFoundException {
Map<ObjectIdentity, Acl> result = this.lookupStrategy.readAclsById(objects, sids);
// Check every requested object identity was found (throw NotFoundException if
// needed)
for (ObjectIdentity oid : objects) {
if (!result.containsKey(oid)) {
throw new NotFoundException(
"Unable to find ACL information for object identity '" + oid
+ "'");
throw new NotFoundException("Unable to find ACL information for object identity '" + oid + "'");
}
}
return result;
}
/**
* Allows customization of the SQL query used to find child object identities.
*
* @param findChildrenSql
*/
public void setFindChildrenQuery(String findChildrenSql) {
@ -156,7 +154,8 @@ public class JdbcAclService implements AclService {
// Change the default children select if it hasn't been overridden
if (this.findChildrenSql.equals(DEFAULT_SELECT_ACL_WITH_PARENT_SQL)) {
this.findChildrenSql = DEFAULT_SELECT_ACL_WITH_PARENT_SQL_WITH_CLASS_ID_TYPE;
} else {
}
else {
log.debug("Find children statement has already been overridden, so not overridding the default");
}
}
@ -167,6 +166,7 @@ public class JdbcAclService implements AclService {
}
protected boolean isAclClassIdSupported() {
return aclClassIdSupported;
return this.aclClassIdSupported;
}
}

174
acl/src/main/java/org/springframework/security/acls/jdbc/JdbcMutableAclService.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.jdbc;
import java.sql.PreparedStatement;
@ -58,55 +59,58 @@ import org.springframework.util.Assert;
* @author Johannes Zlattinger
*/
public class JdbcMutableAclService extends JdbcAclService implements MutableAclService {
private static final String DEFAULT_INSERT_INTO_ACL_CLASS = "insert into acl_class (class) values (?)";
private static final String DEFAULT_INSERT_INTO_ACL_CLASS_WITH_ID = "insert into acl_class (class, class_id_type) values (?, ?)";
// ~ Instance fields
// ================================================================================================
private boolean foreignKeysInDatabase = true;
private final AclCache aclCache;
private String deleteEntryByObjectIdentityForeignKey = "delete from acl_entry where acl_object_identity=?";
private String deleteObjectIdentityByPrimaryKey = "delete from acl_object_identity where id=?";
private String classIdentityQuery = "call identity()";
private String sidIdentityQuery = "call identity()";
private String insertClass = DEFAULT_INSERT_INTO_ACL_CLASS;
private String insertEntry = "insert into acl_entry "
+ "(acl_object_identity, ace_order, sid, mask, granting, audit_success, audit_failure)"
+ "values (?, ?, ?, ?, ?, ?, ?)";
private String insertObjectIdentity = "insert into acl_object_identity "
+ "(object_id_class, object_id_identity, owner_sid, entries_inheriting) "
+ "values (?, ?, ?, ?)";
+ "(object_id_class, object_id_identity, owner_sid, entries_inheriting) " + "values (?, ?, ?, ?)";
private String insertSid = "insert into acl_sid (principal, sid) values (?, ?)";
private String selectClassPrimaryKey = "select id from acl_class where class=?";
private String selectObjectIdentityPrimaryKey = "select acl_object_identity.id from acl_object_identity, acl_class "
+ "where acl_object_identity.object_id_class = acl_class.id and acl_class.class=? "
+ "and acl_object_identity.object_id_identity = ?";
private String selectSidPrimaryKey = "select id from acl_sid where principal=? and sid=?";
private String updateObjectIdentity = "update acl_object_identity set "
+ "parent_object = ?, owner_sid = ?, entries_inheriting = ?"
+ " where id = ?";
+ "parent_object = ?, owner_sid = ?, entries_inheriting = ?" + " where id = ?";
// ~ Constructors
// ===================================================================================================
public JdbcMutableAclService(DataSource dataSource, LookupStrategy lookupStrategy,
AclCache aclCache) {
public JdbcMutableAclService(DataSource dataSource, LookupStrategy lookupStrategy, AclCache aclCache) {
super(dataSource, lookupStrategy);
Assert.notNull(aclCache, "AclCache required");
this.aclCache = aclCache;
}
// ~ Methods
// ========================================================================================================
public MutableAcl createAcl(ObjectIdentity objectIdentity)
throws AlreadyExistsException {
@Override
public MutableAcl createAcl(ObjectIdentity objectIdentity) throws AlreadyExistsException {
Assert.notNull(objectIdentity, "Object Identity required");
// Check this object identity hasn't already been persisted
if (retrieveObjectIdentityPrimaryKey(objectIdentity) != null) {
throw new AlreadyExistsException("Object identity '" + objectIdentity
+ "' already exists");
throw new AlreadyExistsException("Object identity '" + objectIdentity + "' already exists");
}
// Need to retrieve the current principal, in order to know who "owns" this ACL
@ -128,22 +132,23 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
/**
* Creates a new row in acl_entry for every ACE defined in the passed MutableAcl
* object.
*
* @param acl containing the ACEs to insert
*/
protected void createEntries(final MutableAcl acl) {
if (acl.getEntries().isEmpty()) {
return;
}
jdbcOperations.batchUpdate(insertEntry, new BatchPreparedStatementSetter() {
this.jdbcOperations.batchUpdate(this.insertEntry, new BatchPreparedStatementSetter() {
@Override
public int getBatchSize() {
return acl.getEntries().size();
}
@Override
public void setValues(PreparedStatement stmt, int i) throws SQLException {
AccessControlEntry entry_ = acl.getEntries().get(i);
Assert.isTrue(entry_ instanceof AccessControlEntryImpl,
"Unknown ACE class");
Assert.isTrue(entry_ instanceof AccessControlEntryImpl, "Unknown ACE class");
AccessControlEntryImpl entry = (AccessControlEntryImpl) entry_;
stmt.setLong(1, (Long) acl.getId());
@ -154,6 +159,7 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
stmt.setBoolean(6, entry.isAuditSuccess());
stmt.setBoolean(7, entry.isAuditFailure());
}
});
}
@ -161,7 +167,6 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
* Creates an entry in the acl_object_identity table for the passed ObjectIdentity.
* The Sid is also necessary, as acl_object_identity has defined the sid column as
* non-null.
*
* @param object to represent an acl_object_identity for
* @param owner for the SID column (will be created if there is no acl_sid entry for
* this particular Sid already)
@ -169,22 +174,20 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
protected void createObjectIdentity(ObjectIdentity object, Sid owner) {
Long sidId = createOrRetrieveSidPrimaryKey(owner, true);
Long classId = createOrRetrieveClassPrimaryKey(object.getType(), true, object.getIdentifier().getClass());
jdbcOperations.update(insertObjectIdentity, classId, object.getIdentifier().toString(), sidId,
this.jdbcOperations.update(this.insertObjectIdentity, classId, object.getIdentifier().toString(), sidId,
Boolean.TRUE);
}
/**
* Retrieves the primary key from {@code acl_class}, creating a new row if needed and
* the {@code allowCreate} property is {@code true}.
*
* @param type to find or create an entry for (often the fully-qualified class name)
* @param allowCreate true if creation is permitted if not found
*
* @return the primary key or null if not found
*/
protected Long createOrRetrieveClassPrimaryKey(String type, boolean allowCreate, Class idType) {
List<Long> classIds = jdbcOperations.queryForList(selectClassPrimaryKey,
new Object[] { type }, Long.class);
List<Long> classIds = this.jdbcOperations.queryForList(this.selectClassPrimaryKey, new Object[] { type },
Long.class);
if (!classIds.isEmpty()) {
return classIds.get(0);
@ -192,13 +195,13 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
if (allowCreate) {
if (!isAclClassIdSupported()) {
jdbcOperations.update(insertClass, type);
} else {
jdbcOperations.update(insertClass, type, idType.getCanonicalName());
this.jdbcOperations.update(this.insertClass, type);
}
Assert.isTrue(TransactionSynchronizationManager.isSynchronizationActive(),
"Transaction must be running");
return jdbcOperations.queryForObject(classIdentityQuery, Long.class);
else {
this.jdbcOperations.update(this.insertClass, type, idType.getCanonicalName());
}
Assert.isTrue(TransactionSynchronizationManager.isSynchronizationActive(), "Transaction must be running");
return this.jdbcOperations.queryForObject(this.classIdentityQuery, Long.class);
}
return null;
@ -207,33 +210,23 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
/**
* Retrieves the primary key from acl_sid, creating a new row if needed and the
* allowCreate property is true.
*
* @param sid to find or create
* @param allowCreate true if creation is permitted if not found
*
* @return the primary key or null if not found
*
* @throws IllegalArgumentException if the <tt>Sid</tt> is not a recognized
* implementation.
*/
protected Long createOrRetrieveSidPrimaryKey(Sid sid, boolean allowCreate) {
Assert.notNull(sid, "Sid required");
String sidName;
boolean sidIsPrincipal = true;
if (sid instanceof PrincipalSid) {
sidName = ((PrincipalSid) sid).getPrincipal();
String sidName = ((PrincipalSid) sid).getPrincipal();
return createOrRetrieveSidPrimaryKey(sidName, true, allowCreate);
}
else if (sid instanceof GrantedAuthoritySid) {
sidName = ((GrantedAuthoritySid) sid).getGrantedAuthority();
sidIsPrincipal = false;
if (sid instanceof GrantedAuthoritySid) {
String sidName = ((GrantedAuthoritySid) sid).getGrantedAuthority();
return createOrRetrieveSidPrimaryKey(sidName, false, allowCreate);
}
else {
throw new IllegalArgumentException("Unsupported implementation of Sid");
}
return createOrRetrieveSidPrimaryKey(sidName, sidIsPrincipal, allowCreate);
throw new IllegalArgumentException("Unsupported implementation of Sid");
}
/**
@ -244,32 +237,24 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
* @param allowCreate true if creation is permitted if not found
* @return the primary key or null if not found
*/
protected Long createOrRetrieveSidPrimaryKey(String sidName, boolean sidIsPrincipal,
boolean allowCreate) {
List<Long> sidIds = jdbcOperations.queryForList(selectSidPrimaryKey, new Object[] {
sidIsPrincipal, sidName }, Long.class);
protected Long createOrRetrieveSidPrimaryKey(String sidName, boolean sidIsPrincipal, boolean allowCreate) {
List<Long> sidIds = this.jdbcOperations.queryForList(this.selectSidPrimaryKey,
new Object[] { sidIsPrincipal, sidName }, Long.class);
if (!sidIds.isEmpty()) {
return sidIds.get(0);
}
if (allowCreate) {
jdbcOperations.update(insertSid, sidIsPrincipal, sidName);
Assert.isTrue(TransactionSynchronizationManager.isSynchronizationActive(),
"Transaction must be running");
return jdbcOperations.queryForObject(sidIdentityQuery, Long.class);
this.jdbcOperations.update(this.insertSid, sidIsPrincipal, sidName);
Assert.isTrue(TransactionSynchronizationManager.isSynchronizationActive(), "Transaction must be running");
return this.jdbcOperations.queryForObject(this.sidIdentityQuery, Long.class);
}
return null;
}
public void deleteAcl(ObjectIdentity objectIdentity, boolean deleteChildren)
throws ChildrenExistException {
@Override
public void deleteAcl(ObjectIdentity objectIdentity, boolean deleteChildren) throws ChildrenExistException {
Assert.notNull(objectIdentity, "Object Identity required");
Assert.notNull(objectIdentity.getIdentifier(),
"Object Identity doesn't provide an identifier");
Assert.notNull(objectIdentity.getIdentifier(), "Object Identity doesn't provide an identifier");
if (deleteChildren) {
List<ObjectIdentity> children = findChildren(objectIdentity);
if (children != null) {
@ -279,14 +264,13 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
}
}
else {
if (!foreignKeysInDatabase) {
if (!this.foreignKeysInDatabase) {
// We need to perform a manual verification for what a FK would normally
// do
// We generally don't do this, in the interests of deadlock management
// do. We generally don't do this, in the interests of deadlock management
List<ObjectIdentity> children = findChildren(objectIdentity);
if (children != null) {
throw new ChildrenExistException("Cannot delete '" + objectIdentity
+ "' (has " + children.size() + " children)");
throw new ChildrenExistException(
"Cannot delete '" + objectIdentity + "' (has " + children.size() + " children)");
}
}
}
@ -300,17 +284,16 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
deleteObjectIdentity(oidPrimaryKey);
// Clear the cache
aclCache.evictFromCache(objectIdentity);
this.aclCache.evictFromCache(objectIdentity);
}
/**
* Deletes all ACEs defined in the acl_entry table belonging to the presented
* ObjectIdentity primary key.
*
* @param oidPrimaryKey the rows in acl_entry to delete
*/
protected void deleteEntries(Long oidPrimaryKey) {
jdbcOperations.update(deleteEntryByObjectIdentityForeignKey, oidPrimaryKey);
this.jdbcOperations.update(this.deleteEntryByObjectIdentityForeignKey, oidPrimaryKey);
}
/**
@ -319,27 +302,24 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
* <p>
* We do not delete any entries from acl_class, even if no classes are using that
* class any longer. This is a deadlock avoidance approach.
*
* @param oidPrimaryKey to delete the acl_object_identity
*/
protected void deleteObjectIdentity(Long oidPrimaryKey) {
// Delete the acl_object_identity row
jdbcOperations.update(deleteObjectIdentityByPrimaryKey, oidPrimaryKey);
this.jdbcOperations.update(this.deleteObjectIdentityByPrimaryKey, oidPrimaryKey);
}
/**
* Retrieves the primary key from the acl_object_identity table for the passed
* ObjectIdentity. Unlike some other methods in this implementation, this method will
* NOT create a row (use {@link #createObjectIdentity(ObjectIdentity, Sid)} instead).
*
* @param oid to find
*
* @return the object identity or null if not found
*/
protected Long retrieveObjectIdentityPrimaryKey(ObjectIdentity oid) {
try {
return jdbcOperations.queryForObject(selectObjectIdentityPrimaryKey, Long.class,
oid.getType(), oid.getIdentifier().toString());
return this.jdbcOperations.queryForObject(this.selectObjectIdentityPrimaryKey, Long.class, oid.getType(),
oid.getIdentifier().toString());
}
catch (DataAccessException notFound) {
return null;
@ -352,6 +332,7 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
* dirty state checking, or more likely use ORM capabilities for create, update and
* delete operations of {@link MutableAcl}.
*/
@Override
public MutableAcl updateAcl(MutableAcl acl) throws NotFoundException {
Assert.notNull(acl.getId(), "Object Identity doesn't provide an identifier");
@ -380,37 +361,28 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
clearCacheIncludingChildren(child);
}
}
aclCache.evictFromCache(objectIdentity);
this.aclCache.evictFromCache(objectIdentity);
}
/**
* Updates an existing acl_object_identity row, with new information presented in the
* passed MutableAcl object. Also will create an acl_sid entry if needed for the Sid
* that owns the MutableAcl.
*
* @param acl to modify (a row must already exist in acl_object_identity)
*
* @throws NotFoundException if the ACL could not be found to update.
*/
protected void updateObjectIdentity(MutableAcl acl) {
Long parentId = null;
if (acl.getParentAcl() != null) {
Assert.isInstanceOf(ObjectIdentityImpl.class, acl.getParentAcl()
.getObjectIdentity(),
Assert.isInstanceOf(ObjectIdentityImpl.class, acl.getParentAcl().getObjectIdentity(),
"Implementation only supports ObjectIdentityImpl");
ObjectIdentityImpl oii = (ObjectIdentityImpl) acl.getParentAcl()
.getObjectIdentity();
ObjectIdentityImpl oii = (ObjectIdentityImpl) acl.getParentAcl().getObjectIdentity();
parentId = retrieveObjectIdentityPrimaryKey(oii);
}
Assert.notNull(acl.getOwner(), "Owner is required in this implementation");
Long ownerSid = createOrRetrieveSidPrimaryKey(acl.getOwner(), true);
int count = jdbcOperations.update(updateObjectIdentity, parentId, ownerSid,
acl.isEntriesInheriting(), acl.getId());
int count = this.jdbcOperations.update(this.updateObjectIdentity, parentId, ownerSid, acl.isEntriesInheriting(),
acl.getId());
if (count != 1) {
throw new NotFoundException("Unable to locate ACL to update");
}
@ -419,7 +391,6 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
/**
* Sets the query that will be used to retrieve the identity of a newly created row in
* the <tt>acl_class</tt> table.
*
* @param classIdentityQuery the query, which should return the identifier. Defaults
* to <tt>call identity()</tt>
*/
@ -431,7 +402,6 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
/**
* Sets the query that will be used to retrieve the identity of a newly created row in
* the <tt>acl_sid</tt> table.
*
* @param sidIdentityQuery the query, which should return the identifier. Defaults to
* <tt>call identity()</tt>
*/
@ -440,13 +410,11 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
this.sidIdentityQuery = sidIdentityQuery;
}
public void setDeleteEntryByObjectIdentityForeignKeySql(
String deleteEntryByObjectIdentityForeignKey) {
public void setDeleteEntryByObjectIdentityForeignKeySql(String deleteEntryByObjectIdentityForeignKey) {
this.deleteEntryByObjectIdentityForeignKey = deleteEntryByObjectIdentityForeignKey;
}
public void setDeleteObjectIdentityByPrimaryKeySql(
String deleteObjectIdentityByPrimaryKey) {
public void setDeleteObjectIdentityByPrimaryKeySql(String deleteObjectIdentityByPrimaryKey) {
this.deleteObjectIdentityByPrimaryKey = deleteObjectIdentityByPrimaryKey;
}
@ -498,9 +466,11 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
// Change the default insert if it hasn't been overridden
if (this.insertClass.equals(DEFAULT_INSERT_INTO_ACL_CLASS)) {
this.insertClass = DEFAULT_INSERT_INTO_ACL_CLASS_WITH_ID;
} else {
}
else {
log.debug("Insert class statement has already been overridden, so not overridding the default");
}
}
}
}

12
acl/src/main/java/org/springframework/security/acls/jdbc/LookupStrategy.java
View File

@ -13,32 +13,29 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.jdbc;
import java.util.List;
import java.util.Map;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Sid;
import java.util.List;
import java.util.Map;
/**
* Performs lookups for {@link org.springframework.security.acls.model.AclService}.
*
* @author Ben Alex
*/
public interface LookupStrategy {
// ~ Methods
// ========================================================================================================
/**
* Perform database-specific optimized lookup.
*
* @param objects the identities to lookup (required)
* @param sids the SIDs for which identities are required (may be <tt>null</tt> -
* implementations may elect not to provide SID optimisations)
*
* @return a <tt>Map</tt> where keys represent the {@link ObjectIdentity} of the
* located {@link Acl} and values are the located {@link Acl} (never <tt>null</tt>
* although some entries may be missing; this method should not throw
@ -46,4 +43,5 @@ public interface LookupStrategy {
* automatically create entries if required)
*/
Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, List<Sid> sids);
}

2
acl/src/main/java/org/springframework/security/acls/jdbc/package-info.java
View File

@ -13,8 +13,8 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
* JDBC-based persistence of ACL information
*/
package org.springframework.security.acls.jdbc;

11
acl/src/main/java/org/springframework/security/acls/model/AccessControlEntry.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.model;
import java.io.Serializable;
@ -26,17 +27,13 @@ import java.io.Serializable;
* </p>
*
* @author Ben Alex
*
*/
public interface AccessControlEntry extends Serializable {
// ~ Methods
// ========================================================================================================
Acl getAcl();
/**
* Obtains an identifier that represents this ACE.
*
* @return the identifier, or <code>null</code> if unsaved
*/
Serializable getId();
@ -46,10 +43,10 @@ public interface AccessControlEntry extends Serializable {
Sid getSid();
/**
* Indicates the permission is being granted to the relevant Sid. If false,
* indicates the permission is being revoked/blocked.
*
* Indicates the permission is being granted to the relevant Sid. If false, indicates
* the permission is being revoked/blocked.
* @return true if being granted, false otherwise
*/
boolean isGranting();
}

16
acl/src/main/java/org/springframework/security/acls/model/Acl.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.model;
import java.io.Serializable;
@ -63,7 +64,6 @@ public interface Acl extends Serializable {
* subset of <tt>Sid</tt>s. The caller is responsible for correctly handling the
* result if only a subset of <tt>Sid</tt>s is represented.
* </p>
*
* @return the list of entries represented by the <tt>Acl</tt>, or <tt>null</tt> if
* there are no entries presently associated with this <tt>Acl</tt>.
*/
@ -72,7 +72,6 @@ public interface Acl extends Serializable {
/**
* Obtains the domain object this <tt>Acl</tt> provides entries for. This is immutable
* once an <tt>Acl</tt> is created.
*
* @return the object identity (never <tt>null</tt>)
*/
ObjectIdentity getObjectIdentity();
@ -80,7 +79,6 @@ public interface Acl extends Serializable {
/**
* Determines the owner of the <tt>Acl</tt>. The meaning of ownership varies by
* implementation and is unspecified.
*
* @return the owner (may be <tt>null</tt> if the implementation does not use
* ownership concepts)
*/
@ -102,7 +100,6 @@ public interface Acl extends Serializable {
* subset of <tt>Sid</tt>s. The caller is responsible for correctly handling the
* result if only a subset of <tt>Sid</tt>s is represented.
* </p>
*
* @return the parent <tt>Acl</tt> (may be <tt>null</tt> if this <tt>Acl</tt> does not
* have a parent)
*/
@ -118,7 +115,6 @@ public interface Acl extends Serializable {
* parent for navigation purposes. Thus, this method denotes whether or not the
* navigation relationship also extends to the actual inheritance of entries.
* </p>
*
* @return <tt>true</tt> if parent ACL entries inherit into the current <tt>Acl</tt>
*/
boolean isEntriesInheriting();
@ -158,7 +154,6 @@ public interface Acl extends Serializable {
* authorization decision for a {@link Sid} that was never loaded in this <tt>Acl</tt>
* .
* </p>
*
* @param permission the permission or permissions required (at least one entry
* required)
* @param sids the security identities held by the principal (at least one entry
@ -166,17 +161,15 @@ public interface Acl extends Serializable {
* @param administrativeMode if <tt>true</tt> denotes the query is for administrative
* purposes and no logging or auditing (if supported by the implementation) should be
* undertaken
*
* @return <tt>true</tt> if authorization is granted
*
* @throws NotFoundException MUST be thrown if an implementation cannot make an
* authoritative authorization decision, usually because there is no ACL information
* for this particular permission and/or SID
* @throws UnloadedSidException thrown if the <tt>Acl</tt> does not have details for
* one or more of the <tt>Sid</tt>s passed as arguments
*/
boolean isGranted(List<Permission> permission, List<Sid> sids,
boolean administrativeMode) throws NotFoundException, UnloadedSidException;
boolean isGranted(List<Permission> permission, List<Sid> sids, boolean administrativeMode)
throws NotFoundException, UnloadedSidException;
/**
* For efficiency reasons an <tt>Acl</tt> may be loaded and <em>not</em> contain
@ -191,12 +184,11 @@ public interface Acl extends Serializable {
* all <tt>Sid</tt>s. This method denotes whether or not the specified <tt>Sid</tt>s
* have been loaded or not.
* </p>
*
* @param sids one or more security identities the caller is interest in knowing
* whether this <tt>Sid</tt> supports
*
* @return <tt>true</tt> if every passed <tt>Sid</tt> is represented by this
* <tt>Acl</tt> instance
*/
boolean isSidLoaded(List<Sid> sids);
}

9
acl/src/main/java/org/springframework/security/acls/model/AclCache.java
View File

@ -13,21 +13,19 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.model;
import org.springframework.security.acls.jdbc.JdbcAclService;
import java.io.Serializable;
import org.springframework.security.acls.jdbc.JdbcAclService;
/**
* A caching layer for {@link JdbcAclService}.
*
* @author Ben Alex
*
*/
public interface AclCache {
// ~ Methods
// ========================================================================================================
void evictFromCache(Serializable pk);
@ -40,4 +38,5 @@ public interface AclCache {
void putInCache(MutableAcl acl);
void clearCache();
}

4
acl/src/main/java/org/springframework/security/acls/model/AclDataAccessException.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.model;
/**
@ -26,7 +27,6 @@ public abstract class AclDataAccessException extends RuntimeException {
/**
* Constructs an <code>AclDataAccessException</code> with the specified message and
* root cause.
*
* @param msg the detail message
* @param cause the root cause
*/
@ -37,10 +37,10 @@ public abstract class AclDataAccessException extends RuntimeException {
/**
* Constructs an <code>AclDataAccessException</code> with the specified message and no
* root cause.
*
* @param msg the detail message
*/
public AclDataAccessException(String msg) {
super(msg);
}
}

24
acl/src/main/java/org/springframework/security/acls/model/AclService.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.model;
import java.util.List;
@ -24,15 +25,11 @@ import java.util.Map;
* @author Ben Alex
*/
public interface AclService {
// ~ Methods
// ========================================================================================================
/**
* Locates all object identities that use the specified parent. This is useful for
* administration tools.
*
* @param parentIdentity to locate children of
*
* @return the children (or <tt>null</tt> if none were found)
*/
List<ObjectIdentity> findChildren(ObjectIdentity parentIdentity);
@ -44,12 +41,9 @@ public interface AclService {
* implementation's potential ability to filter <tt>Acl</tt> entries based on a
* {@link Sid} parameter.
* </p>
*
* @param object to locate an {@link Acl} for
*
* @return the {@link Acl} for the requested {@link ObjectIdentity} (never
* <tt>null</tt>)
*
* @throws NotFoundException if an {@link Acl} was not found for the requested
* {@link ObjectIdentity}
*/
@ -57,14 +51,11 @@ public interface AclService {
/**
* Same as {@link #readAclsById(List, List)} except it returns only a single Acl.
*
* @param object to locate an {@link Acl} for
* @param sids the security identities for which {@link Acl} information is required
* (may be <tt>null</tt> to denote all entries)
*
* @return the {@link Acl} for the requested {@link ObjectIdentity} (never
* <tt>null</tt>)
*
* @throws NotFoundException if an {@link Acl} was not found for the requested
* {@link ObjectIdentity}
*/
@ -76,17 +67,13 @@ public interface AclService {
* The returned map is keyed on the passed objects, with the values being the
* <tt>Acl</tt> instances. Any unknown objects will not have a map key.
* </p>
*
* @param objects the objects to find {@link Acl} information for
*
* @return a map with exactly one element for each {@link ObjectIdentity} passed as an
* argument (never <tt>null</tt>)
*
* @throws NotFoundException if an {@link Acl} was not found for each requested
* {@link ObjectIdentity}
*/
Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects)
throws NotFoundException;
Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects) throws NotFoundException;
/**
* Obtains all the <tt>Acl</tt>s that apply for the passed <tt>Object</tt>s, but only
@ -103,17 +90,14 @@ public interface AclService {
* <tt>Acl</tt> instances. Any unknown objects (or objects for which the interested
* <tt>Sid</tt>s do not have entries) will not have a map key.
* </p>
*
* @param objects the objects to find {@link Acl} information for
* @param sids the security identities for which {@link Acl} information is required
* (may be <tt>null</tt> to denote all entries)
*
* @return a map with exactly one element for each {@link ObjectIdentity} passed as an
* argument (never <tt>null</tt>)
*
* @throws NotFoundException if an {@link Acl} was not found for each requested
* {@link ObjectIdentity}
*/
Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, List<Sid> sids)
throws NotFoundException;
Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, List<Sid> sids) throws NotFoundException;
}

12
acl/src/main/java/org/springframework/security/acls/model/AlreadyExistsException.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.model;
/**
@ -21,12 +22,9 @@ package org.springframework.security.acls.model;
* @author Ben Alex
*/
public class AlreadyExistsException extends AclDataAccessException {
// ~ Constructors
// ===================================================================================================
/**
* Constructs an <code>AlreadyExistsException</code> with the specified message.
*
* @param msg the detail message
*/
public AlreadyExistsException(String msg) {
@ -36,11 +34,11 @@ public class AlreadyExistsException extends AclDataAccessException {
/**
* Constructs an <code>AlreadyExistsException</code> with the specified message and
* root cause.
*
* @param msg the detail message
* @param t root cause
* @param cause root cause
*/
public AlreadyExistsException(String msg, Throwable t) {
super(msg, t);
public AlreadyExistsException(String msg, Throwable cause) {
super(msg, cause);
}
}

5
acl/src/main/java/org/springframework/security/acls/model/AuditableAccessControlEntry.java
View File

@ -13,19 +13,18 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.model;
/**
* Represents an ACE that provides auditing information.
*
* @author Ben Alex
*
*/
public interface AuditableAccessControlEntry extends AccessControlEntry {
// ~ Methods
// ========================================================================================================
boolean isAuditFailure();
boolean isAuditSuccess();
}

5
acl/src/main/java/org/springframework/security/acls/model/AuditableAcl.java
View File

@ -13,17 +13,16 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.model;
/**
* A mutable ACL that provides audit capabilities.
*
* @author Ben Alex
*
*/
public interface AuditableAcl extends MutableAcl {
// ~ Methods
// ========================================================================================================
void updateAuditing(int aceIndex, boolean auditSuccess, boolean auditFailure);
}

12
acl/src/main/java/org/springframework/security/acls/model/ChildrenExistException.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.model;
/**
@ -21,12 +22,9 @@ package org.springframework.security.acls.model;
* @author Ben Alex
*/
public class ChildrenExistException extends AclDataAccessException {
// ~ Constructors
// ===================================================================================================
/**
* Constructs an <code>ChildrenExistException</code> with the specified message.
*
* @param msg the detail message
*/
public ChildrenExistException(String msg) {
@ -36,11 +34,11 @@ public class ChildrenExistException extends AclDataAccessException {
/**
* Constructs an <code>ChildrenExistException</code> with the specified message and
* root cause.
*
* @param msg the detail message
* @param t root cause
* @param cause root cause
*/
public ChildrenExistException(String msg, Throwable t) {
super(msg, t);
public ChildrenExistException(String msg, Throwable cause) {
super(msg, cause);
}
}

11
acl/src/main/java/org/springframework/security/acls/model/MutableAcl.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.model;
import java.io.Serializable;
@ -26,41 +27,35 @@ import java.io.Serializable;
* @author Ben Alex
*/
public interface MutableAcl extends Acl {
// ~ Methods
// ========================================================================================================
void deleteAce(int aceIndex) throws NotFoundException;
/**
* Obtains an identifier that represents this <tt>MutableAcl</tt>.
*
* @return the identifier, or <tt>null</tt> if unsaved
*/
Serializable getId();
void insertAce(int atIndexLocation, Permission permission, Sid sid, boolean granting)
throws NotFoundException;
void insertAce(int atIndexLocation, Permission permission, Sid sid, boolean granting) throws NotFoundException;
/**
* Changes the present owner to a different owner.
*
* @param newOwner the new owner (mandatory; cannot be null)
*/
void setOwner(Sid newOwner);
/**
* Change the value returned by {@link Acl#isEntriesInheriting()}.
*
* @param entriesInheriting the new value
*/
void setEntriesInheriting(boolean entriesInheriting);
/**
* Changes the parent of this ACL.
*
* @param newParent the new parent
*/
void setParent(Acl newParent);
void updateAce(int aceIndex, Permission permission) throws NotFoundException;
}

14
acl/src/main/java/org/springframework/security/acls/model/MutableAclService.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.model;
/**
@ -21,41 +22,32 @@ package org.springframework.security.acls.model;
* @author Ben Alex
*/
public interface MutableAclService extends AclService {
// ~ Methods
// ========================================================================================================
/**
* Creates an empty <code>Acl</code> object in the database. It will have no entries.
* The returned object will then be used to add entries.
*
* @param objectIdentity the object identity to create
*
* @return an ACL object with its ID set
*
* @throws AlreadyExistsException if the passed object identity already has a record
*/
MutableAcl createAcl(ObjectIdentity objectIdentity) throws AlreadyExistsException;
/**
* Removes the specified entry from the database.
*
* @param objectIdentity the object identity to remove
* @param deleteChildren whether to cascade the delete to children
*
* @throws ChildrenExistException if the deleteChildren argument was
* <code>false</code> but children exist
*/
void deleteAcl(ObjectIdentity objectIdentity, boolean deleteChildren)
throws ChildrenExistException;
void deleteAcl(ObjectIdentity objectIdentity, boolean deleteChildren) throws ChildrenExistException;
/**
* Changes an existing <code>Acl</code> in the database.
*
* @param acl to modify
*
* @throws NotFoundException if the relevant record could not be found (did you
* remember to use {@link #createAcl(ObjectIdentity)} to create the object, rather
* than creating it with the <code>new</code> keyword?)
*/
MutableAcl updateAcl(MutableAcl acl) throws NotFoundException;
}

12
acl/src/main/java/org/springframework/security/acls/model/NotFoundException.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.model;
/**
@ -21,12 +22,9 @@ package org.springframework.security.acls.model;
* @author Ben Alex
*/
public class NotFoundException extends AclDataAccessException {
// ~ Constructors
// ===================================================================================================
/**
* Constructs an <code>NotFoundException</code> with the specified message.
*
* @param msg the detail message
*/
public NotFoundException(String msg) {
@ -36,11 +34,11 @@ public class NotFoundException extends AclDataAccessException {
/**
* Constructs an <code>NotFoundException</code> with the specified message and root
* cause.
*
* @param msg the detail message
* @param t root cause
* @param cause root cause
*/
public NotFoundException(String msg, Throwable t) {
super(msg, t);
public NotFoundException(String msg, Throwable cause) {
super(msg, cause);
}
}

9
acl/src/main/java/org/springframework/security/acls/model/ObjectIdentity.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.model;
import java.io.Serializable;
@ -32,15 +33,13 @@ import java.io.Serializable;
* @author Ben Alex
*/
public interface ObjectIdentity extends Serializable {
// ~ Methods
// ========================================================================================================
/**
* @param obj to be compared
*
* @return <tt>true</tt> if the objects are equal, <tt>false</tt> otherwise
* @see Object#equals(Object)
*/
@Override
boolean equals(Object obj);
/**
@ -53,7 +52,6 @@ public interface ObjectIdentity extends Serializable {
* identifier with business meaning, as that business meaning may change in the future
* such change will cascade to the ACL subsystem data.
* </p>
*
* @return the identifier (unique within this <tt>type</tt>; never <tt>null</tt>)
*/
Serializable getIdentifier();
@ -62,7 +60,6 @@ public interface ObjectIdentity extends Serializable {
* Obtains the "type" metadata for the domain object. This will often be a Java type
* name (an interface or a class) &ndash; traditionally it is the name of the domain
* object implementation class.
*
* @return the "type" of the domain object (never <tt>null</tt>).
*/
String getType();
@ -71,5 +68,7 @@ public interface ObjectIdentity extends Serializable {
* @return a hash code representation of the <tt>ObjectIdentity</tt>
* @see Object#hashCode()
*/
@Override
int hashCode();
}

2
acl/src/main/java/org/springframework/security/acls/model/ObjectIdentityGenerator.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.model;
import java.io.Serializable;
@ -30,7 +31,6 @@ import java.io.Serializable;
public interface ObjectIdentityGenerator {
/**
*
* @param id the identifier of the domain object, not null
* @param type the type of the object (often a class name), not null
* @return the identity constructed using the supplied identifier and type

4
acl/src/main/java/org/springframework/security/acls/model/ObjectIdentityRetrievalStrategy.java
View File

@ -21,11 +21,9 @@ package org.springframework.security.acls.model;
* will be returned for a particular domain object
*
* @author Ben Alex
*
*/
public interface ObjectIdentityRetrievalStrategy {
// ~ Methods
// ========================================================================================================
ObjectIdentity getObjectIdentity(Object domainObject);
}

5
acl/src/main/java/org/springframework/security/acls/model/OwnershipAcl.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.model;
/**
@ -25,8 +26,8 @@ package org.springframework.security.acls.model;
* @author Ben Alex
*/
public interface OwnershipAcl extends MutableAcl {
// ~ Methods
// ========================================================================================================
@Override
void setOwner(Sid newOwner);
}

13
acl/src/main/java/org/springframework/security/acls/model/Permission.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.model;
import java.io.Serializable;
@ -23,19 +24,15 @@ import java.io.Serializable;
* @author Ben Alex
*/
public interface Permission extends Serializable {
// ~ Static fields/initializers
// =====================================================================================
char RESERVED_ON = '~';
char RESERVED_OFF = '.';
String THIRTY_TWO_RESERVED_OFF = "................................";
// ~ Methods
// ========================================================================================================
char RESERVED_OFF = '.';
String THIRTY_TWO_RESERVED_OFF = "................................";
/**
* Returns the bits that represents the permission.
*
* @return the bits that represent the permission
*/
int getMask();
@ -56,8 +53,8 @@ public interface Permission extends Serializable {
* This method is only used for user interface and logging purposes. It is not used in
* any permission calculations. Therefore, duplication of characters within the output
* is permitted.
*
* @return a 32-character bit pattern
*/
String getPattern();
}

8
acl/src/main/java/org/springframework/security/acls/model/PermissionGrantingStrategy.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.model;
import java.util.List;
@ -27,10 +28,9 @@ import java.util.List;
public interface PermissionGrantingStrategy {
/**
* Returns true if the supplied strategy decides that the supplied {@code Acl}
* grants access based on the supplied list of permissions and sids.
* Returns true if the supplied strategy decides that the supplied {@code Acl} grants
* access based on the supplied list of permissions and sids.
*/
boolean isGranted(Acl acl, List<Permission> permission, List<Sid> sids,
boolean administrativeMode);
boolean isGranted(Acl acl, List<Permission> permission, List<Sid> sids, boolean administrativeMode);
}

9
acl/src/main/java/org/springframework/security/acls/model/Sid.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.model;
import java.io.Serializable;
@ -31,24 +32,22 @@ import java.io.Serializable;
* @author Ben Alex
*/
public interface Sid extends Serializable {
// ~ Methods
// ========================================================================================================
/**
* Refer to the <code>java.lang.Object</code> documentation for the interface
* contract.
*
* @param obj to be compared
*
* @return <code>true</code> if the objects are equal, <code>false</code> otherwise
*/
@Override
boolean equals(Object obj);
/**
* Refer to the <code>java.lang.Object</code> documentation for the interface
* contract.
*
* @return a hash code representation of this object
*/
@Override
int hashCode();
}

3
acl/src/main/java/org/springframework/security/acls/model/SidRetrievalStrategy.java
View File

@ -27,8 +27,7 @@ import org.springframework.security.core.Authentication;
* @author Ben Alex
*/
public interface SidRetrievalStrategy {
// ~ Methods
// ========================================================================================================
List<Sid> getSids(Authentication authentication);
}

12
acl/src/main/java/org/springframework/security/acls/model/UnloadedSidException.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.model;
/**
@ -23,12 +24,9 @@ package org.springframework.security.acls.model;
* @author Ben Alex
*/
public class UnloadedSidException extends AclDataAccessException {
// ~ Constructors
// ===================================================================================================
/**
* Constructs an <code>NotFoundException</code> with the specified message.
*
* @param msg the detail message
*/
public UnloadedSidException(String msg) {
@ -38,11 +36,11 @@ public class UnloadedSidException extends AclDataAccessException {
/**
* Constructs an <code>NotFoundException</code> with the specified message and root
* cause.
*
* @param msg the detail message
* @param t root cause
* @param cause root cause
*/
public UnloadedSidException(String msg, Throwable t) {
super(msg, t);
public UnloadedSidException(String msg, Throwable cause) {
super(msg, cause);
}
}

5
acl/src/main/java/org/springframework/security/acls/model/package-info.java
View File

@ -13,8 +13,9 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
* Interfaces and shared classes to manage access control lists (ACLs) for domain object instances.
* Interfaces and shared classes to manage access control lists (ACLs) for domain object
* instances.
*/
package org.springframework.security.acls.model;

13
acl/src/main/java/org/springframework/security/acls/package-info.java
View File

@ -13,12 +13,15 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
* The Spring Security ACL package which implements instance-based security for domain objects.
* The Spring Security ACL package which implements instance-based security for domain
* objects.
* <p>
* Consider using the annotation based approach ({@code @PreAuthorize}, {@code @PostFilter} annotations) combined
* with a {@link org.springframework.security.acls.AclPermissionEvaluator} in preference to the older and more verbose
* attribute/voter/after-invocation approach from versions before Spring Security 3.0.
* Consider using the annotation based approach ({@code @PreAuthorize},
* {@code @PostFilter} annotations) combined with a
* {@link org.springframework.security.acls.AclPermissionEvaluator} in preference to the
* older and more verbose attribute/voter/after-invocation approach from versions before
* Spring Security 3.0.
*/
package org.springframework.security.acls;

55
acl/src/test/java/org/springframework/security/acls/AclFormattingUtilsTests.java
View File

@ -13,15 +13,17 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls;
import org.junit.Test;
import org.springframework.security.acls.domain.AclFormattingUtils;
import org.springframework.security.acls.model.Permission;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.fail;
import org.junit.Test;
import org.springframework.security.acls.domain.AclFormattingUtils;
import org.springframework.security.acls.model.Permission;
/**
* Tests for {@link AclFormattingUtils}.
*
@ -29,8 +31,6 @@ import org.springframework.security.acls.model.Permission;
*/
public class AclFormattingUtilsTests {
// ~ Methods
// ========================================================================================================
@Test
public final void testDemergePatternsParametersConstraints() {
try {
@ -39,21 +39,18 @@ public class AclFormattingUtilsTests {
}
catch (IllegalArgumentException expected) {
}
try {
AclFormattingUtils.demergePatterns("SOME STRING", null);
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
}
try {
AclFormattingUtils.demergePatterns("SOME STRING", "LONGER SOME STRING");
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
}
try {
AclFormattingUtils.demergePatterns("SOME STRING", "SAME LENGTH");
}
@ -66,13 +63,10 @@ public class AclFormattingUtilsTests {
public final void testDemergePatterns() {
String original = "...........................A...R";
String removeBits = "...............................R";
assertThat(AclFormattingUtils.demergePatterns(original, removeBits)).isEqualTo(
"...........................A....");
assertThat(AclFormattingUtils.demergePatterns("ABCDEF", "......")).isEqualTo(
"ABCDEF");
assertThat(AclFormattingUtils.demergePatterns("ABCDEF", "GHIJKL")).isEqualTo(
"......");
assertThat(AclFormattingUtils.demergePatterns(original, removeBits))
.isEqualTo("...........................A....");
assertThat(AclFormattingUtils.demergePatterns("ABCDEF", "......")).isEqualTo("ABCDEF");
assertThat(AclFormattingUtils.demergePatterns("ABCDEF", "GHIJKL")).isEqualTo("......");
}
@Test
@ -83,21 +77,18 @@ public class AclFormattingUtilsTests {
}
catch (IllegalArgumentException expected) {
}
try {
AclFormattingUtils.mergePatterns("SOME STRING", null);
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
}
try {
AclFormattingUtils.mergePatterns("SOME STRING", "LONGER SOME STRING");
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
}
try {
AclFormattingUtils.mergePatterns("SOME STRING", "SAME LENGTH");
}
@ -109,47 +100,37 @@ public class AclFormattingUtilsTests {
public final void testMergePatterns() {
String original = "...............................R";
String extraBits = "...........................A....";
assertThat(AclFormattingUtils.mergePatterns(original, extraBits)).isEqualTo(
"...........................A...R");
assertThat(AclFormattingUtils.mergePatterns("ABCDEF", "......")).isEqualTo(
"ABCDEF");
assertThat(AclFormattingUtils.mergePatterns("ABCDEF", "GHIJKL")).isEqualTo(
"GHIJKL");
assertThat(AclFormattingUtils.mergePatterns(original, extraBits)).isEqualTo("...........................A...R");
assertThat(AclFormattingUtils.mergePatterns("ABCDEF", "......")).isEqualTo("ABCDEF");
assertThat(AclFormattingUtils.mergePatterns("ABCDEF", "GHIJKL")).isEqualTo("GHIJKL");
}
@Test
public final void testBinaryPrints() {
assertThat(AclFormattingUtils.printBinary(15)).isEqualTo(
"............................****");
assertThat(AclFormattingUtils.printBinary(15)).isEqualTo("............................****");
try {
AclFormattingUtils.printBinary(15, Permission.RESERVED_ON);
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException notExpected) {
}
try {
AclFormattingUtils.printBinary(15, Permission.RESERVED_OFF);
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException notExpected) {
}
assertThat(AclFormattingUtils.printBinary(15, 'x')).isEqualTo(
"............................xxxx");
assertThat(AclFormattingUtils.printBinary(15, 'x')).isEqualTo("............................xxxx");
}
@Test
public void testPrintBinaryNegative() {
assertThat(AclFormattingUtils.printBinary(0x80000000)).isEqualTo(
"*...............................");
assertThat(AclFormattingUtils.printBinary(0x80000000)).isEqualTo("*...............................");
}
@Test
public void testPrintBinaryMinusOne() {
assertThat(AclFormattingUtils.printBinary(0xffffffff)).isEqualTo(
"********************************");
assertThat(AclFormattingUtils.printBinary(0xffffffff)).isEqualTo("********************************");
}
}

26
acl/src/test/java/org/springframework/security/acls/AclPermissionCacheOptimizerTests.java
View File

@ -13,11 +13,15 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls;
import static org.mockito.Mockito.*;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import org.junit.Test;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.model.AclService;
import org.springframework.security.acls.model.ObjectIdentity;
@ -25,9 +29,12 @@ import org.springframework.security.acls.model.ObjectIdentityRetrievalStrategy;
import org.springframework.security.acls.model.SidRetrievalStrategy;
import org.springframework.security.core.Authentication;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyZeroInteractions;
/**
* @author Luke Taylor
@ -44,13 +51,10 @@ public class AclPermissionCacheOptimizerTests {
pco.setObjectIdentityRetrievalStrategy(oidStrat);
pco.setSidRetrievalStrategy(sidStrat);
Object[] dos = { new Object(), null, new Object() };
ObjectIdentity[] oids = { new ObjectIdentityImpl("A", "1"),
new ObjectIdentityImpl("A", "2") };
when(oidStrat.getObjectIdentity(dos[0])).thenReturn(oids[0]);
when(oidStrat.getObjectIdentity(dos[2])).thenReturn(oids[1]);
ObjectIdentity[] oids = { new ObjectIdentityImpl("A", "1"), new ObjectIdentityImpl("A", "2") };
given(oidStrat.getObjectIdentity(dos[0])).willReturn(oids[0]);
given(oidStrat.getObjectIdentity(dos[2])).willReturn(oids[1]);
pco.cachePermissionsFor(mock(Authentication.class), Arrays.asList(dos));
// AclService should be invoked with the list of required Oids
verify(service).readAclsById(eq(Arrays.asList(oids)), any(List.class));
}
@ -63,9 +67,7 @@ public class AclPermissionCacheOptimizerTests {
SidRetrievalStrategy sids = mock(SidRetrievalStrategy.class);
pco.setObjectIdentityRetrievalStrategy(oids);
pco.setSidRetrievalStrategy(sids);
pco.cachePermissionsFor(mock(Authentication.class), Collections.emptyList());
verifyZeroInteractions(service, sids, oids);
}

33
acl/src/test/java/org/springframework/security/acls/AclPermissionEvaluatorTests.java
View File

@ -13,15 +13,13 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls;
import static org.assertj.core.api.Assertions.*;
import static org.mockito.Mockito.*;
import java.util.Locale;
import org.junit.Test;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.AclService;
import org.springframework.security.acls.model.ObjectIdentity;
@ -29,8 +27,14 @@ import org.springframework.security.acls.model.ObjectIdentityRetrievalStrategy;
import org.springframework.security.acls.model.SidRetrievalStrategy;
import org.springframework.security.core.Authentication;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyList;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock;
/**
*
* @author Luke Taylor
* @since 3.0
*/
@ -42,14 +46,12 @@ public class AclPermissionEvaluatorTests {
AclPermissionEvaluator pe = new AclPermissionEvaluator(service);
ObjectIdentity oid = mock(ObjectIdentity.class);
ObjectIdentityRetrievalStrategy oidStrategy = mock(ObjectIdentityRetrievalStrategy.class);
when(oidStrategy.getObjectIdentity(any(Object.class))).thenReturn(oid);
given(oidStrategy.getObjectIdentity(any(Object.class))).willReturn(oid);
pe.setObjectIdentityRetrievalStrategy(oidStrategy);
pe.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class));
Acl acl = mock(Acl.class);
when(service.readAclById(any(ObjectIdentity.class), anyList())).thenReturn(acl);
when(acl.isGranted(anyList(), anyList(), eq(false))).thenReturn(true);
given(service.readAclById(any(ObjectIdentity.class), anyList())).willReturn(acl);
given(acl.isGranted(anyList(), anyList(), eq(false))).willReturn(true);
assertThat(pe.hasPermission(mock(Authentication.class), new Object(), "READ")).isTrue();
}
@ -57,21 +59,18 @@ public class AclPermissionEvaluatorTests {
public void resolvePermissionNonEnglishLocale() {
Locale systemLocale = Locale.getDefault();
Locale.setDefault(new Locale("tr"));
AclService service = mock(AclService.class);
AclPermissionEvaluator pe = new AclPermissionEvaluator(service);
ObjectIdentity oid = mock(ObjectIdentity.class);
ObjectIdentityRetrievalStrategy oidStrategy = mock(ObjectIdentityRetrievalStrategy.class);
when(oidStrategy.getObjectIdentity(any(Object.class))).thenReturn(oid);
given(oidStrategy.getObjectIdentity(any(Object.class))).willReturn(oid);
pe.setObjectIdentityRetrievalStrategy(oidStrategy);
pe.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class));
Acl acl = mock(Acl.class);
when(service.readAclById(any(ObjectIdentity.class), anyList())).thenReturn(acl);
when(acl.isGranted(anyList(), anyList(), eq(false))).thenReturn(true);
given(service.readAclById(any(ObjectIdentity.class), anyList())).willReturn(acl);
given(acl.isGranted(anyList(), anyList(), eq(false))).willReturn(true);
assertThat(pe.hasPermission(mock(Authentication.class), new Object(), "write")).isTrue();
Locale.setDefault(systemLocale);
}
}

1
acl/src/test/java/org/springframework/security/acls/TargetObject.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls;
/**

4
acl/src/test/java/org/springframework/security/acls/TargetObjectWithUUID.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls;
import java.util.UUID;
@ -27,10 +28,11 @@ public final class TargetObjectWithUUID {
private UUID id;
public UUID getId() {
return id;
return this.id;
}
public void setId(UUID id) {
this.id = id;
}
}

55
acl/src/test/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationCollectionFilteringProviderTests.java
View File

@ -13,46 +13,54 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.afterinvocation;
import static org.assertj.core.api.Assertions.*;
import static org.mockito.Mockito.*;
import org.junit.Test;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.acls.model.*;
import org.springframework.security.core.Authentication;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import org.junit.Test;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.AclService;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.ObjectIdentityRetrievalStrategy;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.SidRetrievalStrategy;
import org.springframework.security.core.Authentication;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyBoolean;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;
/**
* @author Luke Taylor
*/
@SuppressWarnings({ "unchecked" })
public class AclEntryAfterInvocationCollectionFilteringProviderTests {
@Test
public void objectsAreRemovedIfPermissionDenied() {
AclService service = mock(AclService.class);
Acl acl = mock(Acl.class);
when(acl.isGranted(any(), any(), anyBoolean())).thenReturn(
false);
when(service.readAclById(any(), any())).thenReturn(
acl);
given(acl.isGranted(any(), any(), anyBoolean())).willReturn(false);
given(service.readAclById(any(), any())).willReturn(acl);
AclEntryAfterInvocationCollectionFilteringProvider provider = new AclEntryAfterInvocationCollectionFilteringProvider(
service, Arrays.asList(mock(Permission.class)));
provider.setObjectIdentityRetrievalStrategy(mock(ObjectIdentityRetrievalStrategy.class));
provider.setProcessDomainObjectClass(Object.class);
provider.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class));
Object returned = provider.decide(mock(Authentication.class), new Object(),
SecurityConfig.createList("AFTER_ACL_COLLECTION_READ"), new ArrayList(
Arrays.asList(new Object(), new Object())));
SecurityConfig.createList("AFTER_ACL_COLLECTION_READ"),
new ArrayList(Arrays.asList(new Object(), new Object())));
assertThat(returned).isInstanceOf(List.class);
assertThat(((List) returned)).isEmpty();
returned = provider.decide(mock(Authentication.class), new Object(),
@ -67,11 +75,8 @@ public class AclEntryAfterInvocationCollectionFilteringProviderTests {
AclEntryAfterInvocationCollectionFilteringProvider provider = new AclEntryAfterInvocationCollectionFilteringProvider(
mock(AclService.class), Arrays.asList(mock(Permission.class)));
Object returned = new Object();
assertThat(returned)
.isSameAs(
provider.decide(mock(Authentication.class), new Object(),
Collections.<ConfigAttribute> emptyList(), returned));
assertThat(returned).isSameAs(provider.decide(mock(Authentication.class), new Object(),
Collections.<ConfigAttribute>emptyList(), returned));
}
@Test
@ -79,10 +84,8 @@ public class AclEntryAfterInvocationCollectionFilteringProviderTests {
AclService service = mock(AclService.class);
AclEntryAfterInvocationCollectionFilteringProvider provider = new AclEntryAfterInvocationCollectionFilteringProvider(
service, Arrays.asList(mock(Permission.class)));
assertThat(provider.decide(mock(Authentication.class), new Object(),
SecurityConfig.createList("AFTER_ACL_COLLECTION_READ"), null))
.isNull();
SecurityConfig.createList("AFTER_ACL_COLLECTION_READ"), null)).isNull();
verify(service, never()).readAclById(any(ObjectIdentity.class), any(List.class));
}

106
acl/src/test/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationProviderTests.java
View File

@ -13,23 +13,37 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.afterinvocation;
import static org.assertj.core.api.Assertions.*;
import static org.mockito.Mockito.*;
import org.junit.Test;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.acls.model.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.SpringSecurityMessageSource;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import org.junit.Test;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.AclService;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.ObjectIdentityRetrievalStrategy;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.SidRetrievalStrategy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.SpringSecurityMessageSource;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.fail;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyBoolean;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;
/**
* @author Luke Taylor
*/
@ -44,74 +58,56 @@ public class AclEntryAfterInvocationProviderTests {
}
catch (IllegalArgumentException expected) {
}
new AclEntryAfterInvocationProvider(mock(AclService.class),
Collections.<Permission> emptyList());
new AclEntryAfterInvocationProvider(mock(AclService.class), Collections.<Permission>emptyList());
}
@Test
public void accessIsAllowedIfPermissionIsGranted() {
AclService service = mock(AclService.class);
Acl acl = mock(Acl.class);
when(acl.isGranted(any(List.class), any(List.class), anyBoolean())).thenReturn(
true);
when(service.readAclById(any(), any())).thenReturn(
acl);
AclEntryAfterInvocationProvider provider = new AclEntryAfterInvocationProvider(
service, Arrays.asList(mock(Permission.class)));
given(acl.isGranted(any(List.class), any(List.class), anyBoolean())).willReturn(true);
given(service.readAclById(any(), any())).willReturn(acl);
AclEntryAfterInvocationProvider provider = new AclEntryAfterInvocationProvider(service,
Arrays.asList(mock(Permission.class)));
provider.setMessageSource(new SpringSecurityMessageSource());
provider.setObjectIdentityRetrievalStrategy(mock(ObjectIdentityRetrievalStrategy.class));
provider.setProcessDomainObjectClass(Object.class);
provider.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class));
Object returned = new Object();
assertThat(
returned)
.isSameAs(
provider.decide(mock(Authentication.class), new Object(),
SecurityConfig.createList("AFTER_ACL_READ"), returned));
assertThat(returned).isSameAs(provider.decide(mock(Authentication.class), new Object(),
SecurityConfig.createList("AFTER_ACL_READ"), returned));
}
@Test
public void accessIsGrantedIfNoAttributesDefined() {
AclEntryAfterInvocationProvider provider = new AclEntryAfterInvocationProvider(
mock(AclService.class), Arrays.asList(mock(Permission.class)));
AclEntryAfterInvocationProvider provider = new AclEntryAfterInvocationProvider(mock(AclService.class),
Arrays.asList(mock(Permission.class)));
Object returned = new Object();
assertThat(
returned)
.isSameAs(
provider.decide(mock(Authentication.class), new Object(),
Collections.<ConfigAttribute> emptyList(), returned));
assertThat(returned).isSameAs(provider.decide(mock(Authentication.class), new Object(),
Collections.<ConfigAttribute>emptyList(), returned));
}
@Test
public void accessIsGrantedIfObjectTypeNotSupported() {
AclEntryAfterInvocationProvider provider = new AclEntryAfterInvocationProvider(
mock(AclService.class), Arrays.asList(mock(Permission.class)));
AclEntryAfterInvocationProvider provider = new AclEntryAfterInvocationProvider(mock(AclService.class),
Arrays.asList(mock(Permission.class)));
provider.setProcessDomainObjectClass(String.class);
// Not a String
Object returned = new Object();
assertThat(
returned)
.isSameAs(
provider.decide(mock(Authentication.class), new Object(),
SecurityConfig.createList("AFTER_ACL_READ"), returned));
assertThat(returned).isSameAs(provider.decide(mock(Authentication.class), new Object(),
SecurityConfig.createList("AFTER_ACL_READ"), returned));
}
@Test(expected = AccessDeniedException.class)
public void accessIsDeniedIfPermissionIsNotGranted() {
AclService service = mock(AclService.class);
Acl acl = mock(Acl.class);
when(acl.isGranted(any(List.class), any(List.class), anyBoolean())).thenReturn(
false);
given(acl.isGranted(any(List.class), any(List.class), anyBoolean())).willReturn(false);
// Try a second time with no permissions found
when(acl.isGranted(any(), any(List.class), anyBoolean())).thenThrow(
new NotFoundException(""));
when(service.readAclById(any(), any())).thenReturn(
acl);
AclEntryAfterInvocationProvider provider = new AclEntryAfterInvocationProvider(
service, Arrays.asList(mock(Permission.class)));
given(acl.isGranted(any(), any(List.class), anyBoolean())).willThrow(new NotFoundException(""));
given(service.readAclById(any(), any())).willReturn(acl);
AclEntryAfterInvocationProvider provider = new AclEntryAfterInvocationProvider(service,
Arrays.asList(mock(Permission.class)));
provider.setProcessConfigAttribute("MY_ATTRIBUTE");
provider.setMessageSource(new SpringSecurityMessageSource());
provider.setObjectIdentityRetrievalStrategy(mock(ObjectIdentityRetrievalStrategy.class));
@ -119,8 +115,7 @@ public class AclEntryAfterInvocationProviderTests {
provider.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class));
try {
provider.decide(mock(Authentication.class), new Object(),
SecurityConfig.createList("UNSUPPORTED", "MY_ATTRIBUTE"),
new Object());
SecurityConfig.createList("UNSUPPORTED", "MY_ATTRIBUTE"), new Object());
fail("Expected Exception");
}
catch (AccessDeniedException expected) {
@ -133,12 +128,11 @@ public class AclEntryAfterInvocationProviderTests {
@Test
public void nullReturnObjectIsIgnored() {
AclService service = mock(AclService.class);
AclEntryAfterInvocationProvider provider = new AclEntryAfterInvocationProvider(
service, Arrays.asList(mock(Permission.class)));
AclEntryAfterInvocationProvider provider = new AclEntryAfterInvocationProvider(service,
Arrays.asList(mock(Permission.class)));
assertThat(provider.decide(mock(Authentication.class), new Object(),
SecurityConfig.createList("AFTER_ACL_COLLECTION_READ"), null))
.isNull();
SecurityConfig.createList("AFTER_ACL_COLLECTION_READ"), null)).isNull();
verify(service, never()).readAclById(any(ObjectIdentity.class), any(List.class));
}
}

68
acl/src/test/java/org/springframework/security/acls/domain/AccessControlImplEntryTests.java
View File

@ -13,18 +13,22 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import static org.assertj.core.api.Assertions.*;
import static org.mockito.Mockito.*;
import org.junit.Test;
import org.springframework.security.acls.model.AccessControlEntry;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.AuditableAccessControlEntry;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Sid;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.fail;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock;
/**
* Tests for {@link AccessControlEntryImpl}.
*
@ -32,33 +36,26 @@ import org.springframework.security.acls.model.Sid;
*/
public class AccessControlImplEntryTests {
// ~ Methods
// ========================================================================================================
@Test
public void testConstructorRequiredFields() {
// Check Acl field is present
try {
new AccessControlEntryImpl(null, null, new PrincipalSid("johndoe"),
BasePermission.ADMINISTRATION, true, true, true);
new AccessControlEntryImpl(null, null, new PrincipalSid("johndoe"), BasePermission.ADMINISTRATION, true,
true, true);
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
}
// Check Sid field is present
try {
new AccessControlEntryImpl(null, mock(Acl.class), null,
BasePermission.ADMINISTRATION, true, true, true);
new AccessControlEntryImpl(null, mock(Acl.class), null, BasePermission.ADMINISTRATION, true, true, true);
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
}
// Check Permission field is present
try {
new AccessControlEntryImpl(null, mock(Acl.class),
new PrincipalSid("johndoe"), null, true, true, true);
new AccessControlEntryImpl(null, mock(Acl.class), new PrincipalSid("johndoe"), null, true, true, true);
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
@ -69,11 +66,9 @@ public class AccessControlImplEntryTests {
public void testAccessControlEntryImplGetters() {
Acl mockAcl = mock(Acl.class);
Sid sid = new PrincipalSid("johndoe");
// Create a sample entry
AccessControlEntry ace = new AccessControlEntryImpl(1L, mockAcl,
sid, BasePermission.ADMINISTRATION, true, true, true);
AccessControlEntry ace = new AccessControlEntryImpl(1L, mockAcl, sid, BasePermission.ADMINISTRATION, true, true,
true);
// and check every get() method
assertThat(ace.getId()).isEqualTo(1L);
assertThat(ace.getAcl()).isEqualTo(mockAcl);
@ -88,30 +83,27 @@ public class AccessControlImplEntryTests {
public void testEquals() {
final Acl mockAcl = mock(Acl.class);
final ObjectIdentity oid = mock(ObjectIdentity.class);
when(mockAcl.getObjectIdentity()).thenReturn(oid);
given(mockAcl.getObjectIdentity()).willReturn(oid);
Sid sid = new PrincipalSid("johndoe");
AccessControlEntry ace = new AccessControlEntryImpl(1L, mockAcl,
sid, BasePermission.ADMINISTRATION, true, true, true);
AccessControlEntry ace = new AccessControlEntryImpl(1L, mockAcl, sid, BasePermission.ADMINISTRATION, true, true,
true);
assertThat(ace).isNotNull();
assertThat(ace).isNotEqualTo(100L);
assertThat(ace).isEqualTo(ace);
assertThat(ace).isEqualTo(new AccessControlEntryImpl(1L, mockAcl, sid,
assertThat(ace).isEqualTo(
new AccessControlEntryImpl(1L, mockAcl, sid, BasePermission.ADMINISTRATION, true, true, true));
assertThat(ace).isNotEqualTo(
new AccessControlEntryImpl(2L, mockAcl, sid, BasePermission.ADMINISTRATION, true, true, true));
assertThat(ace).isNotEqualTo(new AccessControlEntryImpl(1L, mockAcl, new PrincipalSid("scott"),
BasePermission.ADMINISTRATION, true, true, true));
assertThat(ace).isNotEqualTo(new AccessControlEntryImpl(2L, mockAcl, sid,
BasePermission.ADMINISTRATION, true, true, true));
assertThat(ace).isNotEqualTo(new AccessControlEntryImpl(1L, mockAcl,
new PrincipalSid("scott"), BasePermission.ADMINISTRATION, true, true,
true));
assertThat(ace).isNotEqualTo(new AccessControlEntryImpl(1L, mockAcl, sid,
BasePermission.WRITE, true, true, true));
assertThat(ace).isNotEqualTo(new AccessControlEntryImpl(1L, mockAcl, sid,
BasePermission.ADMINISTRATION, false, true, true));
assertThat(ace).isNotEqualTo(new AccessControlEntryImpl(1L, mockAcl, sid,
BasePermission.ADMINISTRATION, true, false, true));
assertThat(ace).isNotEqualTo(new AccessControlEntryImpl(1L, mockAcl, sid,
BasePermission.ADMINISTRATION, true, true, false));
assertThat(ace)
.isNotEqualTo(new AccessControlEntryImpl(1L, mockAcl, sid, BasePermission.WRITE, true, true, true));
assertThat(ace).isNotEqualTo(
new AccessControlEntryImpl(1L, mockAcl, sid, BasePermission.ADMINISTRATION, false, true, true));
assertThat(ace).isNotEqualTo(
new AccessControlEntryImpl(1L, mockAcl, sid, BasePermission.ADMINISTRATION, true, false, true));
assertThat(ace).isNotEqualTo(
new AccessControlEntryImpl(1L, mockAcl, sid, BasePermission.ADMINISTRATION, true, true, false));
}
}

21
acl/src/test/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImplTests.java
View File

@ -13,8 +13,8 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
package org.springframework.security.acls.domain;
import java.util.Arrays;
@ -24,6 +24,7 @@ import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
@ -31,21 +32,24 @@ import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
/**
*
* @author Rob Winch
*
*/
@RunWith(MockitoJUnitRunner.class)
public class AclAuthorizationStrategyImplTests {
@Mock
Acl acl;
GrantedAuthority authority;
AclAuthorizationStrategyImpl strategy;
@Before
public void setup() {
authority = new SimpleGrantedAuthority("ROLE_AUTH");
TestingAuthenticationToken authentication = new TestingAuthenticationToken("foo", "bar", Arrays.asList(authority));
this.authority = new SimpleGrantedAuthority("ROLE_AUTH");
TestingAuthenticationToken authentication = new TestingAuthenticationToken("foo", "bar",
Arrays.asList(this.authority));
authentication.setAuthenticated(true);
SecurityContextHolder.getContext().setAuthentication(authentication);
}
@ -58,15 +62,18 @@ public class AclAuthorizationStrategyImplTests {
// gh-4085
@Test
public void securityCheckWhenCustomAuthorityThenNameIsUsed() {
strategy = new AclAuthorizationStrategyImpl(new CustomAuthority());
strategy.securityCheck(acl, AclAuthorizationStrategy.CHANGE_GENERAL);
this.strategy = new AclAuthorizationStrategyImpl(new CustomAuthority());
this.strategy.securityCheck(this.acl, AclAuthorizationStrategy.CHANGE_GENERAL);
}
@SuppressWarnings("serial")
class CustomAuthority implements GrantedAuthority {
@Override
public String getAuthority() {
return authority.getAuthority();
return AclAuthorizationStrategyImplTests.this.authority.getAuthority();
}
}
}

432
acl/src/test/java/org/springframework/security/acls/domain/AclImplTests.java
View File

@ -13,21 +13,41 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import static org.assertj.core.api.Assertions.*;
import static org.mockito.Mockito.*;
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import org.junit.*;
import org.springframework.security.acls.model.*;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.springframework.security.acls.model.AccessControlEntry;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.AlreadyExistsException;
import org.springframework.security.acls.model.AuditableAccessControlEntry;
import org.springframework.security.acls.model.AuditableAcl;
import org.springframework.security.acls.model.ChildrenExistException;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.PermissionGrantingStrategy;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.util.FieldUtils;
import java.lang.reflect.Field;
import java.util.*;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.fail;
import static org.mockito.Mockito.mock;
/**
* Tests for {@link AclImpl}.
@ -35,33 +55,41 @@ import java.util.*;
* @author Andrei Stefan
*/
public class AclImplTests {
private static final String TARGET_CLASS = "org.springframework.security.acls.TargetObject";
private static final List<Permission> READ = Arrays.asList(BasePermission.READ);
private static final List<Permission> WRITE = Arrays.asList(BasePermission.WRITE);
private static final List<Permission> CREATE = Arrays.asList(BasePermission.CREATE);
private static final List<Permission> DELETE = Arrays.asList(BasePermission.DELETE);
private static final List<Sid> SCOTT = Arrays.asList((Sid) new PrincipalSid("scott"));
private static final List<Sid> BEN = Arrays.asList((Sid) new PrincipalSid("ben"));
Authentication auth = new TestingAuthenticationToken("joe", "ignored",
"ROLE_ADMINISTRATOR");
AclAuthorizationStrategy authzStrategy;
PermissionGrantingStrategy pgs;
AuditLogger mockAuditLogger;
ObjectIdentity objectIdentity = new ObjectIdentityImpl(TARGET_CLASS, 100);
private DefaultPermissionFactory permissionFactory;
Authentication auth = new TestingAuthenticationToken("joe", "ignored", "ROLE_ADMINISTRATOR");
// ~ Methods
// ========================================================================================================
AclAuthorizationStrategy authzStrategy;
PermissionGrantingStrategy pgs;
AuditLogger mockAuditLogger;
ObjectIdentity objectIdentity = new ObjectIdentityImpl(TARGET_CLASS, 100);
private DefaultPermissionFactory permissionFactory;
@Before
public void setUp() {
SecurityContextHolder.getContext().setAuthentication(auth);
authzStrategy = mock(AclAuthorizationStrategy.class);
mockAuditLogger = mock(AuditLogger.class);
pgs = new DefaultPermissionGrantingStrategy(mockAuditLogger);
auth.setAuthenticated(true);
permissionFactory = new DefaultPermissionFactory();
SecurityContextHolder.getContext().setAuthentication(this.auth);
this.authzStrategy = mock(AclAuthorizationStrategy.class);
this.mockAuditLogger = mock(AuditLogger.class);
this.pgs = new DefaultPermissionGrantingStrategy(this.mockAuditLogger);
this.auth.setAuthenticated(true);
this.permissionFactory = new DefaultPermissionFactory();
}
@After
@ -72,44 +100,43 @@ public class AclImplTests {
@Test(expected = IllegalArgumentException.class)
public void constructorsRejectNullObjectIdentity() {
try {
new AclImpl(null, 1, authzStrategy, pgs, null, null, true, new PrincipalSid(
"joe"));
new AclImpl(null, 1, this.authzStrategy, this.pgs, null, null, true, new PrincipalSid("joe"));
fail("Should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
}
new AclImpl(null, 1, authzStrategy, mockAuditLogger);
new AclImpl(null, 1, this.authzStrategy, this.mockAuditLogger);
}
@Test(expected = IllegalArgumentException.class)
public void constructorsRejectNullId() {
try {
new AclImpl(objectIdentity, null, authzStrategy, pgs, null, null, true,
new AclImpl(this.objectIdentity, null, this.authzStrategy, this.pgs, null, null, true,
new PrincipalSid("joe"));
fail("Should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
}
new AclImpl(objectIdentity, null, authzStrategy, mockAuditLogger);
new AclImpl(this.objectIdentity, null, this.authzStrategy, this.mockAuditLogger);
}
@SuppressWarnings("deprecation")
@Test(expected = IllegalArgumentException.class)
public void constructorsRejectNullAclAuthzStrategy() {
try {
new AclImpl(objectIdentity, 1, null, new DefaultPermissionGrantingStrategy(
mockAuditLogger), null, null, true, new PrincipalSid("joe"));
new AclImpl(this.objectIdentity, 1, null, new DefaultPermissionGrantingStrategy(this.mockAuditLogger), null,
null, true, new PrincipalSid("joe"));
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
}
new AclImpl(objectIdentity, 1, null, mockAuditLogger);
new AclImpl(this.objectIdentity, 1, null, this.mockAuditLogger);
}
@Test
public void insertAceRejectsNullParameters() {
MutableAcl acl = new AclImpl(objectIdentity, 1, authzStrategy, pgs, null, null,
true, new PrincipalSid("joe"));
MutableAcl acl = new AclImpl(this.objectIdentity, 1, this.authzStrategy, this.pgs, null, null, true,
new PrincipalSid("joe"));
try {
acl.insertAce(0, null, new GrantedAuthoritySid("ROLE_IGNORED"), true);
fail("It should have thrown IllegalArgumentException");
@ -126,10 +153,9 @@ public class AclImplTests {
@Test
public void insertAceAddsElementAtCorrectIndex() {
MutableAcl acl = new AclImpl(objectIdentity, 1, authzStrategy, pgs, null, null,
true, new PrincipalSid("joe"));
MutableAcl acl = new AclImpl(this.objectIdentity, 1, this.authzStrategy, this.pgs, null, null, true,
new PrincipalSid("joe"));
MockAclService service = new MockAclService();
// Insert one permission
acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST1"), true);
service.updateAcl(acl);
@ -137,9 +163,7 @@ public class AclImplTests {
assertThat(acl.getEntries()).hasSize(1);
assertThat(acl).isEqualTo(acl.getEntries().get(0).getAcl());
assertThat(BasePermission.READ).isEqualTo(acl.getEntries().get(0).getPermission());
assertThat(acl.getEntries().get(0).getSid()).isEqualTo(new GrantedAuthoritySid(
"ROLE_TEST1"));
assertThat(acl.getEntries().get(0).getSid()).isEqualTo(new GrantedAuthoritySid("ROLE_TEST1"));
// Add a second permission
acl.insertAce(1, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST2"), true);
service.updateAcl(acl);
@ -147,71 +171,54 @@ public class AclImplTests {
assertThat(acl.getEntries()).hasSize(2);
assertThat(acl).isEqualTo(acl.getEntries().get(1).getAcl());
assertThat(BasePermission.READ).isEqualTo(acl.getEntries().get(1).getPermission());
assertThat(acl.getEntries().get(1).getSid()).isEqualTo(new GrantedAuthoritySid(
"ROLE_TEST2"));
assertThat(acl.getEntries().get(1).getSid()).isEqualTo(new GrantedAuthoritySid("ROLE_TEST2"));
// Add a third permission, after the first one
acl.insertAce(1, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_TEST3"),
false);
acl.insertAce(1, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_TEST3"), false);
service.updateAcl(acl);
assertThat(acl.getEntries()).hasSize(3);
// Check the third entry was added between the two existent ones
assertThat(BasePermission.READ).isEqualTo(acl.getEntries().get(0).getPermission());
assertThat(acl.getEntries().get(0).getSid()).isEqualTo(new GrantedAuthoritySid(
"ROLE_TEST1"));
assertThat(acl.getEntries().get(0).getSid()).isEqualTo(new GrantedAuthoritySid("ROLE_TEST1"));
assertThat(BasePermission.WRITE).isEqualTo(acl.getEntries().get(1).getPermission());
assertThat(acl.getEntries().get(1).getSid()).isEqualTo( new GrantedAuthoritySid(
"ROLE_TEST3"));
assertThat(acl.getEntries().get(1).getSid()).isEqualTo(new GrantedAuthoritySid("ROLE_TEST3"));
assertThat(BasePermission.READ).isEqualTo(acl.getEntries().get(2).getPermission());
assertThat(acl.getEntries().get(2).getSid()).isEqualTo(new GrantedAuthoritySid(
"ROLE_TEST2"));
assertThat(acl.getEntries().get(2).getSid()).isEqualTo(new GrantedAuthoritySid("ROLE_TEST2"));
}
@Test(expected = NotFoundException.class)
public void insertAceFailsForNonExistentElement() {
MutableAcl acl = new AclImpl(objectIdentity, 1, authzStrategy, pgs, null, null,
true, new PrincipalSid("joe"));
MutableAcl acl = new AclImpl(this.objectIdentity, 1, this.authzStrategy, this.pgs, null, null, true,
new PrincipalSid("joe"));
MockAclService service = new MockAclService();
// Insert one permission
acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST1"), true);
service.updateAcl(acl);
acl.insertAce(55, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST2"),
true);
acl.insertAce(55, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST2"), true);
}
@Test
public void deleteAceKeepsInitialOrdering() {
MutableAcl acl = new AclImpl(objectIdentity, 1, authzStrategy, pgs, null, null,
true, new PrincipalSid("joe"));
MutableAcl acl = new AclImpl(this.objectIdentity, 1, this.authzStrategy, this.pgs, null, null, true,
new PrincipalSid("joe"));
MockAclService service = new MockAclService();
// Add several permissions
acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST1"), true);
acl.insertAce(1, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST2"), true);
acl.insertAce(2, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST3"), true);
service.updateAcl(acl);
// Delete first permission and check the order of the remaining permissions is
// kept
acl.deleteAce(0);
assertThat(acl.getEntries()).hasSize(2);
assertThat(acl.getEntries().get(0).getSid()).isEqualTo(new GrantedAuthoritySid(
"ROLE_TEST2"));
assertThat(acl.getEntries().get(1).getSid()).isEqualTo(new GrantedAuthoritySid(
"ROLE_TEST3"));
assertThat(acl.getEntries().get(0).getSid()).isEqualTo(new GrantedAuthoritySid("ROLE_TEST2"));
assertThat(acl.getEntries().get(1).getSid()).isEqualTo(new GrantedAuthoritySid("ROLE_TEST3"));
// Add one more permission and remove the permission in the middle
acl.insertAce(2, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST4"), true);
service.updateAcl(acl);
acl.deleteAce(1);
assertThat(acl.getEntries()).hasSize(2);
assertThat(acl.getEntries().get(0).getSid()).isEqualTo(new GrantedAuthoritySid(
"ROLE_TEST2"));
assertThat(acl.getEntries().get(1).getSid()).isEqualTo(new GrantedAuthoritySid(
"ROLE_TEST4"));
assertThat(acl.getEntries().get(0).getSid()).isEqualTo(new GrantedAuthoritySid("ROLE_TEST2"));
assertThat(acl.getEntries().get(1).getSid()).isEqualTo(new GrantedAuthoritySid("ROLE_TEST4"));
// Remove remaining permissions
acl.deleteAce(1);
acl.deleteAce(0);
@ -221,10 +228,10 @@ public class AclImplTests {
@Test
public void deleteAceFailsForNonExistentElement() {
AclAuthorizationStrategyImpl strategy = new AclAuthorizationStrategyImpl(
new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority(
"ROLE_AUDITING"), new SimpleGrantedAuthority("ROLE_GENERAL"));
MutableAcl acl = new AclImpl(objectIdentity, (1), strategy, pgs, null, null,
true, new PrincipalSid("joe"));
new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"),
new SimpleGrantedAuthority("ROLE_GENERAL"));
MutableAcl acl = new AclImpl(this.objectIdentity, (1), strategy, this.pgs, null, null, true,
new PrincipalSid("joe"));
try {
acl.deleteAce(99);
fail("It should have thrown NotFoundException");
@ -235,8 +242,8 @@ public class AclImplTests {
@Test
public void isGrantingRejectsEmptyParameters() {
MutableAcl acl = new AclImpl(objectIdentity, 1, authzStrategy, pgs, null, null,
true, new PrincipalSid("joe"));
MutableAcl acl = new AclImpl(this.objectIdentity, 1, this.authzStrategy, this.pgs, null, null, true,
new PrincipalSid("joe"));
Sid ben = new PrincipalSid("ben");
try {
acl.isGranted(new ArrayList<>(0), Arrays.asList(ben), false);
@ -254,28 +261,21 @@ public class AclImplTests {
@Test
public void isGrantingGrantsAccessForAclWithNoParent() {
Authentication auth = new TestingAuthenticationToken("ben", "ignored",
"ROLE_GENERAL", "ROLE_GUEST");
Authentication auth = new TestingAuthenticationToken("ben", "ignored", "ROLE_GENERAL", "ROLE_GUEST");
auth.setAuthenticated(true);
SecurityContextHolder.getContext().setAuthentication(auth);
ObjectIdentity rootOid = new ObjectIdentityImpl(TARGET_CLASS, 100);
// Create an ACL which owner is not the authenticated principal
MutableAcl rootAcl = new AclImpl(rootOid, 1, authzStrategy, pgs, null, null,
false, new PrincipalSid("joe"));
MutableAcl rootAcl = new AclImpl(rootOid, 1, this.authzStrategy, this.pgs, null, null, false,
new PrincipalSid("joe"));
// Grant some permissions
rootAcl.insertAce(0, BasePermission.READ, new PrincipalSid("ben"), false);
rootAcl.insertAce(1, BasePermission.WRITE, new PrincipalSid("scott"), true);
rootAcl.insertAce(2, BasePermission.WRITE, new PrincipalSid("rod"), false);
rootAcl.insertAce(3, BasePermission.WRITE, new GrantedAuthoritySid(
"WRITE_ACCESS_ROLE"), true);
rootAcl.insertAce(3, BasePermission.WRITE, new GrantedAuthoritySid("WRITE_ACCESS_ROLE"), true);
// Check permissions granting
List<Permission> permissions = Arrays.asList(BasePermission.READ,
BasePermission.CREATE);
List<Sid> sids = Arrays.asList(new PrincipalSid("ben"), new GrantedAuthoritySid(
"ROLE_GUEST"));
List<Permission> permissions = Arrays.asList(BasePermission.READ, BasePermission.CREATE);
List<Sid> sids = Arrays.asList(new PrincipalSid("ben"), new GrantedAuthoritySid("ROLE_GUEST"));
assertThat(rootAcl.isGranted(permissions, sids, false)).isFalse();
try {
rootAcl.isGranted(permissions, SCOTT, false);
@ -284,14 +284,14 @@ public class AclImplTests {
catch (NotFoundException expected) {
}
assertThat(rootAcl.isGranted(WRITE, SCOTT, false)).isTrue();
assertThat(rootAcl.isGranted(WRITE, Arrays.asList(new PrincipalSid("rod"),
new GrantedAuthoritySid("WRITE_ACCESS_ROLE")), false)).isFalse();
assertThat(rootAcl.isGranted(WRITE, Arrays.asList(new GrantedAuthoritySid(
"WRITE_ACCESS_ROLE"), new PrincipalSid("rod")), false)).isTrue();
assertThat(rootAcl.isGranted(WRITE,
Arrays.asList(new PrincipalSid("rod"), new GrantedAuthoritySid("WRITE_ACCESS_ROLE")), false)).isFalse();
assertThat(rootAcl.isGranted(WRITE,
Arrays.asList(new GrantedAuthoritySid("WRITE_ACCESS_ROLE"), new PrincipalSid("rod")), false)).isTrue();
try {
// Change the type of the Sid and check the granting process
rootAcl.isGranted(WRITE, Arrays.asList(new GrantedAuthoritySid("rod"),
new PrincipalSid("WRITE_ACCESS_ROLE")), false);
rootAcl.isGranted(WRITE,
Arrays.asList(new GrantedAuthoritySid("rod"), new PrincipalSid("WRITE_ACCESS_ROLE")), false);
fail("It should have thrown NotFoundException");
}
catch (NotFoundException expected) {
@ -300,8 +300,7 @@ public class AclImplTests {
@Test
public void isGrantingGrantsAccessForInheritableAcls() {
Authentication auth = new TestingAuthenticationToken("ben", "ignored",
"ROLE_GENERAL");
Authentication auth = new TestingAuthenticationToken("ben", "ignored", "ROLE_GENERAL");
auth.setAuthenticated(true);
SecurityContextHolder.getContext().setAuthentication(auth);
ObjectIdentity grandParentOid = new ObjectIdentityImpl(TARGET_CLASS, 100);
@ -309,60 +308,44 @@ public class AclImplTests {
ObjectIdentity parentOid2 = new ObjectIdentityImpl(TARGET_CLASS, 102);
ObjectIdentity childOid1 = new ObjectIdentityImpl(TARGET_CLASS, 103);
ObjectIdentity childOid2 = new ObjectIdentityImpl(TARGET_CLASS, 104);
// Create ACLs
PrincipalSid joe = new PrincipalSid("joe");
MutableAcl grandParentAcl = new AclImpl(grandParentOid, 1, authzStrategy, pgs,
null, null, false, joe);
MutableAcl parentAcl1 = new AclImpl(parentOid1, 2, authzStrategy, pgs, null,
null, true, joe);
MutableAcl parentAcl2 = new AclImpl(parentOid2, 3, authzStrategy, pgs, null,
null, true, joe);
MutableAcl childAcl1 = new AclImpl(childOid1, 4, authzStrategy, pgs, null, null,
true, joe);
MutableAcl childAcl2 = new AclImpl(childOid2, 4, authzStrategy, pgs, null, null,
false, joe);
MutableAcl grandParentAcl = new AclImpl(grandParentOid, 1, this.authzStrategy, this.pgs, null, null, false,
joe);
MutableAcl parentAcl1 = new AclImpl(parentOid1, 2, this.authzStrategy, this.pgs, null, null, true, joe);
MutableAcl parentAcl2 = new AclImpl(parentOid2, 3, this.authzStrategy, this.pgs, null, null, true, joe);
MutableAcl childAcl1 = new AclImpl(childOid1, 4, this.authzStrategy, this.pgs, null, null, true, joe);
MutableAcl childAcl2 = new AclImpl(childOid2, 4, this.authzStrategy, this.pgs, null, null, false, joe);
// Create hierarchies
childAcl2.setParent(childAcl1);
childAcl1.setParent(parentAcl1);
parentAcl2.setParent(grandParentAcl);
parentAcl1.setParent(grandParentAcl);
// Add some permissions
grandParentAcl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid(
"ROLE_USER_READ"), true);
grandParentAcl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"), true);
grandParentAcl.insertAce(1, BasePermission.WRITE, new PrincipalSid("ben"), true);
grandParentAcl
.insertAce(2, BasePermission.DELETE, new PrincipalSid("ben"), false);
grandParentAcl.insertAce(3, BasePermission.DELETE, new PrincipalSid("scott"),
true);
grandParentAcl.insertAce(2, BasePermission.DELETE, new PrincipalSid("ben"), false);
grandParentAcl.insertAce(3, BasePermission.DELETE, new PrincipalSid("scott"), true);
parentAcl1.insertAce(0, BasePermission.READ, new PrincipalSid("scott"), true);
parentAcl1.insertAce(1, BasePermission.DELETE, new PrincipalSid("scott"), false);
parentAcl2.insertAce(0, BasePermission.CREATE, new PrincipalSid("ben"), true);
childAcl1.insertAce(0, BasePermission.CREATE, new PrincipalSid("scott"), true);
// Check granting process for parent1
assertThat(parentAcl1.isGranted(READ, SCOTT, false)).isTrue();
assertThat(parentAcl1.isGranted(READ,
Arrays.asList((Sid) new GrantedAuthoritySid("ROLE_USER_READ")), false))
assertThat(parentAcl1.isGranted(READ, Arrays.asList((Sid) new GrantedAuthoritySid("ROLE_USER_READ")), false))
.isTrue();
assertThat(parentAcl1.isGranted(WRITE, BEN, false)).isTrue();
assertThat(parentAcl1.isGranted(DELETE, BEN, false)).isFalse();
assertThat(parentAcl1.isGranted(DELETE, SCOTT, false)).isFalse();
// Check granting process for parent2
assertThat(parentAcl2.isGranted(CREATE, BEN, false)).isTrue();
assertThat(parentAcl2.isGranted(WRITE, BEN, false)).isTrue();
assertThat(parentAcl2.isGranted(DELETE, BEN, false)).isFalse();
// Check granting process for child1
assertThat(childAcl1.isGranted(CREATE, SCOTT, false)).isTrue();
assertThat(childAcl1.isGranted(READ,
Arrays.asList((Sid) new GrantedAuthoritySid("ROLE_USER_READ")), false))
assertThat(childAcl1.isGranted(READ, Arrays.asList((Sid) new GrantedAuthoritySid("ROLE_USER_READ")), false))
.isTrue();
assertThat(childAcl1.isGranted(DELETE, BEN, false)).isFalse();
// Check granting process for child2 (doesn't inherit the permissions from its
// parent)
try {
@ -372,8 +355,7 @@ public class AclImplTests {
catch (NotFoundException expected) {
}
try {
childAcl2.isGranted(CREATE,
Arrays.asList((Sid) new PrincipalSid("joe")), false);
childAcl2.isGranted(CREATE, Arrays.asList((Sid) new PrincipalSid("joe")), false);
fail("It should have thrown NotFoundException");
}
catch (NotFoundException expected) {
@ -382,30 +364,23 @@ public class AclImplTests {
@Test
public void updatedAceValuesAreCorrectlyReflectedInAcl() {
Authentication auth = new TestingAuthenticationToken("ben", "ignored",
"ROLE_GENERAL");
Authentication auth = new TestingAuthenticationToken("ben", "ignored", "ROLE_GENERAL");
auth.setAuthenticated(true);
SecurityContextHolder.getContext().setAuthentication(auth);
MutableAcl acl = new AclImpl(objectIdentity, 1, authzStrategy, pgs, null, null,
false, new PrincipalSid("joe"));
MutableAcl acl = new AclImpl(this.objectIdentity, 1, this.authzStrategy, this.pgs, null, null, false,
new PrincipalSid("joe"));
MockAclService service = new MockAclService();
acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"),
true);
acl.insertAce(1, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_USER_READ"),
true);
acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"), true);
acl.insertAce(1, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_USER_READ"), true);
acl.insertAce(2, BasePermission.CREATE, new PrincipalSid("ben"), true);
service.updateAcl(acl);
assertThat(BasePermission.READ).isEqualTo(acl.getEntries().get(0).getPermission());
assertThat(BasePermission.WRITE).isEqualTo(acl.getEntries().get(1).getPermission());
assertThat(BasePermission.CREATE).isEqualTo(acl.getEntries().get(2).getPermission());
// Change each permission
acl.updateAce(0, BasePermission.CREATE);
acl.updateAce(1, BasePermission.DELETE);
acl.updateAce(2, BasePermission.READ);
// Check the change was successfully made
assertThat(BasePermission.CREATE).isEqualTo(acl.getEntries().get(0).getPermission());
assertThat(BasePermission.DELETE).isEqualTo(acl.getEntries().get(1).getPermission());
@ -414,37 +389,22 @@ public class AclImplTests {
@Test
public void auditableEntryFlagsAreUpdatedCorrectly() {
Authentication auth = new TestingAuthenticationToken("ben", "ignored",
"ROLE_AUDITING", "ROLE_GENERAL");
Authentication auth = new TestingAuthenticationToken("ben", "ignored", "ROLE_AUDITING", "ROLE_GENERAL");
auth.setAuthenticated(true);
SecurityContextHolder.getContext().setAuthentication(auth);
MutableAcl acl = new AclImpl(objectIdentity, 1, authzStrategy, pgs, null, null,
false, new PrincipalSid("joe"));
MutableAcl acl = new AclImpl(this.objectIdentity, 1, this.authzStrategy, this.pgs, null, null, false,
new PrincipalSid("joe"));
MockAclService service = new MockAclService();
acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"),
true);
acl.insertAce(1, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_USER_READ"),
true);
acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"), true);
acl.insertAce(1, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_USER_READ"), true);
service.updateAcl(acl);
assertThat(((AuditableAccessControlEntry) acl.getEntries().get(0))
.isAuditFailure())
.isFalse();
assertThat(((AuditableAccessControlEntry) acl.getEntries().get(1))
.isAuditFailure())
.isFalse();
assertThat(((AuditableAccessControlEntry) acl.getEntries().get(0))
.isAuditSuccess())
.isFalse();
assertThat(((AuditableAccessControlEntry) acl.getEntries().get(1))
.isAuditSuccess())
.isFalse();
assertThat(((AuditableAccessControlEntry) acl.getEntries().get(0)).isAuditFailure()).isFalse();
assertThat(((AuditableAccessControlEntry) acl.getEntries().get(1)).isAuditFailure()).isFalse();
assertThat(((AuditableAccessControlEntry) acl.getEntries().get(0)).isAuditSuccess()).isFalse();
assertThat(((AuditableAccessControlEntry) acl.getEntries().get(1)).isAuditSuccess()).isFalse();
// Change each permission
((AuditableAcl) acl).updateAuditing(0, true, true);
((AuditableAcl) acl).updateAuditing(1, true, true);
// Check the change was successfuly made
assertThat(acl.getEntries()).extracting("auditSuccess").containsOnly(true, true);
assertThat(acl.getEntries()).extracting("auditFailure").containsOnly(true, true);
@ -452,86 +412,74 @@ public class AclImplTests {
@Test
public void gettersAndSettersAreConsistent() {
Authentication auth = new TestingAuthenticationToken("ben", "ignored",
"ROLE_GENERAL");
Authentication auth = new TestingAuthenticationToken("ben", "ignored", "ROLE_GENERAL");
auth.setAuthenticated(true);
SecurityContextHolder.getContext().setAuthentication(auth);
ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, (100));
ObjectIdentity identity2 = new ObjectIdentityImpl(TARGET_CLASS, (101));
MutableAcl acl = new AclImpl(identity, 1, authzStrategy, pgs, null, null, true,
MutableAcl acl = new AclImpl(identity, 1, this.authzStrategy, this.pgs, null, null, true,
new PrincipalSid("joe"));
MutableAcl parentAcl = new AclImpl(identity2, 2, this.authzStrategy, this.pgs, null, null, true,
new PrincipalSid("joe"));
MutableAcl parentAcl = new AclImpl(identity2, 2, authzStrategy, pgs, null, null,
true, new PrincipalSid("joe"));
MockAclService service = new MockAclService();
acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"),
true);
acl.insertAce(1, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_USER_READ"),
true);
acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"), true);
acl.insertAce(1, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_USER_READ"), true);
service.updateAcl(acl);
assertThat(1).isEqualTo(acl.getId());
assertThat(identity).isEqualTo(acl.getObjectIdentity());
assertThat(new PrincipalSid("joe")).isEqualTo(acl.getOwner());
assertThat(acl.getParentAcl()).isNull();
assertThat(acl.isEntriesInheriting()).isTrue();
assertThat(acl.getEntries()).hasSize(2);
acl.setParent(parentAcl);
assertThat(parentAcl).isEqualTo(acl.getParentAcl());
acl.setEntriesInheriting(false);
assertThat(acl.isEntriesInheriting()).isFalse();
acl.setOwner(new PrincipalSid("ben"));
assertThat(new PrincipalSid("ben")).isEqualTo(acl.getOwner());
}
@Test
public void isSidLoadedBehavesAsExpected() {
List<Sid> loadedSids = Arrays.asList(new PrincipalSid("ben"),
new GrantedAuthoritySid("ROLE_IGNORED"));
MutableAcl acl = new AclImpl(objectIdentity, 1, authzStrategy, pgs, null,
loadedSids, true, new PrincipalSid("joe"));
List<Sid> loadedSids = Arrays.asList(new PrincipalSid("ben"), new GrantedAuthoritySid("ROLE_IGNORED"));
MutableAcl acl = new AclImpl(this.objectIdentity, 1, this.authzStrategy, this.pgs, null, loadedSids, true,
new PrincipalSid("joe"));
assertThat(acl.isSidLoaded(loadedSids)).isTrue();
assertThat(acl.isSidLoaded(Arrays.asList(new GrantedAuthoritySid("ROLE_IGNORED"),
new PrincipalSid("ben"))))
.isTrue();
assertThat(acl.isSidLoaded(Arrays.asList((Sid) new GrantedAuthoritySid(
"ROLE_IGNORED"))))
.isTrue();
assertThat(acl.isSidLoaded(Arrays.asList(new GrantedAuthoritySid("ROLE_IGNORED"), new PrincipalSid("ben"))))
.isTrue();
assertThat(acl.isSidLoaded(Arrays.asList((Sid) new GrantedAuthoritySid("ROLE_IGNORED")))).isTrue();
assertThat(acl.isSidLoaded(BEN)).isTrue();
assertThat(acl.isSidLoaded(null)).isTrue();
assertThat(acl.isSidLoaded(new ArrayList<>(0))).isTrue();
assertThat(acl.isSidLoaded(Arrays.asList(new GrantedAuthoritySid(
"ROLE_IGNORED"), new GrantedAuthoritySid("ROLE_IGNORED"))))
.isTrue();
assertThat(acl.isSidLoaded(Arrays.asList(new GrantedAuthoritySid(
"ROLE_GENERAL"), new GrantedAuthoritySid("ROLE_IGNORED"))))
.isFalse();
assertThat(acl.isSidLoaded(Arrays.asList(new GrantedAuthoritySid(
"ROLE_IGNORED"), new GrantedAuthoritySid("ROLE_GENERAL"))))
.isFalse();
assertThat(acl.isSidLoaded(
Arrays.asList(new GrantedAuthoritySid("ROLE_IGNORED"), new GrantedAuthoritySid("ROLE_IGNORED"))))
.isTrue();
assertThat(acl.isSidLoaded(
Arrays.asList(new GrantedAuthoritySid("ROLE_GENERAL"), new GrantedAuthoritySid("ROLE_IGNORED"))))
.isFalse();
assertThat(acl.isSidLoaded(
Arrays.asList(new GrantedAuthoritySid("ROLE_IGNORED"), new GrantedAuthoritySid("ROLE_GENERAL"))))
.isFalse();
}
@Test(expected = NotFoundException.class)
public void insertAceRaisesNotFoundExceptionForIndexLessThanZero() {
AclImpl acl = new AclImpl(objectIdentity, 1, authzStrategy, pgs, null, null,
true, new PrincipalSid("joe"));
AclImpl acl = new AclImpl(this.objectIdentity, 1, this.authzStrategy, this.pgs, null, null, true,
new PrincipalSid("joe"));
acl.insertAce(-1, mock(Permission.class), mock(Sid.class), true);
}
@Test(expected = NotFoundException.class)
public void deleteAceRaisesNotFoundExceptionForIndexLessThanZero() {
AclImpl acl = new AclImpl(objectIdentity, 1, authzStrategy, pgs, null, null,
true, new PrincipalSid("joe"));
AclImpl acl = new AclImpl(this.objectIdentity, 1, this.authzStrategy, this.pgs, null, null, true,
new PrincipalSid("joe"));
acl.deleteAce(-1);
}
@Test(expected = NotFoundException.class)
public void insertAceRaisesNotFoundExceptionForIndexGreaterThanSize() {
AclImpl acl = new AclImpl(objectIdentity, 1, authzStrategy, pgs, null, null,
true, new PrincipalSid("joe"));
AclImpl acl = new AclImpl(this.objectIdentity, 1, this.authzStrategy, this.pgs, null, null, true,
new PrincipalSid("joe"));
// Insert at zero, OK.
acl.insertAce(0, mock(Permission.class), mock(Sid.class), true);
// Size is now 1
@ -541,8 +489,8 @@ public class AclImplTests {
// SEC-1151
@Test(expected = NotFoundException.class)
public void deleteAceRaisesNotFoundExceptionForIndexEqualToSize() {
AclImpl acl = new AclImpl(objectIdentity, 1, authzStrategy, pgs, null, null,
true, new PrincipalSid("joe"));
AclImpl acl = new AclImpl(this.objectIdentity, 1, this.authzStrategy, this.pgs, null, null, true,
new PrincipalSid("joe"));
acl.insertAce(0, mock(Permission.class), mock(Sid.class), true);
// Size is now 1
acl.deleteAce(1);
@ -551,12 +499,9 @@ public class AclImplTests {
// SEC-1795
@Test
public void changingParentIsSuccessful() {
AclImpl parentAcl = new AclImpl(objectIdentity, 1L, authzStrategy,
mockAuditLogger);
AclImpl childAcl = new AclImpl(objectIdentity, 2L, authzStrategy, mockAuditLogger);
AclImpl changeParentAcl = new AclImpl(objectIdentity, 3L, authzStrategy,
mockAuditLogger);
AclImpl parentAcl = new AclImpl(this.objectIdentity, 1L, this.authzStrategy, this.mockAuditLogger);
AclImpl childAcl = new AclImpl(this.objectIdentity, 2L, this.authzStrategy, this.mockAuditLogger);
AclImpl changeParentAcl = new AclImpl(this.objectIdentity, 3L, this.authzStrategy, this.mockAuditLogger);
childAcl.setParent(parentAcl);
childAcl.setParent(changeParentAcl);
}
@ -564,11 +509,12 @@ public class AclImplTests {
// SEC-2342
@Test
public void maskPermissionGrantingStrategy() {
DefaultPermissionGrantingStrategy maskPgs = new MaskPermissionGrantingStrategy(mockAuditLogger);
DefaultPermissionGrantingStrategy maskPgs = new MaskPermissionGrantingStrategy(this.mockAuditLogger);
MockAclService service = new MockAclService();
AclImpl acl = new AclImpl(objectIdentity, 1, authzStrategy, maskPgs, null, null,
true, new PrincipalSid("joe"));
Permission permission = permissionFactory.buildFromMask(BasePermission.READ.getMask() | BasePermission.WRITE.getMask());
AclImpl acl = new AclImpl(this.objectIdentity, 1, this.authzStrategy, maskPgs, null, null, true,
new PrincipalSid("joe"));
Permission permission = this.permissionFactory
.buildFromMask(BasePermission.READ.getMask() | BasePermission.WRITE.getMask());
Sid sid = new PrincipalSid("ben");
acl.insertAce(0, permission, sid, true);
service.updateAcl(acl);
@ -579,27 +525,21 @@ public class AclImplTests {
@Test
public void hashCodeWithoutStackOverFlow() throws Exception {
//given
Sid sid = new PrincipalSid("pSid");
ObjectIdentity oid = new ObjectIdentityImpl("type", 1);
AclAuthorizationStrategy authStrategy = new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("role"));
PermissionGrantingStrategy grantingStrategy = new DefaultPermissionGrantingStrategy(new ConsoleAuditLogger());
AclImpl acl = new AclImpl(oid, 1L, authStrategy, grantingStrategy, null, null, false, sid);
AclImpl acl = new AclImpl(oid, 1L, authStrategy, grantingStrategy, null, null, false, sid);
AccessControlEntryImpl ace = new AccessControlEntryImpl(1L, acl, sid, BasePermission.READ, true, true, true);
Field fieldAces = FieldUtils.getField(AclImpl.class, "aces");
Field fieldAces = FieldUtils.getField(AclImpl.class, "aces");
fieldAces.setAccessible(true);
List<AccessControlEntryImpl> aces = (List<AccessControlEntryImpl>) fieldAces.get(acl);
aces.add(ace);
//when - then none StackOverFlowError been raised
ace.hashCode();
}
// ~ Inner Classes
// ==================================================================================================
private static class MaskPermissionGrantingStrategy extends DefaultPermissionGrantingStrategy {
MaskPermissionGrantingStrategy(AuditLogger auditLogger) {
super(auditLogger);
}
@ -611,26 +551,28 @@ public class AclImplTests {
}
return super.isGranted(ace, p);
}
}
private class MockAclService implements MutableAclService {
public MutableAcl createAcl(ObjectIdentity objectIdentity)
throws AlreadyExistsException {
@Override
public MutableAcl createAcl(ObjectIdentity objectIdentity) throws AlreadyExistsException {
return null;
}
public void deleteAcl(ObjectIdentity objectIdentity, boolean deleteChildren)
throws ChildrenExistException {
@Override
public void deleteAcl(ObjectIdentity objectIdentity, boolean deleteChildren) throws ChildrenExistException {
}
/*
* Mock implementation that populates the aces list with fully initialized
* AccessControlEntries
*
* @see
* org.springframework.security.acls.MutableAclService#updateAcl(org.springframework
* .security.acls.MutableAcl)
* @see org.springframework.security.acls.MutableAclService#updateAcl(org.
* springframework .security.acls.MutableAcl)
*/
@Override
@SuppressWarnings("unchecked")
public MutableAcl updateAcl(MutableAcl acl) throws NotFoundException {
List<AccessControlEntry> oldAces = acl.getEntries();
@ -640,45 +582,47 @@ public class AclImplTests {
try {
newAces = (List) acesField.get(acl);
newAces.clear();
for (int i = 0; i < oldAces.size(); i++) {
AccessControlEntry ac = oldAces.get(i);
// Just give an ID to all this acl's aces, rest of the fields are just
// copied
newAces.add(new AccessControlEntryImpl((i + 1), ac.getAcl(), ac
.getSid(), ac.getPermission(), ac.isGranting(),
((AuditableAccessControlEntry) ac).isAuditSuccess(),
newAces.add(new AccessControlEntryImpl((i + 1), ac.getAcl(), ac.getSid(), ac.getPermission(),
ac.isGranting(), ((AuditableAccessControlEntry) ac).isAuditSuccess(),
((AuditableAccessControlEntry) ac).isAuditFailure()));
}
}
catch (IllegalAccessException e) {
e.printStackTrace();
catch (IllegalAccessException ex) {
ex.printStackTrace();
}
return acl;
}
@Override
public List<ObjectIdentity> findChildren(ObjectIdentity parentIdentity) {
return null;
}
@Override
public Acl readAclById(ObjectIdentity object) throws NotFoundException {
return null;
}
public Acl readAclById(ObjectIdentity object, List<Sid> sids)
@Override
public Acl readAclById(ObjectIdentity object, List<Sid> sids) throws NotFoundException {
return null;
}
@Override
public Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects) throws NotFoundException {
return null;
}
@Override
public Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, List<Sid> sids)
throws NotFoundException {
return null;
}
public Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects)
throws NotFoundException {
return null;
}
public Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects,
List<Sid> sids) throws NotFoundException {
return null;
}
}
}

182
acl/src/test/java/org/springframework/security/acls/domain/AclImplementationSecurityCheckTests.java
View File

@ -13,11 +13,13 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import static org.assertj.core.api.Assertions.*;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.junit.*;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.MutableAcl;
@ -28,6 +30,8 @@ import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import static org.assertj.core.api.Assertions.fail;
/**
* Test class for {@link AclAuthorizationStrategyImpl} and {@link AclImpl} security
* checks.
@ -35,10 +39,8 @@ import org.springframework.security.core.context.SecurityContextHolder;
* @author Andrei Stefan
*/
public class AclImplementationSecurityCheckTests {
private static final String TARGET_CLASS = "org.springframework.security.acls.TargetObject";
// ~ Methods
// ========================================================================================================
private static final String TARGET_CLASS = "org.springframework.security.acls.TargetObject";
@Before
public void setUp() {
@ -52,50 +54,38 @@ public class AclImplementationSecurityCheckTests {
@Test
public void testSecurityCheckNoACEs() {
Authentication auth = new TestingAuthenticationToken("user", "password",
"ROLE_GENERAL", "ROLE_AUDITING", "ROLE_OWNERSHIP");
Authentication auth = new TestingAuthenticationToken("user", "password", "ROLE_GENERAL", "ROLE_AUDITING",
"ROLE_OWNERSHIP");
auth.setAuthenticated(true);
SecurityContextHolder.getContext().setAuthentication(auth);
ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, 100L);
AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(
new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority(
"ROLE_AUDITING"), new SimpleGrantedAuthority("ROLE_GENERAL"));
Acl acl = new AclImpl(identity, 1L, aclAuthorizationStrategy,
new ConsoleAuditLogger());
aclAuthorizationStrategy.securityCheck(acl,
AclAuthorizationStrategy.CHANGE_GENERAL);
aclAuthorizationStrategy.securityCheck(acl,
AclAuthorizationStrategy.CHANGE_AUDITING);
aclAuthorizationStrategy.securityCheck(acl,
AclAuthorizationStrategy.CHANGE_OWNERSHIP);
new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"),
new SimpleGrantedAuthority("ROLE_GENERAL"));
Acl acl = new AclImpl(identity, 1L, aclAuthorizationStrategy, new ConsoleAuditLogger());
aclAuthorizationStrategy.securityCheck(acl, AclAuthorizationStrategy.CHANGE_GENERAL);
aclAuthorizationStrategy.securityCheck(acl, AclAuthorizationStrategy.CHANGE_AUDITING);
aclAuthorizationStrategy.securityCheck(acl, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
// Create another authorization strategy
AclAuthorizationStrategy aclAuthorizationStrategy2 = new AclAuthorizationStrategyImpl(
new SimpleGrantedAuthority("ROLE_ONE"), new SimpleGrantedAuthority(
"ROLE_TWO"), new SimpleGrantedAuthority("ROLE_THREE"));
Acl acl2 = new AclImpl(identity, 1L, aclAuthorizationStrategy2,
new ConsoleAuditLogger());
new SimpleGrantedAuthority("ROLE_ONE"), new SimpleGrantedAuthority("ROLE_TWO"),
new SimpleGrantedAuthority("ROLE_THREE"));
Acl acl2 = new AclImpl(identity, 1L, aclAuthorizationStrategy2, new ConsoleAuditLogger());
// Check access in case the principal has no authorization rights
try {
aclAuthorizationStrategy2.securityCheck(acl2,
AclAuthorizationStrategy.CHANGE_GENERAL);
aclAuthorizationStrategy2.securityCheck(acl2, AclAuthorizationStrategy.CHANGE_GENERAL);
fail("It should have thrown NotFoundException");
}
catch (NotFoundException expected) {
}
try {
aclAuthorizationStrategy2.securityCheck(acl2,
AclAuthorizationStrategy.CHANGE_AUDITING);
aclAuthorizationStrategy2.securityCheck(acl2, AclAuthorizationStrategy.CHANGE_AUDITING);
fail("It should have thrown NotFoundException");
}
catch (NotFoundException expected) {
}
try {
aclAuthorizationStrategy2.securityCheck(acl2,
AclAuthorizationStrategy.CHANGE_OWNERSHIP);
aclAuthorizationStrategy2.securityCheck(acl2, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
fail("It should have thrown NotFoundException");
}
catch (NotFoundException expected) {
@ -105,100 +95,71 @@ public class AclImplementationSecurityCheckTests {
@Test
public void testSecurityCheckWithMultipleACEs() {
// Create a simple authentication with ROLE_GENERAL
Authentication auth = new TestingAuthenticationToken("user", "password",
"ROLE_GENERAL");
Authentication auth = new TestingAuthenticationToken("user", "password", "ROLE_GENERAL");
auth.setAuthenticated(true);
SecurityContextHolder.getContext().setAuthentication(auth);
ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, 100L);
// Authorization strategy will require a different role for each access
AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(
new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority(
"ROLE_AUDITING"), new SimpleGrantedAuthority("ROLE_GENERAL"));
new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"),
new SimpleGrantedAuthority("ROLE_GENERAL"));
// Let's give the principal the ADMINISTRATION permission, without
// granting access
MutableAcl aclFirstDeny = new AclImpl(identity, 1L,
aclAuthorizationStrategy, new ConsoleAuditLogger());
aclFirstDeny.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth),
false);
MutableAcl aclFirstDeny = new AclImpl(identity, 1L, aclAuthorizationStrategy, new ConsoleAuditLogger());
aclFirstDeny.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth), false);
// The CHANGE_GENERAL test should pass as the principal has ROLE_GENERAL
aclAuthorizationStrategy.securityCheck(aclFirstDeny,
AclAuthorizationStrategy.CHANGE_GENERAL);
aclAuthorizationStrategy.securityCheck(aclFirstDeny, AclAuthorizationStrategy.CHANGE_GENERAL);
// The CHANGE_AUDITING and CHANGE_OWNERSHIP should fail since the
// principal doesn't have these authorities,
// nor granting access
try {
aclAuthorizationStrategy.securityCheck(aclFirstDeny,
AclAuthorizationStrategy.CHANGE_AUDITING);
aclAuthorizationStrategy.securityCheck(aclFirstDeny, AclAuthorizationStrategy.CHANGE_AUDITING);
fail("It should have thrown AccessDeniedException");
}
catch (AccessDeniedException expected) {
}
try {
aclAuthorizationStrategy.securityCheck(aclFirstDeny,
AclAuthorizationStrategy.CHANGE_OWNERSHIP);
aclAuthorizationStrategy.securityCheck(aclFirstDeny, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
fail("It should have thrown AccessDeniedException");
}
catch (AccessDeniedException expected) {
}
// Add granting access to this principal
aclFirstDeny.insertAce(1, BasePermission.ADMINISTRATION, new PrincipalSid(auth),
true);
aclFirstDeny.insertAce(1, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true);
// and try again for CHANGE_AUDITING - the first ACE's granting flag
// (false) will deny this access
try {
aclAuthorizationStrategy.securityCheck(aclFirstDeny,
AclAuthorizationStrategy.CHANGE_AUDITING);
aclAuthorizationStrategy.securityCheck(aclFirstDeny, AclAuthorizationStrategy.CHANGE_AUDITING);
fail("It should have thrown AccessDeniedException");
}
catch (AccessDeniedException expected) {
}
// Create another ACL and give the principal the ADMINISTRATION
// permission, with granting access
MutableAcl aclFirstAllow = new AclImpl(identity, 1L,
aclAuthorizationStrategy, new ConsoleAuditLogger());
aclFirstAllow.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth),
true);
MutableAcl aclFirstAllow = new AclImpl(identity, 1L, aclAuthorizationStrategy, new ConsoleAuditLogger());
aclFirstAllow.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true);
// The CHANGE_AUDITING test should pass as there is one ACE with
// granting access
aclAuthorizationStrategy.securityCheck(aclFirstAllow,
AclAuthorizationStrategy.CHANGE_AUDITING);
aclAuthorizationStrategy.securityCheck(aclFirstAllow, AclAuthorizationStrategy.CHANGE_AUDITING);
// Add a deny ACE and test again for CHANGE_AUDITING
aclFirstAllow.insertAce(1, BasePermission.ADMINISTRATION, new PrincipalSid(auth),
false);
aclFirstAllow.insertAce(1, BasePermission.ADMINISTRATION, new PrincipalSid(auth), false);
try {
aclAuthorizationStrategy.securityCheck(aclFirstAllow,
AclAuthorizationStrategy.CHANGE_AUDITING);
aclAuthorizationStrategy.securityCheck(aclFirstAllow, AclAuthorizationStrategy.CHANGE_AUDITING);
}
catch (AccessDeniedException notExpected) {
fail("It shouldn't have thrown AccessDeniedException");
}
// Create an ACL with no ACE
MutableAcl aclNoACE = new AclImpl(identity, 1L,
aclAuthorizationStrategy, new ConsoleAuditLogger());
MutableAcl aclNoACE = new AclImpl(identity, 1L, aclAuthorizationStrategy, new ConsoleAuditLogger());
try {
aclAuthorizationStrategy.securityCheck(aclNoACE,
AclAuthorizationStrategy.CHANGE_AUDITING);
aclAuthorizationStrategy.securityCheck(aclNoACE, AclAuthorizationStrategy.CHANGE_AUDITING);
fail("It should have thrown NotFoundException");
}
catch (NotFoundException expected) {
}
// and still grant access for CHANGE_GENERAL
try {
aclAuthorizationStrategy.securityCheck(aclNoACE,
AclAuthorizationStrategy.CHANGE_GENERAL);
aclAuthorizationStrategy.securityCheck(aclNoACE, AclAuthorizationStrategy.CHANGE_GENERAL);
}
catch (NotFoundException expected) {
fail("It shouldn't have thrown NotFoundException");
@ -208,64 +169,46 @@ public class AclImplementationSecurityCheckTests {
@Test
public void testSecurityCheckWithInheritableACEs() {
// Create a simple authentication with ROLE_GENERAL
Authentication auth = new TestingAuthenticationToken("user", "password",
"ROLE_GENERAL");
Authentication auth = new TestingAuthenticationToken("user", "password", "ROLE_GENERAL");
auth.setAuthenticated(true);
SecurityContextHolder.getContext().setAuthentication(auth);
ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, 100);
// Authorization strategy will require a different role for each access
AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(
new SimpleGrantedAuthority("ROLE_ONE"), new SimpleGrantedAuthority(
"ROLE_TWO"), new SimpleGrantedAuthority("ROLE_GENERAL"));
new SimpleGrantedAuthority("ROLE_ONE"), new SimpleGrantedAuthority("ROLE_TWO"),
new SimpleGrantedAuthority("ROLE_GENERAL"));
// Let's give the principal an ADMINISTRATION permission, with granting
// access
MutableAcl parentAcl = new AclImpl(identity, 1, aclAuthorizationStrategy,
new ConsoleAuditLogger());
parentAcl.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth),
true);
MutableAcl childAcl = new AclImpl(identity, 2, aclAuthorizationStrategy,
new ConsoleAuditLogger());
MutableAcl parentAcl = new AclImpl(identity, 1, aclAuthorizationStrategy, new ConsoleAuditLogger());
parentAcl.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true);
MutableAcl childAcl = new AclImpl(identity, 2, aclAuthorizationStrategy, new ConsoleAuditLogger());
// Check against the 'child' acl, which doesn't offer any authorization
// rights on CHANGE_OWNERSHIP
try {
aclAuthorizationStrategy.securityCheck(childAcl,
AclAuthorizationStrategy.CHANGE_OWNERSHIP);
aclAuthorizationStrategy.securityCheck(childAcl, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
fail("It should have thrown NotFoundException");
}
catch (NotFoundException expected) {
}
// Link the child with its parent and test again against the
// CHANGE_OWNERSHIP right
childAcl.setParent(parentAcl);
childAcl.setEntriesInheriting(true);
try {
aclAuthorizationStrategy.securityCheck(childAcl,
AclAuthorizationStrategy.CHANGE_OWNERSHIP);
aclAuthorizationStrategy.securityCheck(childAcl, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
}
catch (NotFoundException expected) {
fail("It shouldn't have thrown NotFoundException");
}
// Create a root parent and link it to the middle parent
MutableAcl rootParentAcl = new AclImpl(identity, 1, aclAuthorizationStrategy,
new ConsoleAuditLogger());
parentAcl = new AclImpl(identity, 1, aclAuthorizationStrategy,
new ConsoleAuditLogger());
rootParentAcl.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth),
true);
MutableAcl rootParentAcl = new AclImpl(identity, 1, aclAuthorizationStrategy, new ConsoleAuditLogger());
parentAcl = new AclImpl(identity, 1, aclAuthorizationStrategy, new ConsoleAuditLogger());
rootParentAcl.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true);
parentAcl.setEntriesInheriting(true);
parentAcl.setParent(rootParentAcl);
childAcl.setParent(parentAcl);
try {
aclAuthorizationStrategy.securityCheck(childAcl,
AclAuthorizationStrategy.CHANGE_OWNERSHIP);
aclAuthorizationStrategy.securityCheck(childAcl, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
}
catch (NotFoundException expected) {
fail("It shouldn't have thrown NotFoundException");
@ -274,39 +217,34 @@ public class AclImplementationSecurityCheckTests {
@Test
public void testSecurityCheckPrincipalOwner() {
Authentication auth = new TestingAuthenticationToken("user", "password",
"ROLE_ONE");
Authentication auth = new TestingAuthenticationToken("user", "password", "ROLE_ONE");
auth.setAuthenticated(true);
SecurityContextHolder.getContext().setAuthentication(auth);
ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, 100);
AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(
new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority(
"ROLE_AUDITING"), new SimpleGrantedAuthority("ROLE_GENERAL"));
new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"),
new SimpleGrantedAuthority("ROLE_GENERAL"));
Acl acl = new AclImpl(identity, 1, aclAuthorizationStrategy,
new DefaultPermissionGrantingStrategy(new ConsoleAuditLogger()), null,
null, false, new PrincipalSid(auth));
new DefaultPermissionGrantingStrategy(new ConsoleAuditLogger()), null, null, false,
new PrincipalSid(auth));
try {
aclAuthorizationStrategy.securityCheck(acl,
AclAuthorizationStrategy.CHANGE_GENERAL);
aclAuthorizationStrategy.securityCheck(acl, AclAuthorizationStrategy.CHANGE_GENERAL);
}
catch (AccessDeniedException notExpected) {
fail("It shouldn't have thrown AccessDeniedException");
}
try {
aclAuthorizationStrategy.securityCheck(acl,
AclAuthorizationStrategy.CHANGE_AUDITING);
aclAuthorizationStrategy.securityCheck(acl, AclAuthorizationStrategy.CHANGE_AUDITING);
fail("It shouldn't have thrown AccessDeniedException");
}
catch (NotFoundException expected) {
}
try {
aclAuthorizationStrategy.securityCheck(acl,
AclAuthorizationStrategy.CHANGE_OWNERSHIP);
aclAuthorizationStrategy.securityCheck(acl, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
}
catch (AccessDeniedException notExpected) {
fail("It shouldn't have thrown AccessDeniedException");
}
}
}

66
acl/src/test/java/org/springframework/security/acls/domain/AuditLoggerTests.java
View File

@ -13,10 +13,8 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import static org.assertj.core.api.Assertions.*;
import static org.mockito.Mockito.*;
package org.springframework.security.acls.domain;
import java.io.ByteArrayOutputStream;
import java.io.PrintStream;
@ -24,72 +22,76 @@ import java.io.PrintStream;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.springframework.security.acls.model.AccessControlEntry;
import org.springframework.security.acls.model.AuditableAccessControlEntry;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock;
/**
* Test class for {@link ConsoleAuditLogger}.
*
* @author Andrei Stefan
*/
public class AuditLoggerTests {
// ~ Instance fields
// ================================================================================================
private PrintStream console;
private ByteArrayOutputStream bytes = new ByteArrayOutputStream();
private ConsoleAuditLogger logger;
private AuditableAccessControlEntry ace;
// ~ Methods
// ========================================================================================================
private PrintStream console;
private ByteArrayOutputStream bytes = new ByteArrayOutputStream();
private ConsoleAuditLogger logger;
private AuditableAccessControlEntry ace;
@Before
public void setUp() {
logger = new ConsoleAuditLogger();
ace = mock(AuditableAccessControlEntry.class);
console = System.out;
System.setOut(new PrintStream(bytes));
this.logger = new ConsoleAuditLogger();
this.ace = mock(AuditableAccessControlEntry.class);
this.console = System.out;
System.setOut(new PrintStream(this.bytes));
}
@After
public void tearDown() {
System.setOut(console);
bytes.reset();
System.setOut(this.console);
this.bytes.reset();
}
@Test
public void nonAuditableAceIsIgnored() {
AccessControlEntry ace = mock(AccessControlEntry.class);
logger.logIfNeeded(true, ace);
assertThat(bytes.size()).isZero();
this.logger.logIfNeeded(true, ace);
assertThat(this.bytes.size()).isZero();
}
@Test
public void successIsNotLoggedIfAceDoesntRequireSuccessAudit() {
when(ace.isAuditSuccess()).thenReturn(false);
logger.logIfNeeded(true, ace);
assertThat(bytes.size()).isZero();
given(this.ace.isAuditSuccess()).willReturn(false);
this.logger.logIfNeeded(true, this.ace);
assertThat(this.bytes.size()).isZero();
}
@Test
public void successIsLoggedIfAceRequiresSuccessAudit() {
when(ace.isAuditSuccess()).thenReturn(true);
logger.logIfNeeded(true, ace);
assertThat(bytes.toString()).startsWith("GRANTED due to ACE");
given(this.ace.isAuditSuccess()).willReturn(true);
this.logger.logIfNeeded(true, this.ace);
assertThat(this.bytes.toString()).startsWith("GRANTED due to ACE");
}
@Test
public void failureIsntLoggedIfAceDoesntRequireFailureAudit() {
when(ace.isAuditFailure()).thenReturn(false);
logger.logIfNeeded(false, ace);
assertThat(bytes.size()).isZero();
given(this.ace.isAuditFailure()).willReturn(false);
this.logger.logIfNeeded(false, this.ace);
assertThat(this.bytes.size()).isZero();
}
@Test
public void failureIsLoggedIfAceRequiresFailureAudit() {
when(ace.isAuditFailure()).thenReturn(true);
logger.logIfNeeded(false, ace);
assertThat(bytes.toString()).startsWith("DENIED due to ACE");
given(this.ace.isAuditFailure()).willReturn(true);
this.logger.logIfNeeded(false, this.ace);
assertThat(this.bytes.toString()).startsWith("DENIED due to ACE");
}
}

38
acl/src/test/java/org/springframework/security/acls/domain/ObjectIdentityImplTests.java
View File

@ -13,15 +13,16 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import static org.assertj.core.api.Assertions.*;
import org.junit.Test;
import org.springframework.security.acls.domain.IdentityUnavailableException;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.model.ObjectIdentity;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.fail;
/**
* Tests for {@link ObjectIdentityImpl}.
*
@ -32,9 +33,6 @@ public class ObjectIdentityImplTests {
private static final String DOMAIN_CLASS = "org.springframework.security.acls.domain.ObjectIdentityImplTests$MockIdDomainObject";
// ~ Methods
// ========================================================================================================
@Test
public void constructorsRespectRequiredFields() {
// Check one-argument constructor required field
@ -44,7 +42,6 @@ public class ObjectIdentityImplTests {
}
catch (IllegalArgumentException expected) {
}
// Check String-Serializable constructor required field
try {
new ObjectIdentityImpl("", 1L);
@ -52,7 +49,6 @@ public class ObjectIdentityImplTests {
}
catch (IllegalArgumentException expected) {
}
// Check Serializable parameter is not null
try {
new ObjectIdentityImpl(DOMAIN_CLASS, null);
@ -60,7 +56,6 @@ public class ObjectIdentityImplTests {
}
catch (IllegalArgumentException expected) {
}
// The correct way of using String-Serializable constructor
try {
new ObjectIdentityImpl(DOMAIN_CLASS, 1L);
@ -68,7 +63,6 @@ public class ObjectIdentityImplTests {
catch (IllegalArgumentException notExpected) {
fail("It shouldn't have thrown IllegalArgumentException");
}
// Check the Class-Serializable constructor
try {
new ObjectIdentityImpl(MockIdDomainObject.class, null);
@ -93,9 +87,7 @@ public class ObjectIdentityImplTests {
fail("It should have thrown IdentityUnavailableException");
}
catch (IdentityUnavailableException expected) {
}
// getId() should return a non-null value
MockIdDomainObject mockId = new MockIdDomainObject();
try {
@ -103,9 +95,7 @@ public class ObjectIdentityImplTests {
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
}
// getId() should return a Serializable object
mockId.setId(new MockIdDomainObject());
try {
@ -114,7 +104,6 @@ public class ObjectIdentityImplTests {
}
catch (IllegalArgumentException expected) {
}
// getId() should return a Serializable object
mockId.setId(100L);
try {
@ -134,15 +123,13 @@ public class ObjectIdentityImplTests {
ObjectIdentity obj = new ObjectIdentityImpl(DOMAIN_CLASS, 1L);
MockIdDomainObject mockObj = new MockIdDomainObject();
mockObj.setId(1L);
String string = "SOME_STRING";
assertThat(string).isNotSameAs(obj);
assertThat(obj).isNotNull();
assertThat(obj).isNotEqualTo("DIFFERENT_OBJECT_TYPE");
assertThat(obj).isNotEqualTo(new ObjectIdentityImpl(DOMAIN_CLASS, 2L));
assertThat(obj).isNotEqualTo(new ObjectIdentityImpl(
"org.springframework.security.acls.domain.ObjectIdentityImplTests$MockOtherIdDomainObject",
1L));
"org.springframework.security.acls.domain.ObjectIdentityImplTests$MockOtherIdDomainObject", 1L));
assertThat(new ObjectIdentityImpl(DOMAIN_CLASS, 1L)).isEqualTo(obj);
assertThat(new ObjectIdentityImpl(mockObj)).isEqualTo(obj);
}
@ -158,7 +145,6 @@ public class ObjectIdentityImplTests {
public void longAndIntegerIdsWithSameValueAreEqualAndHaveSameHashcode() {
ObjectIdentity obj = new ObjectIdentityImpl(Object.class, 5L);
ObjectIdentity obj2 = new ObjectIdentityImpl(Object.class, 5);
assertThat(obj2).isEqualTo(obj);
assertThat(obj2.hashCode()).isEqualTo(obj.hashCode());
}
@ -178,30 +164,32 @@ public class ObjectIdentityImplTests {
assertThat(obj).isNotEqualTo(obj2);
}
// ~ Inner Classes
// ==================================================================================================
private class MockIdDomainObject {
private Object id;
public Object getId() {
return id;
return this.id;
}
public void setId(Object id) {
this.id = id;
}
}
private class MockOtherIdDomainObject {
private Object id;
public Object getId() {
return id;
return this.id;
}
public void setId(Object id) {
this.id = id;
}
}
}

16
acl/src/test/java/org/springframework/security/acls/domain/ObjectIdentityRetrievalStrategyImplTests.java
View File

@ -13,14 +13,16 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import static org.assertj.core.api.Assertions.assertThat;
import org.junit.Test;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.ObjectIdentityRetrievalStrategy;
import static org.assertj.core.api.Assertions.assertThat;
/**
* Tests for {@link ObjectIdentityRetrievalStrategyImpl}
*
@ -28,33 +30,29 @@ import org.springframework.security.acls.model.ObjectIdentityRetrievalStrategy;
*/
public class ObjectIdentityRetrievalStrategyImplTests {
// ~ Methods
// ========================================================================================================
@Test
public void testObjectIdentityCreation() {
MockIdDomainObject domain = new MockIdDomainObject();
domain.setId(1);
ObjectIdentityRetrievalStrategy retStrategy = new ObjectIdentityRetrievalStrategyImpl();
ObjectIdentity identity = retStrategy.getObjectIdentity(domain);
assertThat(identity).isNotNull();
assertThat(new ObjectIdentityImpl(domain)).isEqualTo(identity);
}
// ~ Inner Classes
// ==================================================================================================
@SuppressWarnings("unused")
private class MockIdDomainObject {
private Object id;
public Object getId() {
return id;
return this.id;
}
public void setId(Object id) {
this.id = id;
}
}
}

72
acl/src/test/java/org/springframework/security/acls/domain/PermissionTests.java
View File

@ -13,14 +13,16 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import static org.assertj.core.api.Assertions.*;
package org.springframework.security.acls.domain;
import org.junit.Before;
import org.junit.Test;
import org.springframework.security.acls.model.Permission;
import static org.assertj.core.api.Assertions.assertThat;
/**
* Tests classes associated with Permission.
*
@ -32,12 +34,12 @@ public class PermissionTests {
@Before
public void createPermissionfactory() {
permissionFactory = new DefaultPermissionFactory();
this.permissionFactory = new DefaultPermissionFactory();
}
@Test
public void basePermissionTest() {
Permission p = permissionFactory.buildFromName("WRITE");
Permission p = this.permissionFactory.buildFromName("WRITE");
assertThat(p).isNotNull();
}
@ -45,53 +47,37 @@ public class PermissionTests {
public void expectedIntegerValues() {
assertThat(BasePermission.READ.getMask()).isEqualTo(1);
assertThat(BasePermission.ADMINISTRATION.getMask()).isEqualTo(16);
assertThat(
new CumulativePermission().set(BasePermission.READ)
.set(BasePermission.WRITE).set(BasePermission.CREATE).getMask())
.isEqualTo(7);
assertThat(
new CumulativePermission().set(BasePermission.READ)
.set(BasePermission.ADMINISTRATION).getMask())
.isEqualTo(17);
assertThat(new CumulativePermission().set(BasePermission.READ).set(BasePermission.WRITE)
.set(BasePermission.CREATE).getMask()).isEqualTo(7);
assertThat(new CumulativePermission().set(BasePermission.READ).set(BasePermission.ADMINISTRATION).getMask())
.isEqualTo(17);
}
@Test
public void fromInteger() {
Permission permission = permissionFactory.buildFromMask(7);
permission = permissionFactory.buildFromMask(4);
Permission permission = this.permissionFactory.buildFromMask(7);
permission = this.permissionFactory.buildFromMask(4);
}
@Test
public void stringConversion() {
permissionFactory.registerPublicPermissions(SpecialPermission.class);
assertThat(BasePermission.READ.toString())
.isEqualTo("BasePermission[...............................R=1]");
this.permissionFactory.registerPublicPermissions(SpecialPermission.class);
assertThat(BasePermission.READ.toString()).isEqualTo("BasePermission[...............................R=1]");
assertThat(BasePermission.ADMINISTRATION.toString())
.isEqualTo("BasePermission[...........................A....=16]");
assertThat(new CumulativePermission().set(BasePermission.READ).toString())
.isEqualTo("CumulativePermission[...............................R=1]");
assertThat(
BasePermission.ADMINISTRATION.toString())
.isEqualTo("BasePermission[...........................A....=16]");
assertThat(
new CumulativePermission().set(BasePermission.READ).toString())
.isEqualTo("CumulativePermission[...............................R=1]");
assertThat(new CumulativePermission().set(SpecialPermission.ENTER)
.set(BasePermission.ADMINISTRATION).toString())
.isEqualTo("CumulativePermission[..........................EA....=48]");
assertThat(new CumulativePermission().set(BasePermission.ADMINISTRATION)
.set(BasePermission.READ).toString())
.isEqualTo("CumulativePermission[...........................A...R=17]");
assertThat(new CumulativePermission().set(BasePermission.ADMINISTRATION)
.set(BasePermission.READ).clear(BasePermission.ADMINISTRATION)
.toString())
.isEqualTo("CumulativePermission[...............................R=1]");
assertThat(new CumulativePermission().set(BasePermission.ADMINISTRATION)
.set(BasePermission.READ).clear(BasePermission.ADMINISTRATION)
.clear(BasePermission.READ).toString())
.isEqualTo("CumulativePermission[................................=0]");
new CumulativePermission().set(SpecialPermission.ENTER).set(BasePermission.ADMINISTRATION).toString())
.isEqualTo("CumulativePermission[..........................EA....=48]");
assertThat(new CumulativePermission().set(BasePermission.ADMINISTRATION).set(BasePermission.READ).toString())
.isEqualTo("CumulativePermission[...........................A...R=17]");
assertThat(new CumulativePermission().set(BasePermission.ADMINISTRATION).set(BasePermission.READ)
.clear(BasePermission.ADMINISTRATION).toString())
.isEqualTo("CumulativePermission[...............................R=1]");
assertThat(new CumulativePermission().set(BasePermission.ADMINISTRATION).set(BasePermission.READ)
.clear(BasePermission.ADMINISTRATION).clear(BasePermission.READ).toString())
.isEqualTo("CumulativePermission[................................=0]");
}
}

4
acl/src/test/java/org/springframework/security/acls/domain/SpecialPermission.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.domain;
import org.springframework.security.acls.model.Permission;
@ -23,10 +24,13 @@ import org.springframework.security.acls.model.Permission;
* @author Ben Alex
*/
public class SpecialPermission extends BasePermission {
public static final Permission ENTER = new SpecialPermission(1 << 5, 'E'); // 32
public static final Permission LEAVE = new SpecialPermission(1 << 6, 'L');
protected SpecialPermission(int mask, char code) {
super(mask, code);
}
}

145
acl/src/test/java/org/springframework/security/acls/jdbc/AbstractBasicLookupStrategyTests.java
View File

@ -13,19 +13,38 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.jdbc;
import static org.assertj.core.api.Assertions.*;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import javax.sql.DataSource;
import net.sf.ehcache.Cache;
import net.sf.ehcache.CacheManager;
import net.sf.ehcache.Ehcache;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.*;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.acls.TargetObject;
import org.springframework.security.acls.TargetObjectWithUUID;
import org.springframework.security.acls.domain.*;
import org.springframework.security.acls.domain.AclAuthorizationStrategy;
import org.springframework.security.acls.domain.AclAuthorizationStrategyImpl;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.ConsoleAuditLogger;
import org.springframework.security.acls.domain.DefaultPermissionFactory;
import org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy;
import org.springframework.security.acls.domain.EhCacheBasedAclCache;
import org.springframework.security.acls.domain.GrantedAuthoritySid;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.AuditableAccessControlEntry;
import org.springframework.security.acls.model.MutableAcl;
@ -35,9 +54,8 @@ import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import java.util.*;
import javax.sql.DataSource;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.fail;
/**
* Tests {@link BasicLookupStrategy}
@ -47,19 +65,18 @@ import javax.sql.DataSource;
public abstract class AbstractBasicLookupStrategyTests {
protected static final Sid BEN_SID = new PrincipalSid("ben");
protected static final String TARGET_CLASS = TargetObject.class.getName();
protected static final String TARGET_CLASS_WITH_UUID = TargetObjectWithUUID.class.getName();
protected static final UUID OBJECT_IDENTITY_UUID = UUID.randomUUID();
protected static final Long OBJECT_IDENTITY_LONG_AS_UUID = 110L;
// ~ Instance fields
// ================================================================================================
private BasicLookupStrategy strategy;
private static CacheManager cacheManager;
// ~ Methods
// ========================================================================================================
private static CacheManager cacheManager;
public abstract JdbcTemplate getJdbcTemplate();
@ -80,44 +97,41 @@ public abstract class AbstractBasicLookupStrategyTests {
@Before
public void populateDatabase() {
String query = "INSERT INTO acl_sid(ID,PRINCIPAL,SID) VALUES (1,1,'ben');"
+ "INSERT INTO acl_class(ID,CLASS) VALUES (2,'" + TARGET_CLASS + "');"
+ "INSERT INTO acl_object_identity(ID,OBJECT_ID_CLASS,OBJECT_ID_IDENTITY,PARENT_OBJECT,OWNER_SID,ENTRIES_INHERITING) VALUES (1,2,100,null,1,1);"
+ "INSERT INTO acl_object_identity(ID,OBJECT_ID_CLASS,OBJECT_ID_IDENTITY,PARENT_OBJECT,OWNER_SID,ENTRIES_INHERITING) VALUES (2,2,101,1,1,1);"
+ "INSERT INTO acl_object_identity(ID,OBJECT_ID_CLASS,OBJECT_ID_IDENTITY,PARENT_OBJECT,OWNER_SID,ENTRIES_INHERITING) VALUES (3,2,102,2,1,1);"
+ "INSERT INTO acl_entry(ID,ACL_OBJECT_IDENTITY,ACE_ORDER,SID,MASK,GRANTING,AUDIT_SUCCESS,AUDIT_FAILURE) VALUES (1,1,0,1,1,1,0,0);"
+ "INSERT INTO acl_entry(ID,ACL_OBJECT_IDENTITY,ACE_ORDER,SID,MASK,GRANTING,AUDIT_SUCCESS,AUDIT_FAILURE) VALUES (2,1,1,1,2,0,0,0);"
+ "INSERT INTO acl_entry(ID,ACL_OBJECT_IDENTITY,ACE_ORDER,SID,MASK,GRANTING,AUDIT_SUCCESS,AUDIT_FAILURE) VALUES (3,2,0,1,8,1,0,0);"
+ "INSERT INTO acl_entry(ID,ACL_OBJECT_IDENTITY,ACE_ORDER,SID,MASK,GRANTING,AUDIT_SUCCESS,AUDIT_FAILURE) VALUES (4,3,0,1,8,0,0,0);";
+ "INSERT INTO acl_class(ID,CLASS) VALUES (2,'" + TARGET_CLASS + "');"
+ "INSERT INTO acl_object_identity(ID,OBJECT_ID_CLASS,OBJECT_ID_IDENTITY,PARENT_OBJECT,OWNER_SID,ENTRIES_INHERITING) VALUES (1,2,100,null,1,1);"
+ "INSERT INTO acl_object_identity(ID,OBJECT_ID_CLASS,OBJECT_ID_IDENTITY,PARENT_OBJECT,OWNER_SID,ENTRIES_INHERITING) VALUES (2,2,101,1,1,1);"
+ "INSERT INTO acl_object_identity(ID,OBJECT_ID_CLASS,OBJECT_ID_IDENTITY,PARENT_OBJECT,OWNER_SID,ENTRIES_INHERITING) VALUES (3,2,102,2,1,1);"
+ "INSERT INTO acl_entry(ID,ACL_OBJECT_IDENTITY,ACE_ORDER,SID,MASK,GRANTING,AUDIT_SUCCESS,AUDIT_FAILURE) VALUES (1,1,0,1,1,1,0,0);"
+ "INSERT INTO acl_entry(ID,ACL_OBJECT_IDENTITY,ACE_ORDER,SID,MASK,GRANTING,AUDIT_SUCCESS,AUDIT_FAILURE) VALUES (2,1,1,1,2,0,0,0);"
+ "INSERT INTO acl_entry(ID,ACL_OBJECT_IDENTITY,ACE_ORDER,SID,MASK,GRANTING,AUDIT_SUCCESS,AUDIT_FAILURE) VALUES (3,2,0,1,8,1,0,0);"
+ "INSERT INTO acl_entry(ID,ACL_OBJECT_IDENTITY,ACE_ORDER,SID,MASK,GRANTING,AUDIT_SUCCESS,AUDIT_FAILURE) VALUES (4,3,0,1,8,0,0,0);";
getJdbcTemplate().execute(query);
}
@Before
public void initializeBeans() {
strategy = new BasicLookupStrategy(getDataSource(), aclCache(), aclAuthStrategy(),
new DefaultPermissionGrantingStrategy(new ConsoleAuditLogger()));
strategy.setPermissionFactory(new DefaultPermissionFactory());
this.strategy = new BasicLookupStrategy(getDataSource(), aclCache(), aclAuthStrategy(),
new DefaultPermissionGrantingStrategy(new ConsoleAuditLogger()));
this.strategy.setPermissionFactory(new DefaultPermissionFactory());
}
protected AclAuthorizationStrategy aclAuthStrategy() {
return new AclAuthorizationStrategyImpl(
new SimpleGrantedAuthority("ROLE_ADMINISTRATOR"));
return new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_ADMINISTRATOR"));
}
protected EhCacheBasedAclCache aclCache() {
return new EhCacheBasedAclCache(getCache(),
new DefaultPermissionGrantingStrategy(new ConsoleAuditLogger()),
new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_USER")));
return new EhCacheBasedAclCache(getCache(), new DefaultPermissionGrantingStrategy(new ConsoleAuditLogger()),
new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_USER")));
}
@After
public void emptyDatabase() {
String query = "DELETE FROM acl_entry;" + "DELETE FROM acl_object_identity WHERE ID = 9;"
+ "DELETE FROM acl_object_identity WHERE ID = 8;" + "DELETE FROM acl_object_identity WHERE ID = 7;"
+ "DELETE FROM acl_object_identity WHERE ID = 6;" + "DELETE FROM acl_object_identity WHERE ID = 5;"
+ "DELETE FROM acl_object_identity WHERE ID = 4;" + "DELETE FROM acl_object_identity WHERE ID = 3;"
+ "DELETE FROM acl_object_identity WHERE ID = 2;" + "DELETE FROM acl_object_identity WHERE ID = 1;"
+ "DELETE FROM acl_class;" + "DELETE FROM acl_sid;";
+ "DELETE FROM acl_object_identity WHERE ID = 8;" + "DELETE FROM acl_object_identity WHERE ID = 7;"
+ "DELETE FROM acl_object_identity WHERE ID = 6;" + "DELETE FROM acl_object_identity WHERE ID = 5;"
+ "DELETE FROM acl_object_identity WHERE ID = 4;" + "DELETE FROM acl_object_identity WHERE ID = 3;"
+ "DELETE FROM acl_object_identity WHERE ID = 2;" + "DELETE FROM acl_object_identity WHERE ID = 1;"
+ "DELETE FROM acl_class;" + "DELETE FROM acl_sid;";
getJdbcTemplate().execute(query);
}
@ -133,9 +147,8 @@ public abstract class AbstractBasicLookupStrategyTests {
ObjectIdentity middleParentOid = new ObjectIdentityImpl(TARGET_CLASS, 101L);
// Deliberately use an integer for the child, to reproduce bug report in SEC-819
ObjectIdentity childOid = new ObjectIdentityImpl(TARGET_CLASS, 102);
Map<ObjectIdentity, Acl> map = this.strategy
.readAclsById(Arrays.asList(topParentOid, middleParentOid, childOid), null);
.readAclsById(Arrays.asList(topParentOid, middleParentOid, childOid), null);
checkEntries(topParentOid, middleParentOid, childOid, map);
}
@ -144,15 +157,12 @@ public abstract class AbstractBasicLookupStrategyTests {
ObjectIdentity topParentOid = new ObjectIdentityImpl(TARGET_CLASS, 100);
ObjectIdentity middleParentOid = new ObjectIdentityImpl(TARGET_CLASS, 101L);
ObjectIdentity childOid = new ObjectIdentityImpl(TARGET_CLASS, 102L);
// Objects were put in cache
strategy.readAclsById(Arrays.asList(topParentOid, middleParentOid, childOid), null);
this.strategy.readAclsById(Arrays.asList(topParentOid, middleParentOid, childOid), null);
// Let's empty the database to force acls retrieval from cache
emptyDatabase();
Map<ObjectIdentity, Acl> map = this.strategy
.readAclsById(Arrays.asList(topParentOid, middleParentOid, childOid), null);
.readAclsById(Arrays.asList(topParentOid, middleParentOid, childOid), null);
checkEntries(topParentOid, middleParentOid, childOid, map);
}
@ -161,43 +171,36 @@ public abstract class AbstractBasicLookupStrategyTests {
ObjectIdentity topParentOid = new ObjectIdentityImpl(TARGET_CLASS, 100L);
ObjectIdentity middleParentOid = new ObjectIdentityImpl(TARGET_CLASS, 101);
ObjectIdentity childOid = new ObjectIdentityImpl(TARGET_CLASS, 102L);
// Set a batch size to allow multiple database queries in order to retrieve all
// acls
this.strategy.setBatchSize(1);
Map<ObjectIdentity, Acl> map = this.strategy
.readAclsById(Arrays.asList(topParentOid, middleParentOid, childOid), null);
.readAclsById(Arrays.asList(topParentOid, middleParentOid, childOid), null);
checkEntries(topParentOid, middleParentOid, childOid, map);
}
private void checkEntries(ObjectIdentity topParentOid, ObjectIdentity middleParentOid, ObjectIdentity childOid,
Map<ObjectIdentity, Acl> map) {
Map<ObjectIdentity, Acl> map) {
assertThat(map).hasSize(3);
MutableAcl topParent = (MutableAcl) map.get(topParentOid);
MutableAcl middleParent = (MutableAcl) map.get(middleParentOid);
MutableAcl child = (MutableAcl) map.get(childOid);
// Check the retrieved versions has IDs
assertThat(topParent.getId()).isNotNull();
assertThat(middleParent.getId()).isNotNull();
assertThat(child.getId()).isNotNull();
// Check their parents were correctly retrieved
assertThat(topParent.getParentAcl()).isNull();
assertThat(middleParent.getParentAcl().getObjectIdentity()).isEqualTo(topParentOid);
assertThat(child.getParentAcl().getObjectIdentity()).isEqualTo(middleParentOid);
// Check their ACEs were correctly retrieved
assertThat(topParent.getEntries()).hasSize(2);
assertThat(middleParent.getEntries()).hasSize(1);
assertThat(child.getEntries()).hasSize(1);
// Check object identities were correctly retrieved
assertThat(topParent.getObjectIdentity()).isEqualTo(topParentOid);
assertThat(middleParent.getObjectIdentity()).isEqualTo(middleParentOid);
assertThat(child.getObjectIdentity()).isEqualTo(childOid);
// Check each entry
assertThat(topParent.isEntriesInheriting()).isTrue();
assertThat(Long.valueOf(1)).isEqualTo(topParent.getId());
@ -208,14 +211,12 @@ public abstract class AbstractBasicLookupStrategyTests {
assertThat(((AuditableAccessControlEntry) topParent.getEntries().get(0)).isAuditFailure()).isFalse();
assertThat(((AuditableAccessControlEntry) topParent.getEntries().get(0)).isAuditSuccess()).isFalse();
assertThat((topParent.getEntries().get(0)).isGranting()).isTrue();
assertThat(Long.valueOf(2)).isEqualTo(topParent.getEntries().get(1).getId());
assertThat(topParent.getEntries().get(1).getPermission()).isEqualTo(BasePermission.WRITE);
assertThat(topParent.getEntries().get(1).getSid()).isEqualTo(new PrincipalSid("ben"));
assertThat(((AuditableAccessControlEntry) topParent.getEntries().get(1)).isAuditFailure()).isFalse();
assertThat(((AuditableAccessControlEntry) topParent.getEntries().get(1)).isAuditSuccess()).isFalse();
assertThat(topParent.getEntries().get(1).isGranting()).isFalse();
assertThat(middleParent.isEntriesInheriting()).isTrue();
assertThat(Long.valueOf(2)).isEqualTo(middleParent.getId());
assertThat(new PrincipalSid("ben")).isEqualTo(middleParent.getOwner());
@ -225,7 +226,6 @@ public abstract class AbstractBasicLookupStrategyTests {
assertThat(((AuditableAccessControlEntry) middleParent.getEntries().get(0)).isAuditFailure()).isFalse();
assertThat(((AuditableAccessControlEntry) middleParent.getEntries().get(0)).isAuditSuccess()).isFalse();
assertThat(middleParent.getEntries().get(0).isGranting()).isTrue();
assertThat(child.isEntriesInheriting()).isTrue();
assertThat(Long.valueOf(3)).isEqualTo(child.getId());
assertThat(new PrincipalSid("ben")).isEqualTo(child.getOwner());
@ -241,15 +241,12 @@ public abstract class AbstractBasicLookupStrategyTests {
public void testAllParentsAreRetrievedWhenChildIsLoaded() {
String query = "INSERT INTO acl_object_identity(ID,OBJECT_ID_CLASS,OBJECT_ID_IDENTITY,PARENT_OBJECT,OWNER_SID,ENTRIES_INHERITING) VALUES (6,2,103,1,1,1);";
getJdbcTemplate().execute(query);
ObjectIdentity topParentOid = new ObjectIdentityImpl(TARGET_CLASS, 100L);
ObjectIdentity middleParentOid = new ObjectIdentityImpl(TARGET_CLASS, 101L);
ObjectIdentity childOid = new ObjectIdentityImpl(TARGET_CLASS, 102L);
ObjectIdentity middleParent2Oid = new ObjectIdentityImpl(TARGET_CLASS, 103L);
// Retrieve the child
Map<ObjectIdentity, Acl> map = this.strategy.readAclsById(Arrays.asList(childOid), null);
// Check that the child and all its parents were retrieved
assertThat(map.get(childOid)).isNotNull();
assertThat(map.get(childOid).getObjectIdentity()).isEqualTo(childOid);
@ -257,7 +254,6 @@ public abstract class AbstractBasicLookupStrategyTests {
assertThat(map.get(middleParentOid).getObjectIdentity()).isEqualTo(middleParentOid);
assertThat(map.get(topParentOid)).isNotNull();
assertThat(map.get(topParentOid).getObjectIdentity()).isEqualTo(topParentOid);
// The second parent shouldn't have been retrieved
assertThat(map.get(middleParent2Oid)).isNull();
}
@ -268,31 +264,26 @@ public abstract class AbstractBasicLookupStrategyTests {
@Test
public void testReadAllObjectIdentitiesWhenLastElementIsAlreadyCached() {
String query = "INSERT INTO acl_object_identity(ID,OBJECT_ID_CLASS,OBJECT_ID_IDENTITY,PARENT_OBJECT,OWNER_SID,ENTRIES_INHERITING) VALUES (6,2,105,null,1,1);"
+ "INSERT INTO acl_object_identity(ID,OBJECT_ID_CLASS,OBJECT_ID_IDENTITY,PARENT_OBJECT,OWNER_SID,ENTRIES_INHERITING) VALUES (7,2,106,6,1,1);"
+ "INSERT INTO acl_object_identity(ID,OBJECT_ID_CLASS,OBJECT_ID_IDENTITY,PARENT_OBJECT,OWNER_SID,ENTRIES_INHERITING) VALUES (8,2,107,6,1,1);"
+ "INSERT INTO acl_object_identity(ID,OBJECT_ID_CLASS,OBJECT_ID_IDENTITY,PARENT_OBJECT,OWNER_SID,ENTRIES_INHERITING) VALUES (9,2,108,7,1,1);"
+ "INSERT INTO acl_entry(ID,ACL_OBJECT_IDENTITY,ACE_ORDER,SID,MASK,GRANTING,AUDIT_SUCCESS,AUDIT_FAILURE) VALUES (7,6,0,1,1,1,0,0)";
+ "INSERT INTO acl_object_identity(ID,OBJECT_ID_CLASS,OBJECT_ID_IDENTITY,PARENT_OBJECT,OWNER_SID,ENTRIES_INHERITING) VALUES (7,2,106,6,1,1);"
+ "INSERT INTO acl_object_identity(ID,OBJECT_ID_CLASS,OBJECT_ID_IDENTITY,PARENT_OBJECT,OWNER_SID,ENTRIES_INHERITING) VALUES (8,2,107,6,1,1);"
+ "INSERT INTO acl_object_identity(ID,OBJECT_ID_CLASS,OBJECT_ID_IDENTITY,PARENT_OBJECT,OWNER_SID,ENTRIES_INHERITING) VALUES (9,2,108,7,1,1);"
+ "INSERT INTO acl_entry(ID,ACL_OBJECT_IDENTITY,ACE_ORDER,SID,MASK,GRANTING,AUDIT_SUCCESS,AUDIT_FAILURE) VALUES (7,6,0,1,1,1,0,0)";
getJdbcTemplate().execute(query);
ObjectIdentity grandParentOid = new ObjectIdentityImpl(TARGET_CLASS, 104L);
ObjectIdentity parent1Oid = new ObjectIdentityImpl(TARGET_CLASS, 105L);
ObjectIdentity parent2Oid = new ObjectIdentityImpl(TARGET_CLASS, 106);
ObjectIdentity childOid = new ObjectIdentityImpl(TARGET_CLASS, 107);
// First lookup only child, thus populating the cache with grandParent,
// parent1
// and child
List<Permission> checkPermission = Arrays.asList(BasePermission.READ);
List<Sid> sids = Arrays.asList(BEN_SID);
List<ObjectIdentity> childOids = Arrays.asList(childOid);
strategy.setBatchSize(6);
Map<ObjectIdentity, Acl> foundAcls = strategy.readAclsById(childOids, sids);
this.strategy.setBatchSize(6);
Map<ObjectIdentity, Acl> foundAcls = this.strategy.readAclsById(childOids, sids);
Acl foundChildAcl = foundAcls.get(childOid);
assertThat(foundChildAcl).isNotNull();
assertThat(foundChildAcl.isGranted(checkPermission, sids, false)).isTrue();
// Search for object identities has to be done in the following order:
// last
// element have to be one which
@ -300,12 +291,11 @@ public abstract class AbstractBasicLookupStrategyTests {
// cache
List<ObjectIdentity> allOids = Arrays.asList(grandParentOid, parent1Oid, parent2Oid, childOid);
try {
foundAcls = strategy.readAclsById(allOids, sids);
} catch (NotFoundException notExpected) {
foundAcls = this.strategy.readAclsById(allOids, sids);
}
catch (NotFoundException notExpected) {
fail("It shouldn't have thrown NotFoundException");
}
Acl foundParent2Acl = foundAcls.get(parent2Oid);
assertThat(foundParent2Acl).isNotNull();
assertThat(foundParent2Acl.isGranted(checkPermission, sids, false)).isTrue();
@ -314,26 +304,21 @@ public abstract class AbstractBasicLookupStrategyTests {
@Test(expected = IllegalArgumentException.class)
public void nullOwnerIsNotSupported() {
String query = "INSERT INTO acl_object_identity(ID,OBJECT_ID_CLASS,OBJECT_ID_IDENTITY,PARENT_OBJECT,OWNER_SID,ENTRIES_INHERITING) VALUES (6,2,104,null,null,1);";
getJdbcTemplate().execute(query);
ObjectIdentity oid = new ObjectIdentityImpl(TARGET_CLASS, 104L);
strategy.readAclsById(Arrays.asList(oid), Arrays.asList(BEN_SID));
this.strategy.readAclsById(Arrays.asList(oid), Arrays.asList(BEN_SID));
}
@Test
public void testCreatePrincipalSid() {
Sid result = strategy.createSid(true, "sid");
Sid result = this.strategy.createSid(true, "sid");
assertThat(result.getClass()).isEqualTo(PrincipalSid.class);
assertThat(((PrincipalSid) result).getPrincipal()).isEqualTo("sid");
}
@Test
public void testCreateGrantedAuthority() {
Sid result = strategy.createSid(false, "sid");
Sid result = this.strategy.createSid(false, "sid");
assertThat(result.getClass()).isEqualTo(GrantedAuthoritySid.class);
assertThat(((GrantedAuthoritySid) result).getGrantedAuthority()).isEqualTo("sid");
}

107
acl/src/test/java/org/springframework/security/acls/jdbc/AclClassIdUtilsTest.java → acl/src/test/java/org/springframework/security/acls/jdbc/AclClassIdUtilsTests.java
View File

@ -13,38 +13,43 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.jdbc;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;
import org.springframework.core.convert.ConversionService;
import java.io.Serializable;
import java.math.BigInteger;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.UUID;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;
import org.springframework.core.convert.ConversionService;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.BDDMockito.given;
/**
* Tests for {@link AclClassIdUtils}.
*
* @author paulwheeler
*/
@RunWith(MockitoJUnitRunner.class)
public class AclClassIdUtilsTest {
public class AclClassIdUtilsTests {
private static final Long DEFAULT_IDENTIFIER = 999L;
private static final BigInteger BIGINT_IDENTIFIER = new BigInteger("999");
private static final String DEFAULT_IDENTIFIER_AS_STRING = DEFAULT_IDENTIFIER.toString();
@Mock
private ResultSet resultSet;
@Mock
private ConversionService conversionService;
@ -52,124 +57,82 @@ public class AclClassIdUtilsTest {
@Before
public void setUp() {
aclClassIdUtils = new AclClassIdUtils();
this.aclClassIdUtils = new AclClassIdUtils();
}
@Test
public void shouldReturnLongIfIdentifierIsLong() throws SQLException {
// when
Serializable newIdentifier = aclClassIdUtils.identifierFrom(DEFAULT_IDENTIFIER, resultSet);
// then
Serializable newIdentifier = this.aclClassIdUtils.identifierFrom(DEFAULT_IDENTIFIER, this.resultSet);
assertThat(newIdentifier).isEqualTo(DEFAULT_IDENTIFIER);
}
@Test
public void shouldReturnLongIfIdentifierIsBigInteger() throws SQLException {
// when
Serializable newIdentifier = aclClassIdUtils.identifierFrom(BIGINT_IDENTIFIER, resultSet);
// then
Serializable newIdentifier = this.aclClassIdUtils.identifierFrom(BIGINT_IDENTIFIER, this.resultSet);
assertThat(newIdentifier).isEqualTo(DEFAULT_IDENTIFIER);
}
@Test
public void shouldReturnLongIfClassIdTypeIsNull() throws SQLException {
// given
given(resultSet.getString("class_id_type")).willReturn(null);
// when
Serializable newIdentifier = aclClassIdUtils.identifierFrom(DEFAULT_IDENTIFIER_AS_STRING, resultSet);
// then
given(this.resultSet.getString("class_id_type")).willReturn(null);
Serializable newIdentifier = this.aclClassIdUtils.identifierFrom(DEFAULT_IDENTIFIER_AS_STRING, this.resultSet);
assertThat(newIdentifier).isEqualTo(DEFAULT_IDENTIFIER);
}
@Test
public void shouldReturnLongIfNoClassIdTypeColumn() throws SQLException {
// given
given(resultSet.getString("class_id_type")).willThrow(SQLException.class);
// when
Serializable newIdentifier = aclClassIdUtils.identifierFrom(DEFAULT_IDENTIFIER_AS_STRING, resultSet);
// then
given(this.resultSet.getString("class_id_type")).willThrow(SQLException.class);
Serializable newIdentifier = this.aclClassIdUtils.identifierFrom(DEFAULT_IDENTIFIER_AS_STRING, this.resultSet);
assertThat(newIdentifier).isEqualTo(DEFAULT_IDENTIFIER);
}
@Test
public void shouldReturnLongIfTypeClassNotFound() throws SQLException {
// given
given(resultSet.getString("class_id_type")).willReturn("com.example.UnknownType");
// when
Serializable newIdentifier = aclClassIdUtils.identifierFrom(DEFAULT_IDENTIFIER_AS_STRING, resultSet);
// then
given(this.resultSet.getString("class_id_type")).willReturn("com.example.UnknownType");
Serializable newIdentifier = this.aclClassIdUtils.identifierFrom(DEFAULT_IDENTIFIER_AS_STRING, this.resultSet);
assertThat(newIdentifier).isEqualTo(DEFAULT_IDENTIFIER);
}
@Test
public void shouldReturnLongEvenIfCustomConversionServiceDoesNotSupportLongConversion() throws SQLException {
// given
given(resultSet.getString("class_id_type")).willReturn("java.lang.Long");
given(conversionService.canConvert(String.class, Long.class)).willReturn(false);
aclClassIdUtils.setConversionService(conversionService);
// when
Serializable newIdentifier = aclClassIdUtils.identifierFrom(DEFAULT_IDENTIFIER_AS_STRING, resultSet);
// then
given(this.resultSet.getString("class_id_type")).willReturn("java.lang.Long");
given(this.conversionService.canConvert(String.class, Long.class)).willReturn(false);
this.aclClassIdUtils.setConversionService(this.conversionService);
Serializable newIdentifier = this.aclClassIdUtils.identifierFrom(DEFAULT_IDENTIFIER_AS_STRING, this.resultSet);
assertThat(newIdentifier).isEqualTo(DEFAULT_IDENTIFIER);
}
@Test
public void shouldReturnLongWhenLongClassIdType() throws SQLException {
// given
given(resultSet.getString("class_id_type")).willReturn("java.lang.Long");
// when
Serializable newIdentifier = aclClassIdUtils.identifierFrom(DEFAULT_IDENTIFIER_AS_STRING, resultSet);
// then
given(this.resultSet.getString("class_id_type")).willReturn("java.lang.Long");
Serializable newIdentifier = this.aclClassIdUtils.identifierFrom(DEFAULT_IDENTIFIER_AS_STRING, this.resultSet);
assertThat(newIdentifier).isEqualTo(DEFAULT_IDENTIFIER);
}
@Test
public void shouldReturnUUIDWhenUUIDClassIdType() throws SQLException {
// given
UUID identifier = UUID.randomUUID();
given(resultSet.getString("class_id_type")).willReturn("java.util.UUID");
// when
Serializable newIdentifier = aclClassIdUtils.identifierFrom(identifier.toString(), resultSet);
// then
given(this.resultSet.getString("class_id_type")).willReturn("java.util.UUID");
Serializable newIdentifier = this.aclClassIdUtils.identifierFrom(identifier.toString(), this.resultSet);
assertThat(newIdentifier).isEqualTo(identifier);
}
@Test
public void shouldReturnStringWhenStringClassIdType() throws SQLException {
// given
String identifier = "MY_STRING_IDENTIFIER";
given(resultSet.getString("class_id_type")).willReturn("java.lang.String");
// when
Serializable newIdentifier = aclClassIdUtils.identifierFrom(identifier, resultSet);
// then
given(this.resultSet.getString("class_id_type")).willReturn("java.lang.String");
Serializable newIdentifier = this.aclClassIdUtils.identifierFrom(identifier, this.resultSet);
assertThat(newIdentifier).isEqualTo(identifier);
}
@Test(expected = IllegalArgumentException.class)
public void shouldNotAcceptNullConversionServiceInConstruction() {
// when
new AclClassIdUtils(null);
}
@Test(expected = IllegalArgumentException.class)
public void shouldNotAcceptNullConversionServiceInSetter() {
// when
aclClassIdUtils.setConversionService(null);
this.aclClassIdUtils.setConversionService(null);
}
}

5
acl/src/test/java/org/springframework/security/acls/jdbc/BasicLookupStrategyTests.java
View File

@ -13,12 +13,14 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.jdbc;
import javax.sql.DataSource;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.springframework.jdbc.core.JdbcTemplate;
/**
@ -28,8 +30,8 @@ import org.springframework.jdbc.core.JdbcTemplate;
* @author Paul Wheeler
*/
public class BasicLookupStrategyTests extends AbstractBasicLookupStrategyTests {
private static final BasicLookupStrategyTestsDbHelper DATABASE_HELPER = new BasicLookupStrategyTestsDbHelper();
private static final BasicLookupStrategyTestsDbHelper DATABASE_HELPER = new BasicLookupStrategyTestsDbHelper();
@BeforeClass
public static void createDatabase() throws Exception {
@ -50,4 +52,5 @@ public class BasicLookupStrategyTests extends AbstractBasicLookupStrategyTests {
public DataSource getDataSource() {
return DATABASE_HELPER.getDataSource();
}
}

26
acl/src/test/java/org/springframework/security/acls/jdbc/BasicLookupStrategyTestsDbHelper.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.jdbc;
import org.springframework.core.io.ClassPathResource;
@ -23,15 +24,20 @@ import org.springframework.util.FileCopyUtils;
/**
* Helper class to initialize the database for BasicLookupStrategyTests.
*
* @author Andrei Stefan
* @author Paul Wheeler
*/
public class BasicLookupStrategyTestsDbHelper {
private static final String ACL_SCHEMA_SQL_FILE = "createAclSchema.sql";
private static final String ACL_SCHEMA_SQL_FILE_WITH_ACL_CLASS_ID = "createAclSchemaWithAclClassIdType.sql";
private SingleConnectionDataSource dataSource;
private JdbcTemplate jdbcTemplate;
private boolean withAclClassIdType;
public BasicLookupStrategyTestsDbHelper() {
@ -45,28 +51,28 @@ public class BasicLookupStrategyTestsDbHelper {
// Use a different connection url so the tests can run in parallel
String connectionUrl;
String sqlClassPathResource;
if (!withAclClassIdType) {
if (!this.withAclClassIdType) {
connectionUrl = "jdbc:hsqldb:mem:lookupstrategytest";
sqlClassPathResource = ACL_SCHEMA_SQL_FILE;
} else {
}
else {
connectionUrl = "jdbc:hsqldb:mem:lookupstrategytestWithAclClassIdType";
sqlClassPathResource = ACL_SCHEMA_SQL_FILE_WITH_ACL_CLASS_ID;
}
dataSource = new SingleConnectionDataSource(connectionUrl, "sa", "", true);
dataSource.setDriverClassName("org.hsqldb.jdbcDriver");
jdbcTemplate = new JdbcTemplate(dataSource);
this.dataSource = new SingleConnectionDataSource(connectionUrl, "sa", "", true);
this.dataSource.setDriverClassName("org.hsqldb.jdbcDriver");
this.jdbcTemplate = new JdbcTemplate(this.dataSource);
Resource resource = new ClassPathResource(sqlClassPathResource);
String sql = new String(FileCopyUtils.copyToByteArray(resource.getInputStream()));
jdbcTemplate.execute(sql);
this.jdbcTemplate.execute(sql);
}
public JdbcTemplate getJdbcTemplate() {
return jdbcTemplate;
return this.jdbcTemplate;
}
public SingleConnectionDataSource getDataSource() {
return dataSource;
return this.dataSource;
}
}

42
acl/src/test/java/org/springframework/security/acls/jdbc/BasicLookupStrategyWithAclClassTypeTests.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.jdbc;
import java.util.Arrays;
@ -20,10 +21,12 @@ import java.util.Map;
import javax.sql.DataSource;
import junit.framework.Assert;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.springframework.core.convert.ConversionFailedException;
import org.springframework.core.convert.support.DefaultConversionService;
import org.springframework.jdbc.core.JdbcTemplate;
@ -34,8 +37,6 @@ import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.ObjectIdentity;
import junit.framework.Assert;
/**
* Tests {@link BasicLookupStrategy} with Acl Class type id set to UUID.
*
@ -67,34 +68,35 @@ public class BasicLookupStrategyWithAclClassTypeTests extends AbstractBasicLooku
DATABASE_HELPER.getDataSource().destroy();
}
@Override
@Before
public void initializeBeans() {
super.initializeBeans();
uuidEnabledStrategy = new BasicLookupStrategy(getDataSource(), aclCache(), aclAuthStrategy(),
new DefaultPermissionGrantingStrategy(new ConsoleAuditLogger()));
uuidEnabledStrategy.setPermissionFactory(new DefaultPermissionFactory());
uuidEnabledStrategy.setAclClassIdSupported(true);
uuidEnabledStrategy.setConversionService(new DefaultConversionService());
this.uuidEnabledStrategy = new BasicLookupStrategy(getDataSource(), aclCache(), aclAuthStrategy(),
new DefaultPermissionGrantingStrategy(new ConsoleAuditLogger()));
this.uuidEnabledStrategy.setPermissionFactory(new DefaultPermissionFactory());
this.uuidEnabledStrategy.setAclClassIdSupported(true);
this.uuidEnabledStrategy.setConversionService(new DefaultConversionService());
}
@Before
public void populateDatabaseForAclClassTypeTests() {
String query = "INSERT INTO acl_class(ID,CLASS,CLASS_ID_TYPE) VALUES (3,'"
+ TARGET_CLASS_WITH_UUID
+ "', 'java.util.UUID');"
+ "INSERT INTO acl_object_identity(ID,OBJECT_ID_CLASS,OBJECT_ID_IDENTITY,PARENT_OBJECT,OWNER_SID,ENTRIES_INHERITING) VALUES (4,3,'"
+ OBJECT_IDENTITY_UUID.toString() + "',null,1,1);"
+ "INSERT INTO acl_object_identity(ID,OBJECT_ID_CLASS,OBJECT_ID_IDENTITY,PARENT_OBJECT,OWNER_SID,ENTRIES_INHERITING) VALUES (5,3,'"
+ OBJECT_IDENTITY_LONG_AS_UUID + "',null,1,1);"
+ "INSERT INTO acl_entry(ID,ACL_OBJECT_IDENTITY,ACE_ORDER,SID,MASK,GRANTING,AUDIT_SUCCESS,AUDIT_FAILURE) VALUES (5,4,0,1,8,0,0,0);"
+ "INSERT INTO acl_entry(ID,ACL_OBJECT_IDENTITY,ACE_ORDER,SID,MASK,GRANTING,AUDIT_SUCCESS,AUDIT_FAILURE) VALUES (6,5,0,1,8,0,0,0);";
String query = "INSERT INTO acl_class(ID,CLASS,CLASS_ID_TYPE) VALUES (3,'" + TARGET_CLASS_WITH_UUID
+ "', 'java.util.UUID');"
+ "INSERT INTO acl_object_identity(ID,OBJECT_ID_CLASS,OBJECT_ID_IDENTITY,PARENT_OBJECT,OWNER_SID,ENTRIES_INHERITING) VALUES (4,3,'"
+ OBJECT_IDENTITY_UUID.toString() + "',null,1,1);"
+ "INSERT INTO acl_object_identity(ID,OBJECT_ID_CLASS,OBJECT_ID_IDENTITY,PARENT_OBJECT,OWNER_SID,ENTRIES_INHERITING) VALUES (5,3,'"
+ OBJECT_IDENTITY_LONG_AS_UUID + "',null,1,1);"
+ "INSERT INTO acl_entry(ID,ACL_OBJECT_IDENTITY,ACE_ORDER,SID,MASK,GRANTING,AUDIT_SUCCESS,AUDIT_FAILURE) VALUES (5,4,0,1,8,0,0,0);"
+ "INSERT INTO acl_entry(ID,ACL_OBJECT_IDENTITY,ACE_ORDER,SID,MASK,GRANTING,AUDIT_SUCCESS,AUDIT_FAILURE) VALUES (6,5,0,1,8,0,0,0);";
DATABASE_HELPER.getJdbcTemplate().execute(query);
}
@Test
public void testReadObjectIdentityUsingUuidType() {
ObjectIdentity oid = new ObjectIdentityImpl(TARGET_CLASS_WITH_UUID, OBJECT_IDENTITY_UUID);
Map<ObjectIdentity, Acl> foundAcls = uuidEnabledStrategy.readAclsById(Arrays.asList(oid), Arrays.asList(BEN_SID));
Map<ObjectIdentity, Acl> foundAcls = this.uuidEnabledStrategy.readAclsById(Arrays.asList(oid),
Arrays.asList(BEN_SID));
Assert.assertEquals(1, foundAcls.size());
Assert.assertNotNull(foundAcls.get(oid));
}
@ -102,7 +104,8 @@ public class BasicLookupStrategyWithAclClassTypeTests extends AbstractBasicLooku
@Test
public void testReadObjectIdentityUsingLongTypeWithConversionServiceEnabled() {
ObjectIdentity oid = new ObjectIdentityImpl(TARGET_CLASS, 100L);
Map<ObjectIdentity, Acl> foundAcls = uuidEnabledStrategy.readAclsById(Arrays.asList(oid), Arrays.asList(BEN_SID));
Map<ObjectIdentity, Acl> foundAcls = this.uuidEnabledStrategy.readAclsById(Arrays.asList(oid),
Arrays.asList(BEN_SID));
Assert.assertEquals(1, foundAcls.size());
Assert.assertNotNull(foundAcls.get(oid));
}
@ -110,6 +113,7 @@ public class BasicLookupStrategyWithAclClassTypeTests extends AbstractBasicLooku
@Test(expected = ConversionFailedException.class)
public void testReadObjectIdentityUsingNonUuidInDatabase() {
ObjectIdentity oid = new ObjectIdentityImpl(TARGET_CLASS_WITH_UUID, OBJECT_IDENTITY_LONG_AS_UUID);
uuidEnabledStrategy.readAclsById(Arrays.asList(oid), Arrays.asList(BEN_SID));
this.uuidEnabledStrategy.readAclsById(Arrays.asList(oid), Arrays.asList(BEN_SID));
}
}

17
acl/src/test/java/org/springframework/security/acls/jdbc/DatabaseSeeder.java
View File

@ -13,34 +13,31 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.jdbc;
import org.springframework.core.io.Resource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.util.Assert;
import org.springframework.util.FileCopyUtils;
import java.io.IOException;
import javax.sql.DataSource;
import org.springframework.core.io.Resource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.util.Assert;
import org.springframework.util.FileCopyUtils;
/**
* Seeds the database for {@link JdbcMutableAclServiceTests}.
*
* @author Ben Alex
*/
public class DatabaseSeeder {
// ~ Constructors
// ===================================================================================================
public DatabaseSeeder(DataSource dataSource, Resource resource) throws IOException {
Assert.notNull(dataSource, "dataSource required");
Assert.notNull(resource, "resource required");
JdbcTemplate template = new JdbcTemplate(dataSource);
String sql = new String(FileCopyUtils.copyToByteArray(resource.getInputStream()));
template.execute(sql);
}
}

199
acl/src/test/java/org/springframework/security/acls/jdbc/EhCacheBasedAclCacheTests.java
View File

@ -13,10 +13,8 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.jdbc;
import static org.mockito.Mockito.*;
import static org.assertj.core.api.Assertions.*;
package org.springframework.security.acls.jdbc;
import java.io.File;
import java.io.FileInputStream;
@ -28,7 +26,6 @@ import java.util.List;
import net.sf.ehcache.Ehcache;
import net.sf.ehcache.Element;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
@ -37,7 +34,14 @@ import org.mockito.ArgumentCaptor;
import org.mockito.Captor;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;
import org.springframework.security.acls.domain.*;
import org.springframework.security.acls.domain.AclAuthorizationStrategy;
import org.springframework.security.acls.domain.AclAuthorizationStrategyImpl;
import org.springframework.security.acls.domain.AclImpl;
import org.springframework.security.acls.domain.ConsoleAuditLogger;
import org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy;
import org.springframework.security.acls.domain.EhCacheBasedAclCache;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.authentication.TestingAuthenticationToken;
@ -47,6 +51,12 @@ import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.util.FieldUtils;
import org.springframework.test.util.ReflectionTestUtils;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.fail;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
/**
* Tests {@link EhCacheBasedAclCache}
*
@ -54,10 +64,12 @@ import org.springframework.test.util.ReflectionTestUtils;
*/
@RunWith(MockitoJUnitRunner.class)
public class EhCacheBasedAclCacheTests {
private static final String TARGET_CLASS = "org.springframework.security.acls.TargetObject";
@Mock
private Ehcache cache;
@Captor
private ArgumentCaptor<Element> element;
@ -67,17 +79,14 @@ public class EhCacheBasedAclCacheTests {
@Before
public void setup() {
myCache = new EhCacheBasedAclCache(cache, new DefaultPermissionGrantingStrategy(
new ConsoleAuditLogger()), new AclAuthorizationStrategyImpl(
new SimpleGrantedAuthority("ROLE_USER")));
this.myCache = new EhCacheBasedAclCache(this.cache,
new DefaultPermissionGrantingStrategy(new ConsoleAuditLogger()),
new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_USER")));
ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, 100L);
AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(
new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority(
"ROLE_AUDITING"), new SimpleGrantedAuthority("ROLE_GENERAL"));
acl = new AclImpl(identity, 1L, aclAuthorizationStrategy,
new ConsoleAuditLogger());
new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"),
new SimpleGrantedAuthority("ROLE_GENERAL"));
this.acl = new AclImpl(identity, 1L, aclAuthorizationStrategy, new ConsoleAuditLogger());
}
@After
@ -87,48 +96,43 @@ public class EhCacheBasedAclCacheTests {
@Test(expected = IllegalArgumentException.class)
public void constructorRejectsNullParameters() {
new EhCacheBasedAclCache(null, new DefaultPermissionGrantingStrategy(
new ConsoleAuditLogger()), new AclAuthorizationStrategyImpl(
new SimpleGrantedAuthority("ROLE_USER")));
new EhCacheBasedAclCache(null, new DefaultPermissionGrantingStrategy(new ConsoleAuditLogger()),
new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_USER")));
}
@Test
public void methodsRejectNullParameters() {
try {
Serializable id = null;
myCache.evictFromCache(id);
this.myCache.evictFromCache(id);
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
}
try {
ObjectIdentity obj = null;
myCache.evictFromCache(obj);
this.myCache.evictFromCache(obj);
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
}
try {
Serializable id = null;
myCache.getFromCache(id);
this.myCache.getFromCache(id);
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
}
try {
ObjectIdentity obj = null;
myCache.getFromCache(obj);
this.myCache.getFromCache(obj);
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
}
try {
MutableAcl acl = null;
myCache.putInCache(acl);
this.myCache.putInCache(acl);
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
@ -142,146 +146,107 @@ public class EhCacheBasedAclCacheTests {
File file = File.createTempFile("SEC_TEST", ".object");
FileOutputStream fos = new FileOutputStream(file);
ObjectOutputStream oos = new ObjectOutputStream(fos);
oos.writeObject(acl);
oos.writeObject(this.acl);
oos.close();
FileInputStream fis = new FileInputStream(file);
ObjectInputStream ois = new ObjectInputStream(fis);
MutableAcl retrieved = (MutableAcl) ois.readObject();
ois.close();
assertThat(retrieved).isEqualTo(acl);
Object retrieved1 = FieldUtils.getProtectedFieldValue("aclAuthorizationStrategy",
retrieved);
assertThat(retrieved).isEqualTo(this.acl);
Object retrieved1 = FieldUtils.getProtectedFieldValue("aclAuthorizationStrategy", retrieved);
assertThat(retrieved1).isNull();
Object retrieved2 = FieldUtils.getProtectedFieldValue(
"permissionGrantingStrategy", retrieved);
Object retrieved2 = FieldUtils.getProtectedFieldValue("permissionGrantingStrategy", retrieved);
assertThat(retrieved2).isNull();
}
@Test
public void clearCache() {
myCache.clearCache();
verify(cache).removeAll();
this.myCache.clearCache();
verify(this.cache).removeAll();
}
@Test
public void putInCache() {
myCache.putInCache(acl);
verify(cache, times(2)).put(element.capture());
assertThat(element.getValue().getKey()).isEqualTo(acl.getId());
assertThat(element.getValue().getObjectValue()).isEqualTo(acl);
assertThat(element.getAllValues().get(0).getKey()).isEqualTo(
acl.getObjectIdentity());
assertThat(element.getAllValues().get(0).getObjectValue()).isEqualTo(acl);
this.myCache.putInCache(this.acl);
verify(this.cache, times(2)).put(this.element.capture());
assertThat(this.element.getValue().getKey()).isEqualTo(this.acl.getId());
assertThat(this.element.getValue().getObjectValue()).isEqualTo(this.acl);
assertThat(this.element.getAllValues().get(0).getKey()).isEqualTo(this.acl.getObjectIdentity());
assertThat(this.element.getAllValues().get(0).getObjectValue()).isEqualTo(this.acl);
}
@Test
public void putInCacheAclWithParent() {
Authentication auth = new TestingAuthenticationToken("user", "password",
"ROLE_GENERAL");
Authentication auth = new TestingAuthenticationToken("user", "password", "ROLE_GENERAL");
auth.setAuthenticated(true);
SecurityContextHolder.getContext().setAuthentication(auth);
ObjectIdentity identityParent = new ObjectIdentityImpl(TARGET_CLASS,
2L);
ObjectIdentity identityParent = new ObjectIdentityImpl(TARGET_CLASS, 2L);
AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(
new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority(
"ROLE_AUDITING"), new SimpleGrantedAuthority("ROLE_GENERAL"));
MutableAcl parentAcl = new AclImpl(identityParent, 2L,
aclAuthorizationStrategy, new ConsoleAuditLogger());
acl.setParent(parentAcl);
myCache.putInCache(acl);
verify(cache, times(4)).put(element.capture());
List<Element> allValues = element.getAllValues();
new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"),
new SimpleGrantedAuthority("ROLE_GENERAL"));
MutableAcl parentAcl = new AclImpl(identityParent, 2L, aclAuthorizationStrategy, new ConsoleAuditLogger());
this.acl.setParent(parentAcl);
this.myCache.putInCache(this.acl);
verify(this.cache, times(4)).put(this.element.capture());
List<Element> allValues = this.element.getAllValues();
assertThat(allValues.get(0).getKey()).isEqualTo(parentAcl.getObjectIdentity());
assertThat(allValues.get(0).getObjectValue()).isEqualTo(parentAcl);
assertThat(allValues.get(1).getKey()).isEqualTo(parentAcl.getId());
assertThat(allValues.get(1).getObjectValue()).isEqualTo(parentAcl);
assertThat(allValues.get(2).getKey()).isEqualTo(acl.getObjectIdentity());
assertThat(allValues.get(2).getObjectValue()).isEqualTo(acl);
assertThat(allValues.get(3).getKey()).isEqualTo(acl.getId());
assertThat(allValues.get(3).getObjectValue()).isEqualTo(acl);
assertThat(allValues.get(2).getKey()).isEqualTo(this.acl.getObjectIdentity());
assertThat(allValues.get(2).getObjectValue()).isEqualTo(this.acl);
assertThat(allValues.get(3).getKey()).isEqualTo(this.acl.getId());
assertThat(allValues.get(3).getObjectValue()).isEqualTo(this.acl);
}
@Test
public void getFromCacheSerializable() {
when(cache.get(acl.getId())).thenReturn(new Element(acl.getId(), acl));
assertThat(myCache.getFromCache(acl.getId())).isEqualTo(acl);
given(this.cache.get(this.acl.getId())).willReturn(new Element(this.acl.getId(), this.acl));
assertThat(this.myCache.getFromCache(this.acl.getId())).isEqualTo(this.acl);
}
@Test
public void getFromCacheSerializablePopulatesTransient() {
when(cache.get(acl.getId())).thenReturn(new Element(acl.getId(), acl));
myCache.putInCache(acl);
ReflectionTestUtils.setField(acl, "permissionGrantingStrategy", null);
ReflectionTestUtils.setField(acl, "aclAuthorizationStrategy", null);
MutableAcl fromCache = myCache.getFromCache(acl.getId());
assertThat(ReflectionTestUtils.getField(fromCache, "aclAuthorizationStrategy"))
.isNotNull();
assertThat(ReflectionTestUtils.getField(fromCache, "permissionGrantingStrategy"))
.isNotNull();
given(this.cache.get(this.acl.getId())).willReturn(new Element(this.acl.getId(), this.acl));
this.myCache.putInCache(this.acl);
ReflectionTestUtils.setField(this.acl, "permissionGrantingStrategy", null);
ReflectionTestUtils.setField(this.acl, "aclAuthorizationStrategy", null);
MutableAcl fromCache = this.myCache.getFromCache(this.acl.getId());
assertThat(ReflectionTestUtils.getField(fromCache, "aclAuthorizationStrategy")).isNotNull();
assertThat(ReflectionTestUtils.getField(fromCache, "permissionGrantingStrategy")).isNotNull();
}
@Test
public void getFromCacheObjectIdentity() {
when(cache.get(acl.getId())).thenReturn(new Element(acl.getId(), acl));
assertThat(myCache.getFromCache(acl.getId())).isEqualTo(acl);
given(this.cache.get(this.acl.getId())).willReturn(new Element(this.acl.getId(), this.acl));
assertThat(this.myCache.getFromCache(this.acl.getId())).isEqualTo(this.acl);
}
@Test
public void getFromCacheObjectIdentityPopulatesTransient() {
when(cache.get(acl.getObjectIdentity()))
.thenReturn(new Element(acl.getId(), acl));
myCache.putInCache(acl);
ReflectionTestUtils.setField(acl, "permissionGrantingStrategy", null);
ReflectionTestUtils.setField(acl, "aclAuthorizationStrategy", null);
MutableAcl fromCache = myCache.getFromCache(acl.getObjectIdentity());
assertThat(ReflectionTestUtils.getField(fromCache, "aclAuthorizationStrategy"))
.isNotNull();
assertThat(ReflectionTestUtils.getField(fromCache, "permissionGrantingStrategy"))
.isNotNull();
given(this.cache.get(this.acl.getObjectIdentity())).willReturn(new Element(this.acl.getId(), this.acl));
this.myCache.putInCache(this.acl);
ReflectionTestUtils.setField(this.acl, "permissionGrantingStrategy", null);
ReflectionTestUtils.setField(this.acl, "aclAuthorizationStrategy", null);
MutableAcl fromCache = this.myCache.getFromCache(this.acl.getObjectIdentity());
assertThat(ReflectionTestUtils.getField(fromCache, "aclAuthorizationStrategy")).isNotNull();
assertThat(ReflectionTestUtils.getField(fromCache, "permissionGrantingStrategy")).isNotNull();
}
@Test
public void evictCacheSerializable() {
when(cache.get(acl.getObjectIdentity()))
.thenReturn(new Element(acl.getId(), acl));
myCache.evictFromCache(acl.getObjectIdentity());
verify(cache).remove(acl.getId());
verify(cache).remove(acl.getObjectIdentity());
given(this.cache.get(this.acl.getObjectIdentity())).willReturn(new Element(this.acl.getId(), this.acl));
this.myCache.evictFromCache(this.acl.getObjectIdentity());
verify(this.cache).remove(this.acl.getId());
verify(this.cache).remove(this.acl.getObjectIdentity());
}
@Test
public void evictCacheObjectIdentity() {
when(cache.get(acl.getId())).thenReturn(new Element(acl.getId(), acl));
myCache.evictFromCache(acl.getId());
verify(cache).remove(acl.getId());
verify(cache).remove(acl.getObjectIdentity());
given(this.cache.get(this.acl.getId())).willReturn(new Element(this.acl.getId(), this.acl));
this.myCache.evictFromCache(this.acl.getId());
verify(this.cache).remove(this.acl.getId());
verify(this.cache).remove(this.acl.getObjectIdentity());
}
}

107
acl/src/test/java/org/springframework/security/acls/jdbc/JdbcAclServiceTests.java
View File

@ -13,14 +13,25 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.jdbc;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import javax.sql.DataSource;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;
import org.springframework.jdbc.core.JdbcOperations;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabase;
@ -32,17 +43,15 @@ import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Sid;
import javax.sql.DataSource;
import java.util.*;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.AdditionalMatchers.aryEq;
import static org.mockito.ArgumentMatchers.*;
import static org.mockito.Mockito.when;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyList;
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.BDDMockito.given;
/**
* Unit and Integration tests the ACL JdbcAclService using an
* in-memory database.
* Unit and Integration tests the ACL JdbcAclService using an in-memory database.
*
* @author Nena Raab
*/
@ -61,51 +70,48 @@ public class JdbcAclServiceTests {
JdbcOperations jdbcOperations;
private JdbcAclService aclServiceIntegration;
private JdbcAclService aclService;
@Before
public void setUp() {
aclService = new JdbcAclService(jdbcOperations, lookupStrategy);
aclServiceIntegration = new JdbcAclService(embeddedDatabase, lookupStrategy);
this.aclService = new JdbcAclService(this.jdbcOperations, this.lookupStrategy);
this.aclServiceIntegration = new JdbcAclService(this.embeddedDatabase, this.lookupStrategy);
}
@Before
public void setUpEmbeddedDatabase() {
embeddedDatabase = new EmbeddedDatabaseBuilder()//
.addScript("createAclSchemaWithAclClassIdType.sql")
.addScript("db/sql/test_data_hierarchy.sql")
.build();
// @formatter:off
this.embeddedDatabase = new EmbeddedDatabaseBuilder()
.addScript("createAclSchemaWithAclClassIdType.sql")
.addScript("db/sql/test_data_hierarchy.sql")
.build();
// @formatter:on
}
@After
public void tearDownEmbeddedDatabase() {
embeddedDatabase.shutdown();
this.embeddedDatabase.shutdown();
}
// SEC-1898
@Test(expected = NotFoundException.class)
public void readAclByIdMissingAcl() {
Map<ObjectIdentity, Acl> result = new HashMap<>();
when(
lookupStrategy.readAclsById(anyList(),
anyList())).thenReturn(result);
given(this.lookupStrategy.readAclsById(anyList(), anyList())).willReturn(result);
ObjectIdentity objectIdentity = new ObjectIdentityImpl(Object.class, 1);
List<Sid> sids = Arrays.<Sid>asList(new PrincipalSid("user"));
aclService.readAclById(objectIdentity, sids);
this.aclService.readAclById(objectIdentity, sids);
}
@Test
public void findOneChildren() {
List<ObjectIdentity> result = new ArrayList<>();
result.add(new ObjectIdentityImpl(Object.class, "5577"));
Object[] args = {"1", "org.springframework.security.acls.jdbc.JdbcAclServiceTests$MockLongIdDomainObject"};
when(
jdbcOperations.query(anyString(),
aryEq(args), any(RowMapper.class))).thenReturn(result);
Object[] args = { "1", "org.springframework.security.acls.jdbc.JdbcAclServiceTests$MockLongIdDomainObject" };
given(this.jdbcOperations.query(anyString(), eq(args), any(RowMapper.class))).willReturn(result);
ObjectIdentity objectIdentity = new ObjectIdentityImpl(MockLongIdDomainObject.class, 1L);
List<ObjectIdentity> objectIdentities = aclService.findChildren(objectIdentity);
List<ObjectIdentity> objectIdentities = this.aclService.findChildren(objectIdentity);
assertThat(objectIdentities.size()).isEqualTo(1);
assertThat(objectIdentities.get(0).getIdentifier()).isEqualTo("5577");
}
@ -113,19 +119,14 @@ public class JdbcAclServiceTests {
@Test
public void findNoChildren() {
ObjectIdentity objectIdentity = new ObjectIdentityImpl(MockLongIdDomainObject.class, 1L);
List<ObjectIdentity> objectIdentities = aclService.findChildren(objectIdentity);
List<ObjectIdentity> objectIdentities = this.aclService.findChildren(objectIdentity);
assertThat(objectIdentities).isNull();
}
// ~ Some integration tests
// ========================================================================================================
@Test
public void findChildrenWithoutIdType() {
ObjectIdentity objectIdentity = new ObjectIdentityImpl(MockLongIdDomainObject.class, 4711L);
List<ObjectIdentity> objectIdentities = aclServiceIntegration.findChildren(objectIdentity);
List<ObjectIdentity> objectIdentities = this.aclServiceIntegration.findChildren(objectIdentity);
assertThat(objectIdentities.size()).isEqualTo(1);
assertThat(objectIdentities.get(0).getType()).isEqualTo(MockUntypedIdDomainObject.class.getName());
assertThat(objectIdentities.get(0).getIdentifier()).isEqualTo(5000L);
@ -134,16 +135,14 @@ public class JdbcAclServiceTests {
@Test
public void findChildrenForUnknownObject() {
ObjectIdentity objectIdentity = new ObjectIdentityImpl(Object.class, 33);
List<ObjectIdentity> objectIdentities = aclServiceIntegration.findChildren(objectIdentity);
List<ObjectIdentity> objectIdentities = this.aclServiceIntegration.findChildren(objectIdentity);
assertThat(objectIdentities).isNull();
}
@Test
public void findChildrenOfIdTypeLong() {
ObjectIdentity objectIdentity = new ObjectIdentityImpl("location", "US-PAL");
List<ObjectIdentity> objectIdentities = aclServiceIntegration.findChildren(objectIdentity);
List<ObjectIdentity> objectIdentities = this.aclServiceIntegration.findChildren(objectIdentity);
assertThat(objectIdentities.size()).isEqualTo(2);
assertThat(objectIdentities.get(0).getType()).isEqualTo(MockLongIdDomainObject.class.getName());
assertThat(objectIdentities.get(0).getIdentifier()).isEqualTo(4711L);
@ -154,9 +153,8 @@ public class JdbcAclServiceTests {
@Test
public void findChildrenOfIdTypeString() {
ObjectIdentity objectIdentity = new ObjectIdentityImpl("location", "US");
aclServiceIntegration.setAclClassIdSupported(true);
List<ObjectIdentity> objectIdentities = aclServiceIntegration.findChildren(objectIdentity);
this.aclServiceIntegration.setAclClassIdSupported(true);
List<ObjectIdentity> objectIdentities = this.aclServiceIntegration.findChildren(objectIdentity);
assertThat(objectIdentities.size()).isEqualTo(1);
assertThat(objectIdentities.get(0).getType()).isEqualTo("location");
assertThat(objectIdentities.get(0).getIdentifier()).isEqualTo("US-PAL");
@ -165,35 +163,40 @@ public class JdbcAclServiceTests {
@Test
public void findChildrenOfIdTypeUUID() {
ObjectIdentity objectIdentity = new ObjectIdentityImpl(MockUntypedIdDomainObject.class, 5000L);
aclServiceIntegration.setAclClassIdSupported(true);
List<ObjectIdentity> objectIdentities = aclServiceIntegration.findChildren(objectIdentity);
this.aclServiceIntegration.setAclClassIdSupported(true);
List<ObjectIdentity> objectIdentities = this.aclServiceIntegration.findChildren(objectIdentity);
assertThat(objectIdentities.size()).isEqualTo(1);
assertThat(objectIdentities.get(0).getType()).isEqualTo("costcenter");
assertThat(objectIdentities.get(0).getIdentifier()).isEqualTo(UUID.fromString("25d93b3f-c3aa-4814-9d5e-c7c96ced7762"));
assertThat(objectIdentities.get(0).getIdentifier())
.isEqualTo(UUID.fromString("25d93b3f-c3aa-4814-9d5e-c7c96ced7762"));
}
private class MockLongIdDomainObject {
class MockLongIdDomainObject {
private Object id;
public Object getId() {
return id;
Object getId() {
return this.id;
}
public void setId(Object id) {
void setId(Object id) {
this.id = id;
}
}
private class MockUntypedIdDomainObject {
class MockUntypedIdDomainObject {
private Object id;
public Object getId() {
return id;
Object getId() {
return this.id;
}
public void setId(Object id) {
void setId(Object id) {
this.id = id;
}
}
}

355
acl/src/test/java/org/springframework/security/acls/jdbc/JdbcMutableAclServiceTests.java
View File

@ -13,10 +13,8 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.jdbc;
import static org.assertj.core.api.Assertions.*;
import static org.mockito.Mockito.*;
package org.springframework.security.acls.jdbc;
import java.util.Arrays;
import java.util.List;
@ -25,6 +23,7 @@ import java.util.Map;
import javax.sql.DataSource;
import org.junit.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.io.ClassPathResource;
import org.springframework.jdbc.core.JdbcTemplate;
@ -55,6 +54,11 @@ import org.springframework.test.context.transaction.AfterTransaction;
import org.springframework.test.context.transaction.BeforeTransaction;
import org.springframework.transaction.annotation.Transactional;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.fail;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.spy;
/**
* Integration tests the ACL system using an in-memory database.
*
@ -62,56 +66,49 @@ import org.springframework.transaction.annotation.Transactional;
* @author Andrei Stefan
*/
@ContextConfiguration(locations = { "/jdbcMutableAclServiceTests-context.xml" })
public class JdbcMutableAclServiceTests extends
AbstractTransactionalJUnit4SpringContextTests {
// ~ Constant fields
// ================================================================================================
public class JdbcMutableAclServiceTests extends AbstractTransactionalJUnit4SpringContextTests {
private static final String TARGET_CLASS = TargetObject.class.getName();
private final Authentication auth = new TestingAuthenticationToken("ben", "ignored",
"ROLE_ADMINISTRATOR");
private final Authentication auth = new TestingAuthenticationToken("ben", "ignored", "ROLE_ADMINISTRATOR");
public static final String SELECT_ALL_CLASSES = "SELECT * FROM acl_class WHERE class = ?";
// ~ Instance fields
// ================================================================================================
private final ObjectIdentity topParentOid = new ObjectIdentityImpl(TARGET_CLASS, 100L);
private final ObjectIdentity topParentOid = new ObjectIdentityImpl(TARGET_CLASS,
100L);
private final ObjectIdentity middleParentOid = new ObjectIdentityImpl(TARGET_CLASS,
101L);
private final ObjectIdentity childOid = new ObjectIdentityImpl(TARGET_CLASS,
102L);
private final ObjectIdentity middleParentOid = new ObjectIdentityImpl(TARGET_CLASS, 101L);
private final ObjectIdentity childOid = new ObjectIdentityImpl(TARGET_CLASS, 102L);
@Autowired
private JdbcMutableAclService jdbcMutableAclService;
@Autowired
private AclCache aclCache;
@Autowired
private LookupStrategy lookupStrategy;
@Autowired
private DataSource dataSource;
@Autowired
private JdbcTemplate jdbcTemplate;
// ~ Methods
// ========================================================================================================
protected String getSqlClassPathResource() {
return "createAclSchema.sql";
}
protected ObjectIdentity getTopParentOid() {
return topParentOid;
return this.topParentOid;
}
protected ObjectIdentity getMiddleParentOid() {
return middleParentOid;
return this.middleParentOid;
}
protected ObjectIdentity getChildOid() {
return childOid;
return this.childOid;
}
protected String getTargetClass() {
@ -121,162 +118,134 @@ public class JdbcMutableAclServiceTests extends
@BeforeTransaction
public void createTables() throws Exception {
try {
new DatabaseSeeder(dataSource, new ClassPathResource(getSqlClassPathResource()));
new DatabaseSeeder(this.dataSource, new ClassPathResource(getSqlClassPathResource()));
// new DatabaseSeeder(dataSource, new
// ClassPathResource("createAclSchemaPostgres.sql"));
}
catch (Exception e) {
e.printStackTrace();
throw e;
catch (Exception ex) {
ex.printStackTrace();
throw ex;
}
}
@AfterTransaction
public void clearContextAndData() {
SecurityContextHolder.clearContext();
jdbcTemplate.execute("drop table acl_entry");
jdbcTemplate.execute("drop table acl_object_identity");
jdbcTemplate.execute("drop table acl_class");
jdbcTemplate.execute("drop table acl_sid");
aclCache.clearCache();
this.jdbcTemplate.execute("drop table acl_entry");
this.jdbcTemplate.execute("drop table acl_object_identity");
this.jdbcTemplate.execute("drop table acl_class");
this.jdbcTemplate.execute("drop table acl_sid");
this.aclCache.clearCache();
}
@Test
@Transactional
public void testLifecycle() {
SecurityContextHolder.getContext().setAuthentication(auth);
MutableAcl topParent = jdbcMutableAclService.createAcl(getTopParentOid());
MutableAcl middleParent = jdbcMutableAclService.createAcl(getMiddleParentOid());
MutableAcl child = jdbcMutableAclService.createAcl(getChildOid());
SecurityContextHolder.getContext().setAuthentication(this.auth);
MutableAcl topParent = this.jdbcMutableAclService.createAcl(getTopParentOid());
MutableAcl middleParent = this.jdbcMutableAclService.createAcl(getMiddleParentOid());
MutableAcl child = this.jdbcMutableAclService.createAcl(getChildOid());
// Specify the inheritance hierarchy
middleParent.setParent(topParent);
child.setParent(middleParent);
// Now let's add a couple of permissions
topParent.insertAce(0, BasePermission.READ, new PrincipalSid(auth), true);
topParent.insertAce(1, BasePermission.WRITE, new PrincipalSid(auth), false);
middleParent.insertAce(0, BasePermission.DELETE, new PrincipalSid(auth), true);
child.insertAce(0, BasePermission.DELETE, new PrincipalSid(auth), false);
topParent.insertAce(0, BasePermission.READ, new PrincipalSid(this.auth), true);
topParent.insertAce(1, BasePermission.WRITE, new PrincipalSid(this.auth), false);
middleParent.insertAce(0, BasePermission.DELETE, new PrincipalSid(this.auth), true);
child.insertAce(0, BasePermission.DELETE, new PrincipalSid(this.auth), false);
// Explicitly save the changed ACL
jdbcMutableAclService.updateAcl(topParent);
jdbcMutableAclService.updateAcl(middleParent);
jdbcMutableAclService.updateAcl(child);
this.jdbcMutableAclService.updateAcl(topParent);
this.jdbcMutableAclService.updateAcl(middleParent);
this.jdbcMutableAclService.updateAcl(child);
// Let's check if we can read them back correctly
Map<ObjectIdentity, Acl> map = jdbcMutableAclService.readAclsById(Arrays.asList(
getTopParentOid(), getMiddleParentOid(), getChildOid()));
Map<ObjectIdentity, Acl> map = this.jdbcMutableAclService
.readAclsById(Arrays.asList(getTopParentOid(), getMiddleParentOid(), getChildOid()));
assertThat(map).hasSize(3);
// Replace our current objects with their retrieved versions
topParent = (MutableAcl) map.get(getTopParentOid());
middleParent = (MutableAcl) map.get(getMiddleParentOid());
child = (MutableAcl) map.get(getChildOid());
// Check the retrieved versions has IDs
assertThat(topParent.getId()).isNotNull();
assertThat(middleParent.getId()).isNotNull();
assertThat(child.getId()).isNotNull();
// Check their parents were correctly persisted
assertThat(topParent.getParentAcl()).isNull();
assertThat(middleParent.getParentAcl().getObjectIdentity()).isEqualTo(getTopParentOid());
assertThat(child.getParentAcl().getObjectIdentity()).isEqualTo(getMiddleParentOid());
// Check their ACEs were correctly persisted
assertThat(topParent.getEntries()).hasSize(2);
assertThat(middleParent.getEntries()).hasSize(1);
assertThat(child.getEntries()).hasSize(1);
// Check the retrieved rights are correct
List<Permission> read = Arrays.asList(BasePermission.READ);
List<Permission> write = Arrays.asList(BasePermission.WRITE);
List<Permission> delete = Arrays.asList(BasePermission.DELETE);
List<Sid> pSid = Arrays.asList((Sid) new PrincipalSid(auth));
List<Sid> pSid = Arrays.asList((Sid) new PrincipalSid(this.auth));
assertThat(topParent.isGranted(read, pSid, false)).isTrue();
assertThat(topParent.isGranted(write, pSid, false)).isFalse();
assertThat(middleParent.isGranted(delete, pSid, false)).isTrue();
assertThat(child.isGranted(delete, pSid, false)).isFalse();
try {
child.isGranted(Arrays.asList(BasePermission.ADMINISTRATION), pSid, false);
fail("Should have thrown NotFoundException");
}
catch (NotFoundException expected) {
}
// Now check the inherited rights (when not explicitly overridden) also look OK
assertThat(child.isGranted(read, pSid, false)).isTrue();
assertThat(child.isGranted(write, pSid, false)).isFalse();
assertThat(child.isGranted(delete, pSid, false)).isFalse();
// Next change the child so it doesn't inherit permissions from above
child.setEntriesInheriting(false);
jdbcMutableAclService.updateAcl(child);
child = (MutableAcl) jdbcMutableAclService.readAclById(getChildOid());
this.jdbcMutableAclService.updateAcl(child);
child = (MutableAcl) this.jdbcMutableAclService.readAclById(getChildOid());
assertThat(child.isEntriesInheriting()).isFalse();
// Check the child permissions no longer inherit
assertThat(child.isGranted(delete, pSid, true)).isFalse();
try {
child.isGranted(read, pSid, true);
fail("Should have thrown NotFoundException");
}
catch (NotFoundException expected) {
}
try {
child.isGranted(write, pSid, true);
fail("Should have thrown NotFoundException");
}
catch (NotFoundException expected) {
}
// Let's add an identical permission to the child, but it'll appear AFTER the
// current permission, so has no impact
child.insertAce(1, BasePermission.DELETE, new PrincipalSid(auth), true);
child.insertAce(1, BasePermission.DELETE, new PrincipalSid(this.auth), true);
// Let's also add another permission to the child
child.insertAce(2, BasePermission.CREATE, new PrincipalSid(auth), true);
child.insertAce(2, BasePermission.CREATE, new PrincipalSid(this.auth), true);
// Save the changed child
jdbcMutableAclService.updateAcl(child);
child = (MutableAcl) jdbcMutableAclService.readAclById(getChildOid());
this.jdbcMutableAclService.updateAcl(child);
child = (MutableAcl) this.jdbcMutableAclService.readAclById(getChildOid());
assertThat(child.getEntries()).hasSize(3);
// Output permissions
for (int i = 0; i < child.getEntries().size(); i++) {
System.out.println(child.getEntries().get(i));
}
// Check the permissions are as they should be
assertThat(child.isGranted(delete, pSid, true)).isFalse(); // as earlier permission
// overrode
assertThat(child.isGranted(delete, pSid, true)).isFalse(); // as earlier
// permission
// overrode
assertThat(child.isGranted(Arrays.asList(BasePermission.CREATE), pSid, true)).isTrue();
// Now check the first ACE (index 0) really is DELETE for our Sid and is
// non-granting
AccessControlEntry entry = child.getEntries().get(0);
assertThat(entry.getPermission().getMask()).isEqualTo(BasePermission.DELETE.getMask());
assertThat(entry.getSid()).isEqualTo(new PrincipalSid(auth));
assertThat(entry.getSid()).isEqualTo(new PrincipalSid(this.auth));
assertThat(entry.isGranting()).isFalse();
assertThat(entry.getId()).isNotNull();
// Now delete that first ACE
child.deleteAce(0);
// Save and check it worked
child = jdbcMutableAclService.updateAcl(child);
child = this.jdbcMutableAclService.updateAcl(child);
assertThat(child.getEntries()).hasSize(2);
assertThat(child.isGranted(delete, pSid, false)).isTrue();
SecurityContextHolder.clearContext();
}
@ -286,38 +255,31 @@ public class JdbcMutableAclServiceTests extends
@Test
@Transactional
public void deleteAclAlsoDeletesChildren() {
SecurityContextHolder.getContext().setAuthentication(auth);
jdbcMutableAclService.createAcl(getTopParentOid());
MutableAcl middleParent = jdbcMutableAclService.createAcl(getMiddleParentOid());
MutableAcl child = jdbcMutableAclService.createAcl(getChildOid());
SecurityContextHolder.getContext().setAuthentication(this.auth);
this.jdbcMutableAclService.createAcl(getTopParentOid());
MutableAcl middleParent = this.jdbcMutableAclService.createAcl(getMiddleParentOid());
MutableAcl child = this.jdbcMutableAclService.createAcl(getChildOid());
child.setParent(middleParent);
jdbcMutableAclService.updateAcl(middleParent);
jdbcMutableAclService.updateAcl(child);
this.jdbcMutableAclService.updateAcl(middleParent);
this.jdbcMutableAclService.updateAcl(child);
// Check the childOid really is a child of middleParentOid
Acl childAcl = jdbcMutableAclService.readAclById(getChildOid());
Acl childAcl = this.jdbcMutableAclService.readAclById(getChildOid());
assertThat(childAcl.getParentAcl().getObjectIdentity()).isEqualTo(getMiddleParentOid());
// Delete the mid-parent and test if the child was deleted, as well
jdbcMutableAclService.deleteAcl(getMiddleParentOid(), true);
this.jdbcMutableAclService.deleteAcl(getMiddleParentOid(), true);
try {
jdbcMutableAclService.readAclById(getMiddleParentOid());
this.jdbcMutableAclService.readAclById(getMiddleParentOid());
fail("It should have thrown NotFoundException");
}
catch (NotFoundException expected) {
}
try {
jdbcMutableAclService.readAclById(getChildOid());
this.jdbcMutableAclService.readAclById(getChildOid());
fail("It should have thrown NotFoundException");
}
catch (NotFoundException expected) {
}
Acl acl = jdbcMutableAclService.readAclById(getTopParentOid());
Acl acl = this.jdbcMutableAclService.readAclById(getTopParentOid());
assertThat(acl).isNotNull();
assertThat(getTopParentOid()).isEqualTo(acl.getObjectIdentity());
}
@ -325,21 +287,19 @@ public class JdbcMutableAclServiceTests extends
@Test
public void constructorRejectsNullParameters() {
try {
new JdbcMutableAclService(null, lookupStrategy, aclCache);
new JdbcMutableAclService(null, this.lookupStrategy, this.aclCache);
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
}
try {
new JdbcMutableAclService(dataSource, null, aclCache);
new JdbcMutableAclService(this.dataSource, null, this.aclCache);
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
}
try {
new JdbcMutableAclService(dataSource, lookupStrategy, null);
new JdbcMutableAclService(this.dataSource, this.lookupStrategy, null);
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
@ -349,7 +309,7 @@ public class JdbcMutableAclServiceTests extends
@Test
public void createAclRejectsNullParameter() {
try {
jdbcMutableAclService.createAcl(null);
this.jdbcMutableAclService.createAcl(null);
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
@ -359,13 +319,12 @@ public class JdbcMutableAclServiceTests extends
@Test
@Transactional
public void createAclForADuplicateDomainObject() {
SecurityContextHolder.getContext().setAuthentication(auth);
ObjectIdentity duplicateOid = new ObjectIdentityImpl(TARGET_CLASS,
100L);
jdbcMutableAclService.createAcl(duplicateOid);
SecurityContextHolder.getContext().setAuthentication(this.auth);
ObjectIdentity duplicateOid = new ObjectIdentityImpl(TARGET_CLASS, 100L);
this.jdbcMutableAclService.createAcl(duplicateOid);
// Try to add the same object second time
try {
jdbcMutableAclService.createAcl(duplicateOid);
this.jdbcMutableAclService.createAcl(duplicateOid);
fail("It should have thrown AlreadyExistsException");
}
catch (AlreadyExistsException expected) {
@ -376,7 +335,7 @@ public class JdbcMutableAclServiceTests extends
@Transactional
public void deleteAclRejectsNullParameters() {
try {
jdbcMutableAclService.deleteAcl(null, true);
this.jdbcMutableAclService.deleteAcl(null, true);
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
@ -386,61 +345,52 @@ public class JdbcMutableAclServiceTests extends
@Test
@Transactional
public void deleteAclWithChildrenThrowsException() {
SecurityContextHolder.getContext().setAuthentication(auth);
MutableAcl parent = jdbcMutableAclService.createAcl(getTopParentOid());
MutableAcl child = jdbcMutableAclService.createAcl(getMiddleParentOid());
SecurityContextHolder.getContext().setAuthentication(this.auth);
MutableAcl parent = this.jdbcMutableAclService.createAcl(getTopParentOid());
MutableAcl child = this.jdbcMutableAclService.createAcl(getMiddleParentOid());
// Specify the inheritance hierarchy
child.setParent(parent);
jdbcMutableAclService.updateAcl(child);
this.jdbcMutableAclService.updateAcl(child);
try {
jdbcMutableAclService.setForeignKeysInDatabase(false); // switch on FK
// checking in the
// class, not database
jdbcMutableAclService.deleteAcl(getTopParentOid(), false);
this.jdbcMutableAclService.setForeignKeysInDatabase(false); // switch on FK
// checking in the
// class, not database
this.jdbcMutableAclService.deleteAcl(getTopParentOid(), false);
fail("It should have thrown ChildrenExistException");
}
catch (ChildrenExistException expected) {
}
finally {
jdbcMutableAclService.setForeignKeysInDatabase(true); // restore to the
// default
this.jdbcMutableAclService.setForeignKeysInDatabase(true); // restore to the
// default
}
}
@Test
@Transactional
public void deleteAclRemovesRowsFromDatabase() {
SecurityContextHolder.getContext().setAuthentication(auth);
MutableAcl child = jdbcMutableAclService.createAcl(getChildOid());
child.insertAce(0, BasePermission.DELETE, new PrincipalSid(auth), false);
jdbcMutableAclService.updateAcl(child);
SecurityContextHolder.getContext().setAuthentication(this.auth);
MutableAcl child = this.jdbcMutableAclService.createAcl(getChildOid());
child.insertAce(0, BasePermission.DELETE, new PrincipalSid(this.auth), false);
this.jdbcMutableAclService.updateAcl(child);
// Remove the child and check all related database rows were removed accordingly
jdbcMutableAclService.deleteAcl(getChildOid(), false);
assertThat(
jdbcTemplate.queryForList(SELECT_ALL_CLASSES,
new Object[] { getTargetClass() })).hasSize(1);
assertThat(jdbcTemplate.queryForList("select * from acl_object_identity")
).isEmpty();
assertThat(jdbcTemplate.queryForList("select * from acl_entry")).isEmpty();
this.jdbcMutableAclService.deleteAcl(getChildOid(), false);
assertThat(this.jdbcTemplate.queryForList(SELECT_ALL_CLASSES, new Object[] { getTargetClass() })).hasSize(1);
assertThat(this.jdbcTemplate.queryForList("select * from acl_object_identity")).isEmpty();
assertThat(this.jdbcTemplate.queryForList("select * from acl_entry")).isEmpty();
// Check the cache
assertThat(aclCache.getFromCache(getChildOid())).isNull();
assertThat(aclCache.getFromCache(102L)).isNull();
assertThat(this.aclCache.getFromCache(getChildOid())).isNull();
assertThat(this.aclCache.getFromCache(102L)).isNull();
}
/** SEC-1107 */
@Test
@Transactional
public void identityWithIntegerIdIsSupportedByCreateAcl() {
SecurityContextHolder.getContext().setAuthentication(auth);
SecurityContextHolder.getContext().setAuthentication(this.auth);
ObjectIdentity oid = new ObjectIdentityImpl(TARGET_CLASS, 101);
jdbcMutableAclService.createAcl(oid);
assertThat(jdbcMutableAclService.readAclById(new ObjectIdentityImpl(
TARGET_CLASS, 101L))).isNotNull();
this.jdbcMutableAclService.createAcl(oid);
assertThat(this.jdbcMutableAclService.readAclById(new ObjectIdentityImpl(TARGET_CLASS, 101L))).isNotNull();
}
/**
@ -449,32 +399,25 @@ public class JdbcMutableAclServiceTests extends
@Test
@Transactional
public void childrenAreClearedFromCacheWhenParentIsUpdated() {
Authentication auth = new TestingAuthenticationToken("ben", "ignored",
"ROLE_ADMINISTRATOR");
Authentication auth = new TestingAuthenticationToken("ben", "ignored", "ROLE_ADMINISTRATOR");
auth.setAuthenticated(true);
SecurityContextHolder.getContext().setAuthentication(auth);
ObjectIdentity parentOid = new ObjectIdentityImpl(TARGET_CLASS, 104L);
ObjectIdentity childOid = new ObjectIdentityImpl(TARGET_CLASS, 105L);
MutableAcl parent = jdbcMutableAclService.createAcl(parentOid);
MutableAcl child = jdbcMutableAclService.createAcl(childOid);
MutableAcl parent = this.jdbcMutableAclService.createAcl(parentOid);
MutableAcl child = this.jdbcMutableAclService.createAcl(childOid);
child.setParent(parent);
jdbcMutableAclService.updateAcl(child);
parent = (AclImpl) jdbcMutableAclService.readAclById(parentOid);
this.jdbcMutableAclService.updateAcl(child);
parent = (AclImpl) this.jdbcMutableAclService.readAclById(parentOid);
parent.insertAce(0, BasePermission.READ, new PrincipalSid("ben"), true);
jdbcMutableAclService.updateAcl(parent);
parent = (AclImpl) jdbcMutableAclService.readAclById(parentOid);
this.jdbcMutableAclService.updateAcl(parent);
parent = (AclImpl) this.jdbcMutableAclService.readAclById(parentOid);
parent.insertAce(1, BasePermission.READ, new PrincipalSid("scott"), true);
jdbcMutableAclService.updateAcl(parent);
child = (MutableAcl) jdbcMutableAclService.readAclById(childOid);
this.jdbcMutableAclService.updateAcl(parent);
child = (MutableAcl) this.jdbcMutableAclService.readAclById(childOid);
parent = (MutableAcl) child.getParentAcl();
assertThat(parent.getEntries()).hasSize(2).withFailMessage("Fails because child has a stale reference to its parent");
assertThat(parent.getEntries()).hasSize(2)
.withFailMessage("Fails because child has a stale reference to its parent");
assertThat(parent.getEntries().get(0).getPermission().getMask()).isEqualTo(1);
assertThat(parent.getEntries().get(0).getSid()).isEqualTo(new PrincipalSid("ben"));
assertThat(parent.getEntries().get(1).getPermission().getMask()).isEqualTo(1);
@ -487,34 +430,22 @@ public class JdbcMutableAclServiceTests extends
@Test
@Transactional
public void childrenAreClearedFromCacheWhenParentisUpdated2() {
Authentication auth = new TestingAuthenticationToken("system", "secret",
"ROLE_IGNORED");
Authentication auth = new TestingAuthenticationToken("system", "secret", "ROLE_IGNORED");
SecurityContextHolder.getContext().setAuthentication(auth);
ObjectIdentityImpl rootObject = new ObjectIdentityImpl(TARGET_CLASS,
1L);
MutableAcl parent = jdbcMutableAclService.createAcl(rootObject);
MutableAcl child = jdbcMutableAclService.createAcl(new ObjectIdentityImpl(
TARGET_CLASS, 2L));
ObjectIdentityImpl rootObject = new ObjectIdentityImpl(TARGET_CLASS, 1L);
MutableAcl parent = this.jdbcMutableAclService.createAcl(rootObject);
MutableAcl child = this.jdbcMutableAclService.createAcl(new ObjectIdentityImpl(TARGET_CLASS, 2L));
child.setParent(parent);
jdbcMutableAclService.updateAcl(child);
parent.insertAce(0, BasePermission.ADMINISTRATION, new GrantedAuthoritySid(
"ROLE_ADMINISTRATOR"), true);
jdbcMutableAclService.updateAcl(parent);
this.jdbcMutableAclService.updateAcl(child);
parent.insertAce(0, BasePermission.ADMINISTRATION, new GrantedAuthoritySid("ROLE_ADMINISTRATOR"), true);
this.jdbcMutableAclService.updateAcl(parent);
parent.insertAce(1, BasePermission.DELETE, new PrincipalSid("terry"), true);
jdbcMutableAclService.updateAcl(parent);
child = (MutableAcl) jdbcMutableAclService.readAclById(new ObjectIdentityImpl(
TARGET_CLASS, 2L));
this.jdbcMutableAclService.updateAcl(parent);
child = (MutableAcl) this.jdbcMutableAclService.readAclById(new ObjectIdentityImpl(TARGET_CLASS, 2L));
parent = (MutableAcl) child.getParentAcl();
assertThat(parent.getEntries()).hasSize(2);
assertThat(parent.getEntries().get(0).getPermission().getMask()).isEqualTo(16);
assertThat(parent.getEntries()
.get(0).getSid()).isEqualTo(new GrantedAuthoritySid("ROLE_ADMINISTRATOR"));
assertThat(parent.getEntries().get(0).getSid()).isEqualTo(new GrantedAuthoritySid("ROLE_ADMINISTRATOR"));
assertThat(parent.getEntries().get(1).getPermission().getMask()).isEqualTo(8);
assertThat(parent.getEntries().get(1).getSid()).isEqualTo(new PrincipalSid("terry"));
}
@ -522,56 +453,50 @@ public class JdbcMutableAclServiceTests extends
@Test
@Transactional
public void cumulativePermissions() {
Authentication auth = new TestingAuthenticationToken("ben", "ignored",
"ROLE_ADMINISTRATOR");
Authentication auth = new TestingAuthenticationToken("ben", "ignored", "ROLE_ADMINISTRATOR");
auth.setAuthenticated(true);
SecurityContextHolder.getContext().setAuthentication(auth);
ObjectIdentity topParentOid = new ObjectIdentityImpl(TARGET_CLASS,
110L);
MutableAcl topParent = jdbcMutableAclService.createAcl(topParentOid);
ObjectIdentity topParentOid = new ObjectIdentityImpl(TARGET_CLASS, 110L);
MutableAcl topParent = this.jdbcMutableAclService.createAcl(topParentOid);
// Add an ACE permission entry
Permission cm = new CumulativePermission().set(BasePermission.READ).set(
BasePermission.ADMINISTRATION);
Permission cm = new CumulativePermission().set(BasePermission.READ).set(BasePermission.ADMINISTRATION);
assertThat(cm.getMask()).isEqualTo(17);
Sid benSid = new PrincipalSid(auth);
topParent.insertAce(0, cm, benSid, true);
assertThat(topParent.getEntries()).hasSize(1);
// Explicitly save the changed ACL
topParent = jdbcMutableAclService.updateAcl(topParent);
topParent = this.jdbcMutableAclService.updateAcl(topParent);
// Check the mask was retrieved correctly
assertThat(topParent.getEntries().get(0).getPermission().getMask()).isEqualTo(17);
assertThat(topParent.isGranted(Arrays.asList(cm), Arrays.asList(benSid), true)).isTrue();
SecurityContextHolder.clearContext();
}
@Test
public void testProcessingCustomSid() {
CustomJdbcMutableAclService customJdbcMutableAclService = spy(new CustomJdbcMutableAclService(
dataSource, lookupStrategy, aclCache));
CustomJdbcMutableAclService customJdbcMutableAclService = spy(
new CustomJdbcMutableAclService(this.dataSource, this.lookupStrategy, this.aclCache));
CustomSid customSid = new CustomSid("Custom sid");
when(
customJdbcMutableAclService.createOrRetrieveSidPrimaryKey("Custom sid",
false, false)).thenReturn(1L);
Long result = customJdbcMutableAclService.createOrRetrieveSidPrimaryKey(
customSid, false);
given(customJdbcMutableAclService.createOrRetrieveSidPrimaryKey("Custom sid", false, false)).willReturn(1L);
Long result = customJdbcMutableAclService.createOrRetrieveSidPrimaryKey(customSid, false);
assertThat(new Long(1L)).isEqualTo(result);
}
protected Authentication getAuth() {
return this.auth;
}
protected JdbcMutableAclService getJdbcMutableAclService() {
return this.jdbcMutableAclService;
}
/**
* This class needed to show how to extend {@link JdbcMutableAclService} for
* processing custom {@link Sid} implementations
*/
private class CustomJdbcMutableAclService extends JdbcMutableAclService {
private CustomJdbcMutableAclService(DataSource dataSource,
LookupStrategy lookupStrategy, AclCache aclCache) {
CustomJdbcMutableAclService(DataSource dataSource, LookupStrategy lookupStrategy, AclCache aclCache) {
super(dataSource, lookupStrategy, aclCache);
}
@ -591,13 +516,7 @@ public class JdbcMutableAclServiceTests extends
}
return createOrRetrieveSidPrimaryKey(sidName, isPrincipal, allowCreate);
}
}
protected Authentication getAuth() {
return auth;
}
protected JdbcMutableAclService getJdbcMutableAclService() {
return jdbcMutableAclService;
}
}

36
acl/src/test/java/org/springframework/security/acls/jdbc/JdbcMutableAclServiceTestsWithAclClassId.java
View File

@ -13,13 +13,13 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.jdbc;
import static org.assertj.core.api.Assertions.assertThat;
package org.springframework.security.acls.jdbc;
import java.util.UUID;
import org.junit.Test;
import org.springframework.security.acls.TargetObjectWithUUID;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.model.ObjectIdentity;
@ -27,21 +27,24 @@ import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.transaction.annotation.Transactional;
import static org.assertj.core.api.Assertions.assertThat;
/**
* Integration tests the ACL system using ACL class id type of UUID and using an in-memory database.
* Integration tests the ACL system using ACL class id type of UUID and using an in-memory
* database.
*
* @author Paul Wheeler
*/
@ContextConfiguration(locations = {"/jdbcMutableAclServiceTestsWithAclClass-context.xml"})
@ContextConfiguration(locations = { "/jdbcMutableAclServiceTestsWithAclClass-context.xml" })
public class JdbcMutableAclServiceTestsWithAclClassId extends JdbcMutableAclServiceTests {
private static final String TARGET_CLASS_WITH_UUID = TargetObjectWithUUID.class.getName();
private final ObjectIdentity topParentOid = new ObjectIdentityImpl(TARGET_CLASS_WITH_UUID,
UUID.randomUUID());
private final ObjectIdentity middleParentOid = new ObjectIdentityImpl(TARGET_CLASS_WITH_UUID,
UUID.randomUUID());
private final ObjectIdentity childOid = new ObjectIdentityImpl(TARGET_CLASS_WITH_UUID,
UUID.randomUUID());
private final ObjectIdentity topParentOid = new ObjectIdentityImpl(TARGET_CLASS_WITH_UUID, UUID.randomUUID());
private final ObjectIdentity middleParentOid = new ObjectIdentityImpl(TARGET_CLASS_WITH_UUID, UUID.randomUUID());
private final ObjectIdentity childOid = new ObjectIdentityImpl(TARGET_CLASS_WITH_UUID, UUID.randomUUID());
@Override
protected String getSqlClassPathResource() {
@ -50,17 +53,17 @@ public class JdbcMutableAclServiceTestsWithAclClassId extends JdbcMutableAclServ
@Override
protected ObjectIdentity getTopParentOid() {
return topParentOid;
return this.topParentOid;
}
@Override
protected ObjectIdentity getMiddleParentOid() {
return middleParentOid;
return this.middleParentOid;
}
@Override
protected ObjectIdentity getChildOid() {
return childOid;
return this.childOid;
}
@Override
@ -72,12 +75,11 @@ public class JdbcMutableAclServiceTestsWithAclClassId extends JdbcMutableAclServ
@Transactional
public void identityWithUuidIdIsSupportedByCreateAcl() {
SecurityContextHolder.getContext().setAuthentication(getAuth());
UUID id = UUID.randomUUID();
ObjectIdentity oid = new ObjectIdentityImpl(TARGET_CLASS_WITH_UUID, id);
getJdbcMutableAclService().createAcl(oid);
assertThat(getJdbcMutableAclService().readAclById(new ObjectIdentityImpl(
TARGET_CLASS_WITH_UUID, id))).isNotNull();
assertThat(getJdbcMutableAclService().readAclById(new ObjectIdentityImpl(TARGET_CLASS_WITH_UUID, id)))
.isNotNull();
}
}

84
acl/src/test/java/org/springframework/security/acls/jdbc/SpringCacheBasedAclCacheTests.java
View File

@ -13,15 +13,26 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.jdbc;
import java.util.Map;
import org.junit.After;
import org.junit.BeforeClass;
import org.junit.Test;
import org.springframework.cache.Cache;
import org.springframework.cache.CacheManager;
import org.springframework.cache.concurrent.ConcurrentMapCacheManager;
import org.springframework.security.acls.domain.*;
import org.springframework.security.acls.domain.AclAuthorizationStrategy;
import org.springframework.security.acls.domain.AclAuthorizationStrategyImpl;
import org.springframework.security.acls.domain.AclImpl;
import org.springframework.security.acls.domain.AuditLogger;
import org.springframework.security.acls.domain.ConsoleAuditLogger;
import org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.SpringCacheBasedAclCache;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.PermissionGrantingStrategy;
@ -31,9 +42,7 @@ import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.util.FieldUtils;
import java.util.Map;
import static org.assertj.core.api.Assertions.*;
import static org.assertj.core.api.Assertions.assertThat;
/**
* Tests {@link org.springframework.security.acls.domain.SpringCacheBasedAclCache}
@ -41,6 +50,7 @@ import static org.assertj.core.api.Assertions.*;
* @author Marten Deinum
*/
public class SpringCacheBasedAclCacheTests {
private static final String TARGET_CLASS = "org.springframework.security.acls.TargetObject";
private static CacheManager cacheManager;
@ -76,43 +86,31 @@ public class SpringCacheBasedAclCacheTests {
Map realCache = (Map) cache.getNativeCache();
ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, 100L);
AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(
new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority(
"ROLE_AUDITING"), new SimpleGrantedAuthority("ROLE_GENERAL"));
new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"),
new SimpleGrantedAuthority("ROLE_GENERAL"));
AuditLogger auditLogger = new ConsoleAuditLogger();
PermissionGrantingStrategy permissionGrantingStrategy = new DefaultPermissionGrantingStrategy(
auditLogger);
SpringCacheBasedAclCache myCache = new SpringCacheBasedAclCache(cache,
permissionGrantingStrategy, aclAuthorizationStrategy);
MutableAcl acl = new AclImpl(identity, 1L, aclAuthorizationStrategy,
auditLogger);
PermissionGrantingStrategy permissionGrantingStrategy = new DefaultPermissionGrantingStrategy(auditLogger);
SpringCacheBasedAclCache myCache = new SpringCacheBasedAclCache(cache, permissionGrantingStrategy,
aclAuthorizationStrategy);
MutableAcl acl = new AclImpl(identity, 1L, aclAuthorizationStrategy, auditLogger);
assertThat(realCache).isEmpty();
myCache.putInCache(acl);
// Check we can get from cache the same objects we put in
assertThat(acl).isEqualTo(myCache.getFromCache(1L));
assertThat(acl).isEqualTo(myCache.getFromCache(identity));
// Put another object in cache
ObjectIdentity identity2 = new ObjectIdentityImpl(TARGET_CLASS, 101L);
MutableAcl acl2 = new AclImpl(identity2, 2L,
aclAuthorizationStrategy, new ConsoleAuditLogger());
MutableAcl acl2 = new AclImpl(identity2, 2L, aclAuthorizationStrategy, new ConsoleAuditLogger());
myCache.putInCache(acl2);
// Try to evict an entry that doesn't exist
myCache.evictFromCache(3L);
myCache.evictFromCache(new ObjectIdentityImpl(TARGET_CLASS, 102L));
assertThat(realCache).hasSize(4);
myCache.evictFromCache(1L);
assertThat(realCache).hasSize(2);
// Check the second object inserted
assertThat(acl2).isEqualTo(myCache.getFromCache(2L));
assertThat(acl2).isEqualTo(myCache.getFromCache(identity2));
myCache.evictFromCache(identity2);
assertThat(realCache).isEmpty();
}
@ -122,50 +120,36 @@ public class SpringCacheBasedAclCacheTests {
public void cacheOperationsAclWithParent() throws Exception {
Cache cache = getCache();
Map realCache = (Map) cache.getNativeCache();
Authentication auth = new TestingAuthenticationToken("user", "password",
"ROLE_GENERAL");
Authentication auth = new TestingAuthenticationToken("user", "password", "ROLE_GENERAL");
auth.setAuthenticated(true);
SecurityContextHolder.getContext().setAuthentication(auth);
ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, 1L);
ObjectIdentity identityParent = new ObjectIdentityImpl(TARGET_CLASS,
2L);
ObjectIdentity identityParent = new ObjectIdentityImpl(TARGET_CLASS, 2L);
AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(
new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority(
"ROLE_AUDITING"), new SimpleGrantedAuthority("ROLE_GENERAL"));
new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"),
new SimpleGrantedAuthority("ROLE_GENERAL"));
AuditLogger auditLogger = new ConsoleAuditLogger();
PermissionGrantingStrategy permissionGrantingStrategy = new DefaultPermissionGrantingStrategy(
auditLogger);
SpringCacheBasedAclCache myCache = new SpringCacheBasedAclCache(cache,
permissionGrantingStrategy, aclAuthorizationStrategy);
MutableAcl acl = new AclImpl(identity, 1L, aclAuthorizationStrategy,
auditLogger);
MutableAcl parentAcl = new AclImpl(identityParent, 2L,
aclAuthorizationStrategy, auditLogger);
PermissionGrantingStrategy permissionGrantingStrategy = new DefaultPermissionGrantingStrategy(auditLogger);
SpringCacheBasedAclCache myCache = new SpringCacheBasedAclCache(cache, permissionGrantingStrategy,
aclAuthorizationStrategy);
MutableAcl acl = new AclImpl(identity, 1L, aclAuthorizationStrategy, auditLogger);
MutableAcl parentAcl = new AclImpl(identityParent, 2L, aclAuthorizationStrategy, auditLogger);
acl.setParent(parentAcl);
assertThat(realCache).isEmpty();
myCache.putInCache(acl);
assertThat(4).isEqualTo(realCache.size());
// Check we can get from cache the same objects we put in
AclImpl aclFromCache = (AclImpl) myCache.getFromCache(1L);
assertThat(aclFromCache).isEqualTo(acl);
// SEC-951 check transient fields are set on parent
assertThat(FieldUtils.getFieldValue(aclFromCache.getParentAcl(),
"aclAuthorizationStrategy")).isNotNull();
assertThat(FieldUtils.getFieldValue(aclFromCache.getParentAcl(),
"permissionGrantingStrategy")).isNotNull();
assertThat(FieldUtils.getFieldValue(aclFromCache.getParentAcl(), "aclAuthorizationStrategy")).isNotNull();
assertThat(FieldUtils.getFieldValue(aclFromCache.getParentAcl(), "permissionGrantingStrategy")).isNotNull();
assertThat(myCache.getFromCache(identity)).isEqualTo(acl);
assertThat(FieldUtils.getFieldValue(aclFromCache, "aclAuthorizationStrategy")).isNotNull();
AclImpl parentAclFromCache = (AclImpl) myCache.getFromCache(2L);
assertThat(parentAclFromCache).isEqualTo(parentAcl);
assertThat(FieldUtils.getFieldValue(parentAclFromCache,
"aclAuthorizationStrategy")).isNotNull();
assertThat(FieldUtils.getFieldValue(parentAclFromCache, "aclAuthorizationStrategy")).isNotNull();
assertThat(myCache.getFromCache(identityParent)).isEqualTo(parentAcl);
}
}

5
acl/src/test/java/org/springframework/security/acls/sid/CustomSid.java
View File

@ -13,12 +13,14 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.sid;
import org.springframework.security.acls.model.Sid;
/**
* This class is example of custom {@link Sid} implementation
*
* @author Mikhail Stryzhonok
*/
public class CustomSid implements Sid {
@ -30,10 +32,11 @@ public class CustomSid implements Sid {
}
public String getSid() {
return sid;
return this.sid;
}
public void setSid(String sid) {
this.sid = sid;
}
}

27
acl/src/test/java/org/springframework/security/acls/sid/SidRetrievalStrategyTests.java
View File

@ -13,14 +13,13 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.sid;
import static org.assertj.core.api.Assertions.*;
import static org.mockito.Mockito.*;
package org.springframework.security.acls.sid;
import java.util.List;
import org.junit.Test;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.acls.domain.GrantedAuthoritySid;
import org.springframework.security.acls.domain.PrincipalSid;
@ -31,6 +30,11 @@ import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.ArgumentMatchers.anyCollection;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock;
/**
* Tests for {@link SidRetrievalStrategyImpl}
*
@ -39,26 +43,20 @@ import org.springframework.security.core.authority.AuthorityUtils;
*/
@SuppressWarnings("unchecked")
public class SidRetrievalStrategyTests {
Authentication authentication = new TestingAuthenticationToken("scott", "password",
"A", "B", "C");
// ~ Methods
// ========================================================================================================
Authentication authentication = new TestingAuthenticationToken("scott", "password", "A", "B", "C");
@Test
public void correctSidsAreRetrieved() {
SidRetrievalStrategy retrStrategy = new SidRetrievalStrategyImpl();
List<Sid> sids = retrStrategy.getSids(authentication);
List<Sid> sids = retrStrategy.getSids(this.authentication);
assertThat(sids).isNotNull();
assertThat(sids).hasSize(4);
assertThat(sids.get(0)).isNotNull();
assertThat(sids.get(0) instanceof PrincipalSid).isTrue();
for (int i = 1; i < sids.size(); i++) {
assertThat(sids.get(i) instanceof GrantedAuthoritySid).isTrue();
}
assertThat(((PrincipalSid) sids.get(0)).getPrincipal()).isEqualTo("scott");
assertThat(((GrantedAuthoritySid) sids.get(1)).getGrantedAuthority()).isEqualTo("A");
assertThat(((GrantedAuthoritySid) sids.get(2)).getGrantedAuthority()).isEqualTo("B");
@ -69,14 +67,13 @@ public class SidRetrievalStrategyTests {
public void roleHierarchyIsUsedWhenSet() {
RoleHierarchy rh = mock(RoleHierarchy.class);
List rhAuthorities = AuthorityUtils.createAuthorityList("D");
when(rh.getReachableGrantedAuthorities(anyCollection()))
.thenReturn(rhAuthorities);
given(rh.getReachableGrantedAuthorities(anyCollection())).willReturn(rhAuthorities);
SidRetrievalStrategy strat = new SidRetrievalStrategyImpl(rh);
List<Sid> sids = strat.getSids(authentication);
List<Sid> sids = strat.getSids(this.authentication);
assertThat(sids).hasSize(2);
assertThat(sids.get(0)).isNotNull();
assertThat(sids.get(0) instanceof PrincipalSid).isTrue();
assertThat(((GrantedAuthoritySid) sids.get(1)).getGrantedAuthority()).isEqualTo("D");
}
}

93
acl/src/test/java/org/springframework/security/acls/sid/SidTests.java
View File

@ -13,12 +13,14 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.acls.sid;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.fail;
import java.util.Collection;
import java.util.Collections;
import org.junit.Test;
import org.springframework.security.acls.domain.GrantedAuthoritySid;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.Sid;
@ -29,13 +31,11 @@ import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import java.util.Collection;
import java.util.Collections;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.fail;
public class SidTests {
// ~ Methods
// ========================================================================================================
@Test
public void testPrincipalSidConstructorsRequiredFields() {
// Check one String-argument constructor
@ -46,17 +46,14 @@ public class SidTests {
}
catch (IllegalArgumentException expected) {
}
try {
new PrincipalSid("");
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
}
new PrincipalSid("johndoe");
// throws no exception
// Check one Authentication-argument constructor
try {
Authentication authentication = null;
@ -65,18 +62,14 @@ public class SidTests {
}
catch (IllegalArgumentException expected) {
}
try {
Authentication authentication = new TestingAuthenticationToken(null,
"password");
Authentication authentication = new TestingAuthenticationToken(null, "password");
new PrincipalSid(authentication);
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
}
Authentication authentication = new TestingAuthenticationToken("johndoe",
"password");
Authentication authentication = new TestingAuthenticationToken("johndoe", "password");
new PrincipalSid(authentication);
// throws no exception
}
@ -90,25 +83,19 @@ public class SidTests {
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
}
try {
new GrantedAuthoritySid("");
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
}
try {
new GrantedAuthoritySid("ROLE_TEST");
}
catch (IllegalArgumentException notExpected) {
fail("It shouldn't have thrown IllegalArgumentException");
}
// Check one GrantedAuthority-argument constructor
try {
GrantedAuthority ga = null;
@ -116,22 +103,17 @@ public class SidTests {
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
}
try {
GrantedAuthority ga = new SimpleGrantedAuthority(null);
new GrantedAuthoritySid(ga);
fail("It should have thrown IllegalArgumentException");
}
catch (IllegalArgumentException expected) {
}
try {
GrantedAuthority ga = new SimpleGrantedAuthority("ROLE_TEST");
new GrantedAuthoritySid(ga);
}
catch (IllegalArgumentException notExpected) {
fail("It shouldn't have thrown IllegalArgumentException");
@ -140,18 +122,14 @@ public class SidTests {
@Test
public void testPrincipalSidEquals() {
Authentication authentication = new TestingAuthenticationToken("johndoe",
"password");
Authentication authentication = new TestingAuthenticationToken("johndoe", "password");
Sid principalSid = new PrincipalSid(authentication);
assertThat(principalSid.equals(null)).isFalse();
assertThat(principalSid.equals("DIFFERENT_TYPE_OBJECT")).isFalse();
assertThat(principalSid.equals(principalSid)).isTrue();
assertThat(principalSid.equals(new PrincipalSid(authentication))).isTrue();
assertThat(principalSid.equals(new PrincipalSid(
new TestingAuthenticationToken("johndoe", null)))).isTrue();
assertThat(principalSid.equals(new PrincipalSid(
new TestingAuthenticationToken("scott", null)))).isFalse();
assertThat(principalSid.equals(new PrincipalSid(new TestingAuthenticationToken("johndoe", null)))).isTrue();
assertThat(principalSid.equals(new PrincipalSid(new TestingAuthenticationToken("scott", null)))).isFalse();
assertThat(principalSid.equals(new PrincipalSid("johndoe"))).isTrue();
assertThat(principalSid.equals(new PrincipalSid("scott"))).isFalse();
}
@ -160,59 +138,46 @@ public class SidTests {
public void testGrantedAuthoritySidEquals() {
GrantedAuthority ga = new SimpleGrantedAuthority("ROLE_TEST");
Sid gaSid = new GrantedAuthoritySid(ga);
assertThat(gaSid.equals(null)).isFalse();
assertThat(gaSid.equals("DIFFERENT_TYPE_OBJECT")).isFalse();
assertThat(gaSid.equals(gaSid)).isTrue();
assertThat(gaSid.equals(new GrantedAuthoritySid(ga))).isTrue();
assertThat(gaSid.equals(new GrantedAuthoritySid(
new SimpleGrantedAuthority("ROLE_TEST")))).isTrue();
assertThat(gaSid.equals(new GrantedAuthoritySid(
new SimpleGrantedAuthority("ROLE_NOT_EQUAL")))).isFalse();
assertThat(gaSid.equals(new GrantedAuthoritySid(new SimpleGrantedAuthority("ROLE_TEST")))).isTrue();
assertThat(gaSid.equals(new GrantedAuthoritySid(new SimpleGrantedAuthority("ROLE_NOT_EQUAL")))).isFalse();
assertThat(gaSid.equals(new GrantedAuthoritySid("ROLE_TEST"))).isTrue();
assertThat(gaSid.equals(new GrantedAuthoritySid("ROLE_NOT_EQUAL"))).isFalse();
}
@Test
public void testPrincipalSidHashCode() {
Authentication authentication = new TestingAuthenticationToken("johndoe",
"password");
Authentication authentication = new TestingAuthenticationToken("johndoe", "password");
Sid principalSid = new PrincipalSid(authentication);
assertThat(principalSid.hashCode()).isEqualTo("johndoe".hashCode());
assertThat(principalSid.hashCode()).isEqualTo(
new PrincipalSid("johndoe").hashCode());
assertThat(principalSid.hashCode()).isNotEqualTo(
new PrincipalSid("scott").hashCode());
assertThat(principalSid.hashCode()).isNotEqualTo(new PrincipalSid(
new TestingAuthenticationToken("scott", "password")).hashCode());
assertThat(principalSid.hashCode()).isEqualTo(new PrincipalSid("johndoe").hashCode());
assertThat(principalSid.hashCode()).isNotEqualTo(new PrincipalSid("scott").hashCode());
assertThat(principalSid.hashCode())
.isNotEqualTo(new PrincipalSid(new TestingAuthenticationToken("scott", "password")).hashCode());
}
@Test
public void testGrantedAuthoritySidHashCode() {
GrantedAuthority ga = new SimpleGrantedAuthority("ROLE_TEST");
Sid gaSid = new GrantedAuthoritySid(ga);
assertThat(gaSid.hashCode()).isEqualTo("ROLE_TEST".hashCode());
assertThat(gaSid.hashCode()).isEqualTo(
new GrantedAuthoritySid("ROLE_TEST").hashCode());
assertThat(gaSid.hashCode()).isNotEqualTo(
new GrantedAuthoritySid("ROLE_TEST_2").hashCode());
assertThat(gaSid.hashCode()).isNotEqualTo(new GrantedAuthoritySid(
new SimpleGrantedAuthority("ROLE_TEST_2")).hashCode());
assertThat(gaSid.hashCode()).isEqualTo(new GrantedAuthoritySid("ROLE_TEST").hashCode());
assertThat(gaSid.hashCode()).isNotEqualTo(new GrantedAuthoritySid("ROLE_TEST_2").hashCode());
assertThat(gaSid.hashCode())
.isNotEqualTo(new GrantedAuthoritySid(new SimpleGrantedAuthority("ROLE_TEST_2")).hashCode());
}
@Test
public void testGetters() {
Authentication authentication = new TestingAuthenticationToken("johndoe",
"password");
Authentication authentication = new TestingAuthenticationToken("johndoe", "password");
PrincipalSid principalSid = new PrincipalSid(authentication);
GrantedAuthority ga = new SimpleGrantedAuthority("ROLE_TEST");
GrantedAuthoritySid gaSid = new GrantedAuthoritySid(ga);
assertThat("johndoe".equals(principalSid.getPrincipal())).isTrue();
assertThat("scott".equals(principalSid.getPrincipal())).isFalse();
assertThat("ROLE_TEST".equals(gaSid.getGrantedAuthority())).isTrue();
assertThat("ROLE_TEST2".equals(gaSid.getGrantedAuthority())).isFalse();
}
@ -222,7 +187,6 @@ public class SidTests {
User user = new User("user", "password", Collections.singletonList(new SimpleGrantedAuthority("ROLE_TEST")));
Authentication authentication = new TestingAuthenticationToken(user, "password");
PrincipalSid principalSid = new PrincipalSid(authentication);
assertThat("user").isEqualTo(principalSid.getPrincipal());
}
@ -230,7 +194,6 @@ public class SidTests {
public void getPrincipalWhenPrincipalNotInstanceOfUserDetailsThenReturnsPrincipalName() {
Authentication authentication = new TestingAuthenticationToken("token", "password");
PrincipalSid principalSid = new PrincipalSid(authentication);
assertThat("token").isEqualTo(principalSid.getPrincipal());
}
@ -238,11 +201,11 @@ public class SidTests {
public void getPrincipalWhenCustomAuthenticationPrincipalThenReturnsPrincipalName() {
Authentication authentication = new CustomAuthenticationToken(new CustomToken("token"), null);
PrincipalSid principalSid = new PrincipalSid(authentication);
assertThat("token").isEqualTo(principalSid.getPrincipal());
}
static class CustomAuthenticationToken extends AbstractAuthenticationToken {
private CustomToken principal;
CustomAuthenticationToken(CustomToken principal, Collection<GrantedAuthority> authorities) {
@ -262,11 +225,13 @@ public class SidTests {
@Override
public String getName() {
return principal.getName();
return this.principal.getName();
}
}
static class CustomToken {
private String name;
CustomToken(String name) {
@ -274,7 +239,9 @@ public class SidTests {
}
String getName() {
return name;
return this.name;
}
}
}

195
aspects/src/test/java/org/springframework/security/access/intercept/aspectj/aspect/AnnotationSecurityAspectTests.java
View File

@ -13,9 +13,8 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.access.intercept.aspectj.aspect;
import static org.assertj.core.api.Assertions.*;
package org.springframework.security.access.intercept.aspectj.aspect;
import java.util.ArrayList;
import java.util.Arrays;
@ -49,39 +48,44 @@ import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.fail;
/**
*
* @author Luke Taylor
* @since 3.0.3
*/
public class AnnotationSecurityAspectTests {
private AffirmativeBased adm;
private @Mock AuthenticationManager authman;
private TestingAuthenticationToken anne = new TestingAuthenticationToken("anne", "",
"ROLE_A");
@Mock
private AuthenticationManager authman;
private TestingAuthenticationToken anne = new TestingAuthenticationToken("anne", "", "ROLE_A");
// private TestingAuthenticationToken bob = new TestingAuthenticationToken("bob", "",
// "ROLE_B");
private AspectJMethodSecurityInterceptor interceptor;
private SecuredImpl secured = new SecuredImpl();
private SecuredImplSubclass securedSub = new SecuredImplSubclass();
private PrePostSecured prePostSecured = new PrePostSecured();
@Before
public final void setUp() {
MockitoAnnotations.initMocks(this);
interceptor = new AspectJMethodSecurityInterceptor();
AccessDecisionVoter[] voters = new AccessDecisionVoter[] {
new RoleVoter(),
new PreInvocationAuthorizationAdviceVoter(
new ExpressionBasedPreInvocationAdvice()) };
adm = new AffirmativeBased(
Arrays.<AccessDecisionVoter<? extends Object>> asList(voters));
interceptor.setAccessDecisionManager(adm);
interceptor.setAuthenticationManager(authman);
interceptor
.setSecurityMetadataSource(new SecuredAnnotationSecurityMetadataSource());
this.interceptor = new AspectJMethodSecurityInterceptor();
AccessDecisionVoter[] voters = new AccessDecisionVoter[] { new RoleVoter(),
new PreInvocationAuthorizationAdviceVoter(new ExpressionBasedPreInvocationAdvice()) };
this.adm = new AffirmativeBased(Arrays.<AccessDecisionVoter<? extends Object>>asList(voters));
this.interceptor.setAccessDecisionManager(this.adm);
this.interceptor.setAuthenticationManager(this.authman);
this.interceptor.setSecurityMetadataSource(new SecuredAnnotationSecurityMetadataSource());
AnnotationSecurityAspect secAspect = AnnotationSecurityAspect.aspectOf();
secAspect.setSecurityInterceptor(interceptor);
secAspect.setSecurityInterceptor(this.interceptor);
}
@After
@ -91,59 +95,57 @@ public class AnnotationSecurityAspectTests {
@Test
public void securedInterfaceMethodAllowsAllAccess() {
secured.securedMethod();
this.secured.securedMethod();
}
@Test(expected = AuthenticationCredentialsNotFoundException.class)
public void securedClassMethodDeniesUnauthenticatedAccess() {
secured.securedClassMethod();
this.secured.securedClassMethod();
}
@Test
public void securedClassMethodAllowsAccessToRoleA() {
SecurityContextHolder.getContext().setAuthentication(anne);
secured.securedClassMethod();
SecurityContextHolder.getContext().setAuthentication(this.anne);
this.secured.securedClassMethod();
}
@Test(expected = AccessDeniedException.class)
public void internalPrivateCallIsIntercepted() {
SecurityContextHolder.getContext().setAuthentication(anne);
SecurityContextHolder.getContext().setAuthentication(this.anne);
try {
secured.publicCallsPrivate();
this.secured.publicCallsPrivate();
fail("Expected AccessDeniedException");
}
catch (AccessDeniedException expected) {
}
securedSub.publicCallsPrivate();
this.securedSub.publicCallsPrivate();
}
@Test(expected = AccessDeniedException.class)
public void protectedMethodIsIntercepted() {
SecurityContextHolder.getContext().setAuthentication(anne);
secured.protectedMethod();
SecurityContextHolder.getContext().setAuthentication(this.anne);
this.secured.protectedMethod();
}
@Test
public void overriddenProtectedMethodIsNotIntercepted() {
// AspectJ doesn't inherit annotations
securedSub.protectedMethod();
this.securedSub.protectedMethod();
}
// SEC-1262
@Test(expected = AccessDeniedException.class)
public void denyAllPreAuthorizeDeniesAccess() {
configureForElAnnotations();
SecurityContextHolder.getContext().setAuthentication(anne);
prePostSecured.denyAllMethod();
SecurityContextHolder.getContext().setAuthentication(this.anne);
this.prePostSecured.denyAllMethod();
}
@Test
public void postFilterIsApplied() {
configureForElAnnotations();
SecurityContextHolder.getContext().setAuthentication(anne);
List<String> objects = prePostSecured.postFilterMethod();
SecurityContextHolder.getContext().setAuthentication(this.anne);
List<String> objects = this.prePostSecured.postFilterMethod();
assertThat(objects).hasSize(2);
assertThat(objects.contains("apple")).isTrue();
assertThat(objects.contains("aubergine")).isTrue();
@ -151,64 +153,73 @@ public class AnnotationSecurityAspectTests {
private void configureForElAnnotations() {
DefaultMethodSecurityExpressionHandler eh = new DefaultMethodSecurityExpressionHandler();
interceptor
.setSecurityMetadataSource(new PrePostAnnotationSecurityMetadataSource(
new ExpressionBasedAnnotationAttributeFactory(eh)));
interceptor.setAccessDecisionManager(adm);
this.interceptor.setSecurityMetadataSource(
new PrePostAnnotationSecurityMetadataSource(new ExpressionBasedAnnotationAttributeFactory(eh)));
this.interceptor.setAccessDecisionManager(this.adm);
AfterInvocationProviderManager aim = new AfterInvocationProviderManager();
aim.setProviders(Arrays.asList(new PostInvocationAdviceProvider(
new ExpressionBasedPostInvocationAdvice(eh))));
interceptor.setAfterInvocationManager(aim);
}
}
interface SecuredInterface {
@Secured("ROLE_X")
void securedMethod();
}
class SecuredImpl implements SecuredInterface {
// Not really secured because AspectJ doesn't inherit annotations from interfaces
public void securedMethod() {
}
@Secured("ROLE_A")
public void securedClassMethod() {
}
@Secured("ROLE_X")
private void privateMethod() {
}
@Secured("ROLE_X")
protected void protectedMethod() {
}
@Secured("ROLE_X")
public void publicCallsPrivate() {
privateMethod();
}
}
class SecuredImplSubclass extends SecuredImpl {
protected void protectedMethod() {
}
public void publicCallsPrivate() {
super.publicCallsPrivate();
}
}
class PrePostSecured {
@PreAuthorize("denyAll")
public void denyAllMethod() {
}
@PostFilter("filterObject.startsWith('a')")
public List<String> postFilterMethod() {
ArrayList<String> objects = new ArrayList<>();
objects.addAll(Arrays.asList(new String[] { "apple", "banana", "aubergine",
"orange" }));
return objects;
aim.setProviders(Arrays.asList(new PostInvocationAdviceProvider(new ExpressionBasedPostInvocationAdvice(eh))));
this.interceptor.setAfterInvocationManager(aim);
}
interface SecuredInterface {
@Secured("ROLE_X")
void securedMethod();
}
static class SecuredImpl implements SecuredInterface {
// Not really secured because AspectJ doesn't inherit annotations from interfaces
@Override
public void securedMethod() {
}
@Secured("ROLE_A")
public void securedClassMethod() {
}
@Secured("ROLE_X")
private void privateMethod() {
}
@Secured("ROLE_X")
protected void protectedMethod() {
}
@Secured("ROLE_X")
public void publicCallsPrivate() {
privateMethod();
}
}
static class SecuredImplSubclass extends SecuredImpl {
@Override
protected void protectedMethod() {
}
@Override
public void publicCallsPrivate() {
super.publicCallsPrivate();
}
}
static class PrePostSecured {
@PreAuthorize("denyAll")
public void denyAllMethod() {
}
@PostFilter("filterObject.startsWith('a')")
public List<String> postFilterMethod() {
ArrayList<String> objects = new ArrayList<>();
objects.addAll(Arrays.asList(new String[] { "apple", "banana", "aubergine", "orange" }));
return objects;
}
}
}

26
build.gradle
View File

@ -1,6 +1,7 @@
buildscript {
dependencies {
classpath 'io.spring.gradle:spring-build-conventions:0.0.33.RELEASE'
classpath "io.spring.javaformat:spring-javaformat-gradle-plugin:$springJavaformatVersion"
classpath "org.springframework.boot:spring-boot-gradle-plugin:$springBootVersion"
classpath 'io.spring.nohttp:nohttp-gradle:0.0.5.RELEASE'
classpath "io.freefair.gradle:aspectj-plugin:5.0.1"
@ -34,12 +35,35 @@ subprojects {
plugins.withType(JavaPlugin) {
project.sourceCompatibility='1.8'
}
tasks.withType(JavaCompile) {
options.encoding = "UTF-8"
}
}
allprojects {
apply plugin: 'io.spring.javaformat'
apply plugin: 'checkstyle'
pluginManager.withPlugin("io.spring.convention.checkstyle", { plugin ->
configure(plugin) {
dependencies {
checkstyle "io.spring.javaformat:spring-javaformat-checkstyle:$springJavaformatVersion"
}
checkstyle {
toolVersion = '8.34'
}
}
})
if (project.name.contains('sample')) {
tasks.whenTaskAdded { task ->
if (task.name.contains('format') || task.name.contains('checkFormat') || task.name.contains("checkstyle")) {
task.enabled = false
}
}
}
}
nohttp {
allowlistFile = project.file("etc/nohttp/allowlist.lines")
}

2
buildSrc/src/main/java/lock/GlobalLockPlugin.java
View File

@ -9,7 +9,7 @@ import org.gradle.api.Project;
public class GlobalLockPlugin implements Plugin<Project> {
@Override
public void apply(Project project) {
project.getTasks().register("writeLocks", GlobalLockTask.class, writeAll -> {
project.getTasks().register("writeLocks", GlobalLockTask.class, (writeAll) -> {
writeAll.setDescription("Writes the locks for all projects");
});
}

2
buildSrc/src/main/java/trang/TrangPlugin.java
View File

@ -10,7 +10,7 @@ import org.gradle.api.Project;
public class TrangPlugin implements Plugin<Project> {
@Override
public void apply(Project project) {
project.getTasks().register("rncToXsd", RncToXsd.class, rncToXsd -> {
project.getTasks().register("rncToXsd", RncToXsd.class, (rncToXsd) -> {
rncToXsd.setDescription("Converts .rnc to .xsd");
rncToXsd.setGroup("Build");
});

2
cas/src/main/java/org/springframework/security/cas/SamlServiceProperties.java
View File

@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.cas;
/**
@ -32,4 +33,5 @@ public final class SamlServiceProperties extends ServiceProperties {
super.setArtifactParameter(DEFAULT_SAML_ARTIFACT_PARAMETER);
super.setServiceParameter(DEFAULT_SAML_SERVICE_PARAMETER);
}
}

16
cas/src/main/java/org/springframework/security/cas/ServiceProperties.java
View File

@ -34,9 +34,6 @@ public class ServiceProperties implements InitializingBean {
public static final String DEFAULT_CAS_SERVICE_PARAMETER = "service";
// ~ Instance fields
// ================================================================================================
private String service;
private boolean authenticateAllArtifacts;
@ -47,9 +44,7 @@ public class ServiceProperties implements InitializingBean {
private String serviceParameter = DEFAULT_CAS_SERVICE_PARAMETER;
// ~ Methods
// ========================================================================================================
@Override
public void afterPropertiesSet() {
Assert.hasLength(this.service, "service cannot be empty.");
Assert.hasLength(this.artifactParameter, "artifactParameter cannot be empty.");
@ -65,7 +60,6 @@ public class ServiceProperties implements InitializingBean {
* <pre>
* https://www.mycompany.com/application/login/cas
* </pre>
*
* @return the URL of the service the user is authenticating to
*/
public final String getService() {
@ -81,7 +75,6 @@ public class ServiceProperties implements InitializingBean {
* ticket was generated as a consequence of an explicit login. High security
* applications would probably set this to <code>true</code>. Defaults to
* <code>false</code>, providing automated single sign on.
*
* @return whether to send the <code>renew</code> parameter to CAS
*/
public final boolean isSendRenew() {
@ -103,7 +96,6 @@ public class ServiceProperties implements InitializingBean {
/**
* Configures the Request Parameter to look for when attempting to see if a CAS ticket
* was sent from the server.
*
* @param artifactParameter the id to use. Default is "ticket".
*/
public final void setArtifactParameter(final String artifactParameter) {
@ -113,7 +105,6 @@ public class ServiceProperties implements InitializingBean {
/**
* Configures the Request parameter to look for when attempting to send a request to
* CAS.
*
* @return the service parameter to use. Default is "service".
*/
public final String getServiceParameter() {
@ -132,11 +123,10 @@ public class ServiceProperties implements InitializingBean {
* If true, then any non-null artifact (ticket) should be authenticated. Additionally,
* the service will be determined dynamically in order to ensure the service matches
* the expected value for this artifact.
*
* @param authenticateAllArtifacts
*/
public final void setAuthenticateAllArtifacts(
final boolean authenticateAllArtifacts) {
public final void setAuthenticateAllArtifacts(final boolean authenticateAllArtifacts) {
this.authenticateAllArtifacts = authenticateAllArtifacts;
}
}

6
cas/src/main/java/org/springframework/security/cas/authentication/CasAssertionAuthenticationToken.java
View File

@ -13,11 +13,13 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.cas.authentication;
import java.util.ArrayList;
import org.jasig.cas.client.validation.Assertion;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.SpringSecurityCoreVersion;
@ -37,15 +39,16 @@ public final class CasAssertionAuthenticationToken extends AbstractAuthenticatio
public CasAssertionAuthenticationToken(final Assertion assertion, final String ticket) {
super(new ArrayList<>());
this.assertion = assertion;
this.ticket = ticket;
}
@Override
public Object getPrincipal() {
return this.assertion.getPrincipal().getName();
}
@Override
public Object getCredentials() {
return this.ticket;
}
@ -53,4 +56,5 @@ public final class CasAssertionAuthenticationToken extends AbstractAuthenticatio
public Assertion getAssertion() {
return this.assertion;
}
}

147
cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationProvider.java
View File

@ -21,10 +21,12 @@ import org.apache.commons.logging.LogFactory;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.TicketValidationException;
import org.jasig.cas.client.validation.TicketValidator;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.MessageSource;
import org.springframework.context.MessageSourceAware;
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.core.log.LogMessage;
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
@ -37,7 +39,11 @@ import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.SpringSecurityMessageSource;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.authority.mapping.NullAuthoritiesMapper;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.util.Assert;
/**
@ -54,118 +60,93 @@ import org.springframework.util.Assert;
* @author Ben Alex
* @author Scott Battaglia
*/
public class CasAuthenticationProvider implements AuthenticationProvider,
InitializingBean, MessageSourceAware {
// ~ Static fields/initializers
// =====================================================================================
public class CasAuthenticationProvider implements AuthenticationProvider, InitializingBean, MessageSourceAware {
private static final Log logger = LogFactory.getLog(CasAuthenticationProvider.class);
// ~ Instance fields
// ================================================================================================
private AuthenticationUserDetailsService<CasAssertionAuthenticationToken> authenticationUserDetailsService;
private final UserDetailsChecker userDetailsChecker = new AccountStatusUserDetailsChecker();
protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
private StatelessTicketCache statelessTicketCache = new NullStatelessTicketCache();
private String key;
private TicketValidator ticketValidator;
private ServiceProperties serviceProperties;
private GrantedAuthoritiesMapper authoritiesMapper = new NullAuthoritiesMapper();
// ~ Methods
// ========================================================================================================
@Override
public void afterPropertiesSet() {
Assert.notNull(this.authenticationUserDetailsService,
"An authenticationUserDetailsService must be set");
Assert.notNull(this.authenticationUserDetailsService, "An authenticationUserDetailsService must be set");
Assert.notNull(this.ticketValidator, "A ticketValidator must be set");
Assert.notNull(this.statelessTicketCache, "A statelessTicketCache must be set");
Assert.hasText(
this.key,
Assert.hasText(this.key,
"A Key is required so CasAuthenticationProvider can identify tokens it previously authenticated");
Assert.notNull(this.messages, "A message source must be set");
}
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
if (!supports(authentication.getClass())) {
return null;
}
if (authentication instanceof UsernamePasswordAuthenticationToken
&& (!CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER
.equals(authentication.getPrincipal().toString()) && !CasAuthenticationFilter.CAS_STATELESS_IDENTIFIER
.equals(authentication.getPrincipal().toString()))) {
&& (!CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER.equals(authentication.getPrincipal().toString())
&& !CasAuthenticationFilter.CAS_STATELESS_IDENTIFIER
.equals(authentication.getPrincipal().toString()))) {
// UsernamePasswordAuthenticationToken not CAS related
return null;
}
// If an existing CasAuthenticationToken, just check we created it
if (authentication instanceof CasAuthenticationToken) {
if (this.key.hashCode() == ((CasAuthenticationToken) authentication)
.getKeyHash()) {
return authentication;
}
else {
throw new BadCredentialsException(
messages.getMessage("CasAuthenticationProvider.incorrectKey",
"The presented CasAuthenticationToken does not contain the expected key"));
if (this.key.hashCode() != ((CasAuthenticationToken) authentication).getKeyHash()) {
throw new BadCredentialsException(this.messages.getMessage("CasAuthenticationProvider.incorrectKey",
"The presented CasAuthenticationToken does not contain the expected key"));
}
return authentication;
}
// Ensure credentials are presented
if ((authentication.getCredentials() == null)
|| "".equals(authentication.getCredentials())) {
throw new BadCredentialsException(messages.getMessage(
"CasAuthenticationProvider.noServiceTicket",
if ((authentication.getCredentials() == null) || "".equals(authentication.getCredentials())) {
throw new BadCredentialsException(this.messages.getMessage("CasAuthenticationProvider.noServiceTicket",
"Failed to provide a CAS service ticket to validate"));
}
boolean stateless = false;
if (authentication instanceof UsernamePasswordAuthenticationToken
&& CasAuthenticationFilter.CAS_STATELESS_IDENTIFIER.equals(authentication
.getPrincipal())) {
stateless = true;
}
boolean stateless = (authentication instanceof UsernamePasswordAuthenticationToken
&& CasAuthenticationFilter.CAS_STATELESS_IDENTIFIER.equals(authentication.getPrincipal()));
CasAuthenticationToken result = null;
if (stateless) {
// Try to obtain from cache
result = statelessTicketCache.getByTicketId(authentication.getCredentials()
.toString());
result = this.statelessTicketCache.getByTicketId(authentication.getCredentials().toString());
}
if (result == null) {
result = this.authenticateNow(authentication);
result.setDetails(authentication.getDetails());
}
if (stateless) {
// Add to cache
statelessTicketCache.putTicketInCache(result);
this.statelessTicketCache.putTicketInCache(result);
}
return result;
}
private CasAuthenticationToken authenticateNow(final Authentication authentication)
throws AuthenticationException {
private CasAuthenticationToken authenticateNow(final Authentication authentication) throws AuthenticationException {
try {
final Assertion assertion = this.ticketValidator.validate(authentication
.getCredentials().toString(), getServiceUrl(authentication));
final UserDetails userDetails = loadUserByAssertion(assertion);
userDetailsChecker.check(userDetails);
return new CasAuthenticationToken(this.key, userDetails,
authentication.getCredentials(),
authoritiesMapper.mapAuthorities(userDetails.getAuthorities()),
userDetails, assertion);
Assertion assertion = this.ticketValidator.validate(authentication.getCredentials().toString(),
getServiceUrl(authentication));
UserDetails userDetails = loadUserByAssertion(assertion);
this.userDetailsChecker.check(userDetails);
return new CasAuthenticationToken(this.key, userDetails, authentication.getCredentials(),
this.authoritiesMapper.mapAuthorities(userDetails.getAuthorities()), userDetails, assertion);
}
catch (final TicketValidationException e) {
throw new BadCredentialsException(e.getMessage(), e);
catch (TicketValidationException ex) {
throw new BadCredentialsException(ex.getMessage(), ex);
}
}
@ -174,30 +155,20 @@ public class CasAuthenticationProvider implements AuthenticationProvider,
* {@link ServiceAuthenticationDetails}, then
* {@link ServiceAuthenticationDetails#getServiceUrl()} is used. Otherwise, the
* {@link ServiceProperties#getService()} is used.
*
* @param authentication
* @return
*/
private String getServiceUrl(Authentication authentication) {
String serviceUrl;
if (authentication.getDetails() instanceof ServiceAuthenticationDetails) {
serviceUrl = ((ServiceAuthenticationDetails) authentication.getDetails())
.getServiceUrl();
}
else if (serviceProperties == null) {
throw new IllegalStateException(
"serviceProperties cannot be null unless Authentication.getDetails() implements ServiceAuthenticationDetails.");
}
else if (serviceProperties.getService() == null) {
throw new IllegalStateException(
"serviceProperties.getService() cannot be null unless Authentication.getDetails() implements ServiceAuthenticationDetails.");
}
else {
serviceUrl = serviceProperties.getService();
}
if (logger.isDebugEnabled()) {
logger.debug("serviceUrl = " + serviceUrl);
return ((ServiceAuthenticationDetails) authentication.getDetails()).getServiceUrl();
}
Assert.state(this.serviceProperties != null,
"serviceProperties cannot be null unless Authentication.getDetails() implements ServiceAuthenticationDetails.");
Assert.state(this.serviceProperties.getService() != null,
"serviceProperties.getService() cannot be null unless Authentication.getDetails() implements ServiceAuthenticationDetails.");
serviceUrl = this.serviceProperties.getService();
logger.debug(LogMessage.format("serviceUrl = %s", serviceUrl));
return serviceUrl;
}
@ -205,13 +176,11 @@ public class CasAuthenticationProvider implements AuthenticationProvider,
* Template method for retrieving the UserDetails based on the assertion. Default is
* to call configured userDetailsService and pass the username. Deployers can override
* this method and retrieve the user based on any criteria they desire.
*
* @param assertion The CAS Assertion.
* @return the UserDetails.
*/
protected UserDetails loadUserByAssertion(final Assertion assertion) {
final CasAssertionAuthenticationToken token = new CasAssertionAuthenticationToken(
assertion, "");
final CasAssertionAuthenticationToken token = new CasAssertionAuthenticationToken(assertion, "");
return this.authenticationUserDetailsService.loadUserDetails(token);
}
@ -220,8 +189,7 @@ public class CasAuthenticationProvider implements AuthenticationProvider,
* Sets the UserDetailsService to use. This is a convenience method to invoke
*/
public void setUserDetailsService(final UserDetailsService userDetailsService) {
this.authenticationUserDetailsService = new UserDetailsByNameServiceWrapper(
userDetailsService);
this.authenticationUserDetailsService = new UserDetailsByNameServiceWrapper(userDetailsService);
}
public void setAuthenticationUserDetailsService(
@ -234,7 +202,7 @@ public class CasAuthenticationProvider implements AuthenticationProvider,
}
protected String getKey() {
return key;
return this.key;
}
public void setKey(String key) {
@ -242,13 +210,14 @@ public class CasAuthenticationProvider implements AuthenticationProvider,
}
public StatelessTicketCache getStatelessTicketCache() {
return statelessTicketCache;
return this.statelessTicketCache;
}
protected TicketValidator getTicketValidator() {
return ticketValidator;
return this.ticketValidator;
}
@Override
public void setMessageSource(final MessageSource messageSource) {
this.messages = new MessageSourceAccessor(messageSource);
}
@ -265,11 +234,11 @@ public class CasAuthenticationProvider implements AuthenticationProvider,
this.authoritiesMapper = authoritiesMapper;
}
@Override
public boolean supports(final Class<?> authentication) {
return (UsernamePasswordAuthenticationToken.class
.isAssignableFrom(authentication))
return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication))
|| (CasAuthenticationToken.class.isAssignableFrom(authentication))
|| (CasAssertionAuthenticationToken.class
.isAssignableFrom(authentication));
|| (CasAssertionAuthenticationToken.class.isAssignableFrom(authentication));
}
}

101
cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationToken.java
View File

@ -20,11 +20,13 @@ import java.io.Serializable;
import java.util.Collection;
import org.jasig.cas.client.validation.Assertion;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.SpringSecurityCoreVersion;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.util.Assert;
import org.springframework.util.ObjectUtils;
/**
* Represents a successful CAS <code>Authentication</code>.
@ -32,80 +34,69 @@ import org.springframework.util.Assert;
* @author Ben Alex
* @author Scott Battaglia
*/
public class CasAuthenticationToken extends AbstractAuthenticationToken implements
Serializable {
public class CasAuthenticationToken extends AbstractAuthenticationToken implements Serializable {
private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
// ~ Instance fields
// ================================================================================================
private final Object credentials;
private final Object principal;
private final UserDetails userDetails;
private final int keyHash;
private final Assertion assertion;
// ~ Constructors
// ===================================================================================================
private final Object principal;
private final UserDetails userDetails;
private final int keyHash;
private final Assertion assertion;
/**
* Constructor.
*
* @param key to identify if this object made by a given
* {@link CasAuthenticationProvider}
* @param principal typically the UserDetails object (cannot be <code>null</code>)
* @param key to identify if this object made by a given
* {@link CasAuthenticationProvider}
* @param principal typically the UserDetails object (cannot be <code>null</code>)
* @param credentials the service/proxy ticket ID from CAS (cannot be
* <code>null</code>)
* <code>null</code>)
* @param authorities the authorities granted to the user (from the
* {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot
* be <code>null</code>)
* {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot
* be <code>null</code>)
* @param userDetails the user details (from the
* {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot
* be <code>null</code>)
* @param assertion the assertion returned from the CAS servers. It contains the
* principal and how to obtain a proxy ticket for the user.
* {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot
* be <code>null</code>)
* @param assertion the assertion returned from the CAS servers. It contains the
* principal and how to obtain a proxy ticket for the user.
* @throws IllegalArgumentException if a <code>null</code> was passed
*/
public CasAuthenticationToken(final String key, final Object principal,
final Object credentials,
final Collection<? extends GrantedAuthority> authorities,
final UserDetails userDetails, final Assertion assertion) {
public CasAuthenticationToken(final String key, final Object principal, final Object credentials,
final Collection<? extends GrantedAuthority> authorities, final UserDetails userDetails,
final Assertion assertion) {
this(extractKeyHash(key), principal, credentials, authorities, userDetails, assertion);
}
/**
* Private constructor for Jackson Deserialization support
*
* @param keyHash hashCode of provided key to identify if this object made by a given
* {@link CasAuthenticationProvider}
* @param principal typically the UserDetails object (cannot be <code>null</code>)
* @param keyHash hashCode of provided key to identify if this object made by a given
* {@link CasAuthenticationProvider}
* @param principal typically the UserDetails object (cannot be <code>null</code>)
* @param credentials the service/proxy ticket ID from CAS (cannot be
* <code>null</code>)
* <code>null</code>)
* @param authorities the authorities granted to the user (from the
* {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot
* be <code>null</code>)
* {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot
* be <code>null</code>)
* @param userDetails the user details (from the
* {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot
* be <code>null</code>)
* @param assertion the assertion returned from the CAS servers. It contains the
* principal and how to obtain a proxy ticket for the user.
* {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot
* be <code>null</code>)
* @param assertion the assertion returned from the CAS servers. It contains the
* principal and how to obtain a proxy ticket for the user.
* @throws IllegalArgumentException if a <code>null</code> was passed
* @since 4.2
*/
private CasAuthenticationToken(final Integer keyHash, final Object principal,
final Object credentials,
final Collection<? extends GrantedAuthority> authorities,
final UserDetails userDetails, final Assertion assertion) {
private CasAuthenticationToken(final Integer keyHash, final Object principal, final Object credentials,
final Collection<? extends GrantedAuthority> authorities, final UserDetails userDetails,
final Assertion assertion) {
super(authorities);
if ((principal == null)
|| "".equals(principal) || (credentials == null)
|| "".equals(credentials) || (authorities == null)
|| (userDetails == null) || (assertion == null)) {
throw new IllegalArgumentException(
"Cannot pass null or empty values to constructor");
if ((principal == null) || "".equals(principal) || (credentials == null) || "".equals(credentials)
|| (authorities == null) || (userDetails == null) || (assertion == null)) {
throw new IllegalArgumentException("Cannot pass null or empty values to constructor");
}
this.keyHash = keyHash;
this.principal = principal;
this.credentials = credentials;
@ -114,9 +105,6 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken implemen
setAuthenticated(true);
}
// ~ Methods
// ========================================================================================================
private static Integer extractKeyHash(String key) {
Assert.hasLength(key, "key cannot be null or empty");
return key.hashCode();
@ -127,21 +115,16 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken implemen
if (!super.equals(obj)) {
return false;
}
if (obj instanceof CasAuthenticationToken) {
CasAuthenticationToken test = (CasAuthenticationToken) obj;
if (!this.assertion.equals(test.getAssertion())) {
return false;
}
if (this.getKeyHash() != test.getKeyHash()) {
return false;
}
return true;
}
return false;
}
@ -152,7 +135,7 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken implemen
result = 31 * result + this.principal.hashCode();
result = 31 * result + this.userDetails.hashCode();
result = 31 * result + this.keyHash;
result = 31 * result + (this.assertion != null ? this.assertion.hashCode() : 0);
result = 31 * result + ObjectUtils.nullSafeHashCode(this.assertion);
return result;
}
@ -175,7 +158,7 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken implemen
}
public UserDetails getUserDetails() {
return userDetails;
return this.userDetails;
}
@Override
@ -184,7 +167,7 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken implemen
sb.append(super.toString());
sb.append(" Assertion: ").append(this.assertion);
sb.append(" Credentials (Service/Proxy Ticket): ").append(this.credentials);
return (sb.toString());
}
}

Some files were not shown because too many files have changed in this diff Show More