Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-07-07 03:02:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-530: Refactor ACL module so ACE manipulation is index-based as

Browse Source 
opposed to AccessControlEntry.getId() based.
This commit is contained in:
Ben Alex 2008-04-05 20:43:10 +00:00
parent 431253188d
commit 677607bcad
12 changed files with 107 additions and 147 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
acl/src/main/java/org/springframework/security/acls/Acl.java
View File

@ -32,10 +32,11 @@ import java.io.Serializable;
* </p> * </p>
* *
* <p> * <p>
* TODO: Clarify this paragraph * Implementing classes may elect to return instances that represent
* An implementation represents the {@link org.springframework.security.acls.Permission} * {@link org.springframework.security.acls.Permission} information for either
* list applicable for some or all {@link org.springframework.security.acls.sid.Sid} * some OR all {@link org.springframework.security.acls.sid.Sid}
* instances. * instances. Therefore, an instance may NOT necessarily contain ALL <tt>Sid</tt>s
* for a given domain object.
* </p> * </p>
* *
* @author Ben Alex * @author Ben Alex
@ -49,9 +50,9 @@ public interface Acl extends Serializable {
* *
* <p>This method is typically used for administrative purposes.</p> * <p>This method is typically used for administrative purposes.</p>
* *
* <p>The order that entries appear in the array is unspecified. However, if implementations use * <p>The order that entries appear in the array is important for methods declared in the
* particular ordering logic in authorization decisions, the entries returned by this method * {@link MutableAcl} interface. Furthermore, some implementations MAY use ordering as
* <em>MUST</em> be ordered in that manner.</p> * part of advanced permission checking.</p>
* *
* <p>Do <em>NOT</em> use this method for making authorization decisions. Instead use {@link * <p>Do <em>NOT</em> use this method for making authorization decisions. Instead use {@link
* #isGranted(Permission[], Sid[], boolean)}.</p> * #isGranted(Permission[], Sid[], boolean)}.</p>

3
acl/src/main/java/org/springframework/security/acls/AuditableAcl.java
View File

@ -14,7 +14,6 @@
*/ */
package org.springframework.security.acls; package org.springframework.security.acls;
import java.io.Serializable;
/** /**
@ -27,5 +26,5 @@ import java.io.Serializable;
public interface AuditableAcl extends MutableAcl { public interface AuditableAcl extends MutableAcl {
//~ Methods ======================================================================================================== //~ Methods ========================================================================================================
void updateAuditing(Serializable aceId, boolean auditSuccess, boolean auditFailure); void updateAuditing(int aceIndex, boolean auditSuccess, boolean auditFailure);
} }

21
acl/src/main/java/org/springframework/security/acls/MutableAcl.java
View File

@ -14,10 +14,10 @@
*/ */
package org.springframework.security.acls; package org.springframework.security.acls;
import org.springframework.security.acls.sid.Sid;
import java.io.Serializable; import java.io.Serializable;
import org.springframework.security.acls.sid.Sid;
/** /**
* A mutable <tt>Acl</tt>. * A mutable <tt>Acl</tt>.
@ -33,18 +33,7 @@ import java.io.Serializable;
public interface MutableAcl extends Acl { public interface MutableAcl extends Acl {
//~ Methods ======================================================================================================== //~ Methods ========================================================================================================
void deleteAce(Serializable aceId) throws NotFoundException; void deleteAce(int aceIndex) throws NotFoundException;
/**
* Retrieves all of the non-deleted {@link AccessControlEntry} instances currently stored by the
* <tt>MutableAcl</tt>. The returned objects should be immutable outside the package, and therefore it is safe
* to return them to the caller for informational purposes. The <tt>AccessControlEntry</tt> information is
* needed so that invocations of update and delete methods on the <tt>MutableAcl</tt> can refer to a valid
* {@link AccessControlEntry#getId()}.
*
* @return DOCUMENT ME!
*/
AccessControlEntry[] getEntries();
/** /**
* Obtains an identifier that represents this <tt>MutableAcl</tt>. * Obtains an identifier that represents this <tt>MutableAcl</tt>.
@ -53,7 +42,7 @@ public interface MutableAcl extends Acl {
*/ */
Serializable getId(); Serializable getId();
void insertAce(Serializable afterAceId, Permission permission, Sid sid, boolean granting) void insertAce(int atIndexLocation, Permission permission, Sid sid, boolean granting)
throws NotFoundException; throws NotFoundException;
/** /**
@ -77,6 +66,6 @@ public interface MutableAcl extends Acl {
*/ */
void setParent(Acl newParent); void setParent(Acl newParent);
void updateAce(Serializable aceId, Permission permission) void updateAce(int aceIndex, Permission permission)
throws NotFoundException; throws NotFoundException;
} }

79
acl/src/main/java/org/springframework/security/acls/domain/AclImpl.java
View File

@ -114,34 +114,22 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
//~ Methods ======================================================================================================== //~ Methods ========================================================================================================
public void deleteAce(Serializable aceId) throws NotFoundException { private void verifyAceIndexExists(int aceIndex) {
if (aceIndex < 0) {
throw new NotFoundException("aceIndex must be greater than or equal to zero");
}
if (aceIndex > this.aces.size()) {
throw new NotFoundException("aceIndex must correctly refer to an index of the AccessControlEntry collection");
}
}
public void deleteAce(int aceIndex) throws NotFoundException {
aclAuthorizationStrategy.securityCheck(this, AclAuthorizationStrategy.CHANGE_GENERAL); aclAuthorizationStrategy.securityCheck(this, AclAuthorizationStrategy.CHANGE_GENERAL);
verifyAceIndexExists(aceIndex);
synchronized (aces) { synchronized (aces) {
int offset = findAceOffset(aceId); this.aces.remove(aceIndex);
if (offset == -1) {
throw new NotFoundException("Requested ACE ID not found");
} }
this.aces.remove(offset);
}
}
private int findAceOffset(Serializable aceId) {
Assert.notNull(aceId, "ACE ID is required");
synchronized (aces) {
for (int i = 0; i < aces.size(); i++) {
AccessControlEntry ace = (AccessControlEntry) aces.get(i);
if (ace.getId().equals(aceId)) {
return i;
}
}
}
return -1;
} }
public AccessControlEntry[] getEntries() { public AccessControlEntry[] getEntries() {
@ -165,26 +153,22 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
return parentAcl; return parentAcl;
} }
public void insertAce(Serializable afterAceId, Permission permission, Sid sid, boolean granting) public void insertAce(int atIndexLocation, Permission permission, Sid sid, boolean granting)
throws NotFoundException { throws NotFoundException {
aclAuthorizationStrategy.securityCheck(this, AclAuthorizationStrategy.CHANGE_GENERAL); aclAuthorizationStrategy.securityCheck(this, AclAuthorizationStrategy.CHANGE_GENERAL);
Assert.notNull(permission, "Permission required"); Assert.notNull(permission, "Permission required");
Assert.notNull(sid, "Sid required"); Assert.notNull(sid, "Sid required");
if (atIndexLocation < 0) {
throw new NotFoundException("atIndexLocation must be greater than or equal to zero");
}
if (atIndexLocation > this.aces.size()) {
throw new NotFoundException("atIndexLocation must be less than or equal to the size of the AccessControlEntry collection");
}
AccessControlEntryImpl ace = new AccessControlEntryImpl(null, this, sid, permission, granting, false, false); AccessControlEntryImpl ace = new AccessControlEntryImpl(null, this, sid, permission, granting, false, false);
synchronized (aces) { synchronized (aces) {
if (afterAceId != null) { this.aces.add(atIndexLocation, ace);
int offset = findAceOffset(afterAceId);
if (offset == -1) {
throw new NotFoundException("Requested ACE ID not found");
}
this.aces.add(offset + 1, ace);
} else {
this.aces.add(ace);
}
} }
} }
@ -372,33 +356,23 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
return sb.toString(); return sb.toString();
} }
public void updateAce(Serializable aceId, Permission permission) public void updateAce(int aceIndex, Permission permission)
throws NotFoundException { throws NotFoundException {
aclAuthorizationStrategy.securityCheck(this, AclAuthorizationStrategy.CHANGE_GENERAL); aclAuthorizationStrategy.securityCheck(this, AclAuthorizationStrategy.CHANGE_GENERAL);
verifyAceIndexExists(aceIndex);
synchronized (aces) { synchronized (aces) {
int offset = findAceOffset(aceId); AccessControlEntryImpl ace = (AccessControlEntryImpl) aces.get(aceIndex);
if (offset == -1) {
throw new NotFoundException("Requested ACE ID not found");
}
AccessControlEntryImpl ace = (AccessControlEntryImpl) aces.get(offset);
ace.setPermission(permission); ace.setPermission(permission);
} }
} }
public void updateAuditing(Serializable aceId, boolean auditSuccess, boolean auditFailure) { public void updateAuditing(int aceIndex, boolean auditSuccess, boolean auditFailure) {
aclAuthorizationStrategy.securityCheck(this, AclAuthorizationStrategy.CHANGE_AUDITING); aclAuthorizationStrategy.securityCheck(this, AclAuthorizationStrategy.CHANGE_AUDITING);
verifyAceIndexExists(aceIndex);
synchronized (aces) { synchronized (aces) {
int offset = findAceOffset(aceId); AccessControlEntryImpl ace = (AccessControlEntryImpl) aces.get(aceIndex);
if (offset == -1) {
throw new NotFoundException("Requested ACE ID not found");
}
AccessControlEntryImpl ace = (AccessControlEntryImpl) aces.get(offset);
ace.setAuditSuccess(auditSuccess); ace.setAuditSuccess(auditSuccess);
ace.setAuditFailure(auditFailure); ace.setAuditFailure(auditFailure);
} }
@ -406,7 +380,6 @@ public class AclImpl implements Acl, MutableAcl, AuditableAcl, OwnershipAcl {
public boolean equals(Object obj) { public boolean equals(Object obj) {
if (obj instanceof AclImpl) { if (obj instanceof AclImpl) {
AclImpl rhs = (AclImpl) obj; AclImpl rhs = (AclImpl) obj;
if (this.aces.equals(rhs.aces)) { if (this.aces.equals(rhs.aces)) {
if ((this.parentAcl == null && rhs.parentAcl == null) || (this.parentAcl.equals(rhs.parentAcl))) { if ((this.parentAcl == null && rhs.parentAcl == null) || (this.parentAcl.equals(rhs.parentAcl))) {

80
acl/src/test/java/org/springframework/security/acls/domain/AclImplTests.java
View File

@ -138,14 +138,14 @@ public class AclImplTests extends TestCase {
MutableAcl acl = new AclImpl(identity, new Long(1), strategy, auditLogger, null, null, true, new PrincipalSid( MutableAcl acl = new AclImpl(identity, new Long(1), strategy, auditLogger, null, null, true, new PrincipalSid(
"johndoe")); "johndoe"));
try { try {
acl.insertAce(new Long(1), null, new GrantedAuthoritySid("ROLE_IGNORED"), true); acl.insertAce(0, null, new GrantedAuthoritySid("ROLE_IGNORED"), true);
fail("It should have thrown IllegalArgumentException"); fail("It should have thrown IllegalArgumentException");
} }
catch (IllegalArgumentException expected) { catch (IllegalArgumentException expected) {
assertTrue(true); assertTrue(true);
} }
try { try {
acl.insertAce(new Long(1), BasePermission.READ, null, true); acl.insertAce(0, BasePermission.READ, null, true);
fail("It should have thrown IllegalArgumentException"); fail("It should have thrown IllegalArgumentException");
} }
catch (IllegalArgumentException expected) { catch (IllegalArgumentException expected) {
@ -168,7 +168,7 @@ public class AclImplTests extends TestCase {
MockAclService service = new MockAclService(); MockAclService service = new MockAclService();
// Insert one permission // Insert one permission
acl.insertAce(null, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST1"), true); acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST1"), true);
service.updateAcl(acl); service.updateAcl(acl);
// Check it was successfully added // Check it was successfully added
assertEquals(1, acl.getEntries().length); assertEquals(1, acl.getEntries().length);
@ -177,7 +177,7 @@ public class AclImplTests extends TestCase {
assertEquals(acl.getEntries()[0].getSid(), new GrantedAuthoritySid("ROLE_TEST1")); assertEquals(acl.getEntries()[0].getSid(), new GrantedAuthoritySid("ROLE_TEST1"));
// Add a second permission // Add a second permission
acl.insertAce(null, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST2"), true); acl.insertAce(1, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST2"), true);
service.updateAcl(acl); service.updateAcl(acl);
// Check it was added on the last position // Check it was added on the last position
assertEquals(2, acl.getEntries().length); assertEquals(2, acl.getEntries().length);
@ -186,7 +186,7 @@ public class AclImplTests extends TestCase {
assertEquals(acl.getEntries()[1].getSid(), new GrantedAuthoritySid("ROLE_TEST2")); assertEquals(acl.getEntries()[1].getSid(), new GrantedAuthoritySid("ROLE_TEST2"));
// Add a third permission, after the first one // Add a third permission, after the first one
acl.insertAce(acl.getEntries()[0].getId(), BasePermission.WRITE, new GrantedAuthoritySid("ROLE_TEST3"), false); acl.insertAce(1, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_TEST3"), false);
service.updateAcl(acl); service.updateAcl(acl);
assertEquals(3, acl.getEntries().length); assertEquals(3, acl.getEntries().length);
// Check the third entry was added between the two existent ones // Check the third entry was added between the two existent ones
@ -213,11 +213,11 @@ public class AclImplTests extends TestCase {
MockAclService service = new MockAclService(); MockAclService service = new MockAclService();
// Insert one permission // Insert one permission
acl.insertAce(null, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST1"), true); acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST1"), true);
service.updateAcl(acl); service.updateAcl(acl);
try { try {
acl.insertAce(new Long(5), BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST2"), true); acl.insertAce(55, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST2"), true);
fail("It should have thrown NotFoundException"); fail("It should have thrown NotFoundException");
} }
catch (NotFoundException expected) { catch (NotFoundException expected) {
@ -240,28 +240,28 @@ public class AclImplTests extends TestCase {
MockAclService service = new MockAclService(); MockAclService service = new MockAclService();
// Add several permissions // Add several permissions
acl.insertAce(null, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST1"), true); acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST1"), true);
acl.insertAce(null, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST2"), true); acl.insertAce(1, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST2"), true);
acl.insertAce(null, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST3"), true); acl.insertAce(2, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST3"), true);
service.updateAcl(acl); service.updateAcl(acl);
// Delete first permission and check the order of the remaining permissions is kept // Delete first permission and check the order of the remaining permissions is kept
acl.deleteAce(new Long(1)); acl.deleteAce(0);
assertEquals(2, acl.getEntries().length); assertEquals(2, acl.getEntries().length);
assertEquals(acl.getEntries()[0].getSid(), new GrantedAuthoritySid("ROLE_TEST2")); assertEquals(acl.getEntries()[0].getSid(), new GrantedAuthoritySid("ROLE_TEST2"));
assertEquals(acl.getEntries()[1].getSid(), new GrantedAuthoritySid("ROLE_TEST3")); assertEquals(acl.getEntries()[1].getSid(), new GrantedAuthoritySid("ROLE_TEST3"));
// Add one more permission and remove the permission in the middle // Add one more permission and remove the permission in the middle
acl.insertAce(null, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST4"), true); acl.insertAce(2, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST4"), true);
service.updateAcl(acl); service.updateAcl(acl);
acl.deleteAce(new Long(2)); acl.deleteAce(1);
assertEquals(2, acl.getEntries().length); assertEquals(2, acl.getEntries().length);
assertEquals(acl.getEntries()[0].getSid(), new GrantedAuthoritySid("ROLE_TEST2")); assertEquals(acl.getEntries()[0].getSid(), new GrantedAuthoritySid("ROLE_TEST2"));
assertEquals(acl.getEntries()[1].getSid(), new GrantedAuthoritySid("ROLE_TEST4")); assertEquals(acl.getEntries()[1].getSid(), new GrantedAuthoritySid("ROLE_TEST4"));
// Remove remaining permissions // Remove remaining permissions
acl.deleteAce(new Long(1)); acl.deleteAce(1);
acl.deleteAce(new Long(3)); acl.deleteAce(0);
assertEquals(0, acl.getEntries().length); assertEquals(0, acl.getEntries().length);
} }
@ -278,7 +278,7 @@ public class AclImplTests extends TestCase {
MutableAcl acl = new AclImpl(identity, new Long(1), strategy, auditLogger, null, null, true, new PrincipalSid( MutableAcl acl = new AclImpl(identity, new Long(1), strategy, auditLogger, null, null, true, new PrincipalSid(
"johndoe")); "johndoe"));
try { try {
acl.deleteAce(new Long(1)); acl.deleteAce(99);
fail("It should have thrown NotFoundException"); fail("It should have thrown NotFoundException");
} }
catch (NotFoundException expected) { catch (NotFoundException expected) {
@ -327,10 +327,10 @@ public class AclImplTests extends TestCase {
"johndoe")); "johndoe"));
// Grant some permissions // Grant some permissions
rootAcl.insertAce(null, BasePermission.READ, new PrincipalSid("ben"), false); rootAcl.insertAce(0, BasePermission.READ, new PrincipalSid("ben"), false);
rootAcl.insertAce(null, BasePermission.WRITE, new PrincipalSid("scott"), true); rootAcl.insertAce(1, BasePermission.WRITE, new PrincipalSid("scott"), true);
rootAcl.insertAce(null, BasePermission.WRITE, new PrincipalSid("rod"), false); rootAcl.insertAce(2, BasePermission.WRITE, new PrincipalSid("rod"), false);
rootAcl.insertAce(null, BasePermission.WRITE, new GrantedAuthoritySid("WRITE_ACCESS_ROLE"), true); rootAcl.insertAce(3, BasePermission.WRITE, new GrantedAuthoritySid("WRITE_ACCESS_ROLE"), true);
// Check permissions granting // Check permissions granting
Permission[] permissions = new Permission[] { BasePermission.READ, BasePermission.CREATE }; Permission[] permissions = new Permission[] { BasePermission.READ, BasePermission.CREATE };
@ -394,14 +394,14 @@ public class AclImplTests extends TestCase {
parentAcl1.setParent(grandParentAcl); parentAcl1.setParent(grandParentAcl);
// Add some permissions // Add some permissions
grandParentAcl.insertAce(null, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"), true); grandParentAcl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"), true);
grandParentAcl.insertAce(null, BasePermission.WRITE, new PrincipalSid("ben"), true); grandParentAcl.insertAce(1, BasePermission.WRITE, new PrincipalSid("ben"), true);
grandParentAcl.insertAce(null, BasePermission.DELETE, new PrincipalSid("ben"), false); grandParentAcl.insertAce(2, BasePermission.DELETE, new PrincipalSid("ben"), false);
grandParentAcl.insertAce(null, BasePermission.DELETE, new PrincipalSid("scott"), true); grandParentAcl.insertAce(3, BasePermission.DELETE, new PrincipalSid("scott"), true);
parentAcl1.insertAce(null, BasePermission.READ, new PrincipalSid("scott"), true); parentAcl1.insertAce(0, BasePermission.READ, new PrincipalSid("scott"), true);
parentAcl1.insertAce(null, BasePermission.DELETE, new PrincipalSid("scott"), false); parentAcl1.insertAce(1, BasePermission.DELETE, new PrincipalSid("scott"), false);
parentAcl2.insertAce(null, BasePermission.CREATE, new PrincipalSid("ben"), true); parentAcl2.insertAce(0, BasePermission.CREATE, new PrincipalSid("ben"), true);
childAcl1.insertAce(null, BasePermission.CREATE, new PrincipalSid("scott"), true); childAcl1.insertAce(0, BasePermission.CREATE, new PrincipalSid("scott"), true);
// Check granting process for parent1 // Check granting process for parent1
assertTrue(parentAcl1.isGranted(new Permission[] { BasePermission.READ }, new Sid[] { new PrincipalSid("scott") }, assertTrue(parentAcl1.isGranted(new Permission[] { BasePermission.READ }, new Sid[] { new PrincipalSid("scott") },
@ -464,9 +464,9 @@ public class AclImplTests extends TestCase {
"johndoe")); "johndoe"));
MockAclService service = new MockAclService(); MockAclService service = new MockAclService();
acl.insertAce(null, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"), true); acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"), true);
acl.insertAce(null, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_USER_READ"), true); acl.insertAce(1, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_USER_READ"), true);
acl.insertAce(null, BasePermission.CREATE, new PrincipalSid("ben"), true); acl.insertAce(2, BasePermission.CREATE, new PrincipalSid("ben"), true);
service.updateAcl(acl); service.updateAcl(acl);
assertEquals(acl.getEntries()[0].getPermission(), BasePermission.READ); assertEquals(acl.getEntries()[0].getPermission(), BasePermission.READ);
@ -474,9 +474,9 @@ public class AclImplTests extends TestCase {
assertEquals(acl.getEntries()[2].getPermission(), BasePermission.CREATE); assertEquals(acl.getEntries()[2].getPermission(), BasePermission.CREATE);
// Change each permission // Change each permission
acl.updateAce(new Long(1), BasePermission.CREATE); acl.updateAce(0, BasePermission.CREATE);
acl.updateAce(new Long(2), BasePermission.DELETE); acl.updateAce(1, BasePermission.DELETE);
acl.updateAce(new Long(3), BasePermission.READ); acl.updateAce(2, BasePermission.READ);
// Check the change was successfuly made // Check the change was successfuly made
assertEquals(acl.getEntries()[0].getPermission(), BasePermission.CREATE); assertEquals(acl.getEntries()[0].getPermission(), BasePermission.CREATE);
@ -498,8 +498,8 @@ public class AclImplTests extends TestCase {
"johndoe")); "johndoe"));
MockAclService service = new MockAclService(); MockAclService service = new MockAclService();
acl.insertAce(null, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"), true); acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"), true);
acl.insertAce(null, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_USER_READ"), true); acl.insertAce(1, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_USER_READ"), true);
service.updateAcl(acl); service.updateAcl(acl);
assertFalse(((AuditableAccessControlEntry) acl.getEntries()[0]).isAuditFailure()); assertFalse(((AuditableAccessControlEntry) acl.getEntries()[0]).isAuditFailure());
@ -508,8 +508,8 @@ public class AclImplTests extends TestCase {
assertFalse(((AuditableAccessControlEntry) acl.getEntries()[1]).isAuditSuccess()); assertFalse(((AuditableAccessControlEntry) acl.getEntries()[1]).isAuditSuccess());
// Change each permission // Change each permission
((AuditableAcl) acl).updateAuditing(new Long(1), true, true); ((AuditableAcl) acl).updateAuditing(0, true, true);
((AuditableAcl) acl).updateAuditing(new Long(2), true, true); ((AuditableAcl) acl).updateAuditing(1, true, true);
// Check the change was successfuly made // Check the change was successfuly made
assertTrue(((AuditableAccessControlEntry) acl.getEntries()[0]).isAuditFailure()); assertTrue(((AuditableAccessControlEntry) acl.getEntries()[0]).isAuditFailure());
@ -534,8 +534,8 @@ public class AclImplTests extends TestCase {
MutableAcl parentAcl = new AclImpl(identity2, new Long(2), strategy, auditLogger, null, null, true, new PrincipalSid( MutableAcl parentAcl = new AclImpl(identity2, new Long(2), strategy, auditLogger, null, null, true, new PrincipalSid(
"johndoe")); "johndoe"));
MockAclService service = new MockAclService(); MockAclService service = new MockAclService();
acl.insertAce(null, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"), true); acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"), true);
acl.insertAce(null, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_USER_READ"), true); acl.insertAce(1, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_USER_READ"), true);
service.updateAcl(acl); service.updateAcl(acl);
assertEquals(acl.getId(), new Long(1)); assertEquals(acl.getId(), new Long(1));

12
acl/src/test/java/org/springframework/security/acls/domain/AclImplementationSecurityCheckTests.java
View File

@ -114,7 +114,7 @@ public class AclImplementationSecurityCheckTests extends TestCase {
// Let's give the principal the ADMINISTRATION permission, without // Let's give the principal the ADMINISTRATION permission, without
// granting access // granting access
MutableAcl aclFirstDeny = new AclImpl(identity, new Long(1), aclAuthorizationStrategy, new ConsoleAuditLogger()); MutableAcl aclFirstDeny = new AclImpl(identity, new Long(1), aclAuthorizationStrategy, new ConsoleAuditLogger());
aclFirstDeny.insertAce(null, BasePermission.ADMINISTRATION, new PrincipalSid(auth), false); aclFirstDeny.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth), false);
// The CHANGE_GENERAL test should pass as the principal has ROLE_GENERAL // The CHANGE_GENERAL test should pass as the principal has ROLE_GENERAL
try { try {
@ -143,7 +143,7 @@ public class AclImplementationSecurityCheckTests extends TestCase {
} }
// Add granting access to this principal // Add granting access to this principal
aclFirstDeny.insertAce(null, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true); aclFirstDeny.insertAce(1, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true);
// and try again for CHANGE_AUDITING - the first ACE's granting flag // and try again for CHANGE_AUDITING - the first ACE's granting flag
// (false) will deny this access // (false) will deny this access
try { try {
@ -158,7 +158,7 @@ public class AclImplementationSecurityCheckTests extends TestCase {
// permission, with granting access // permission, with granting access
MutableAcl aclFirstAllow = new AclImpl(identity, new Long(1), aclAuthorizationStrategy, MutableAcl aclFirstAllow = new AclImpl(identity, new Long(1), aclAuthorizationStrategy,
new ConsoleAuditLogger()); new ConsoleAuditLogger());
aclFirstAllow.insertAce(null, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true); aclFirstAllow.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true);
// The CHANGE_AUDITING test should pass as there is one ACE with // The CHANGE_AUDITING test should pass as there is one ACE with
// granting access // granting access
@ -171,7 +171,7 @@ public class AclImplementationSecurityCheckTests extends TestCase {
} }
// Add a deny ACE and test again for CHANGE_AUDITING // Add a deny ACE and test again for CHANGE_AUDITING
aclFirstAllow.insertAce(null, BasePermission.ADMINISTRATION, new PrincipalSid(auth), false); aclFirstAllow.insertAce(1, BasePermission.ADMINISTRATION, new PrincipalSid(auth), false);
try { try {
aclAuthorizationStrategy.securityCheck(aclFirstAllow, AclAuthorizationStrategy.CHANGE_AUDITING); aclAuthorizationStrategy.securityCheck(aclFirstAllow, AclAuthorizationStrategy.CHANGE_AUDITING);
Assert.assertTrue(true); Assert.assertTrue(true);
@ -215,7 +215,7 @@ public class AclImplementationSecurityCheckTests extends TestCase {
// Let's give the principal an ADMINISTRATION permission, with granting // Let's give the principal an ADMINISTRATION permission, with granting
// access // access
MutableAcl parentAcl = new AclImpl(identity, new Long(1), aclAuthorizationStrategy, new ConsoleAuditLogger()); MutableAcl parentAcl = new AclImpl(identity, new Long(1), aclAuthorizationStrategy, new ConsoleAuditLogger());
parentAcl.insertAce(null, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true); parentAcl.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true);
MutableAcl childAcl = new AclImpl(identity, new Long(2), aclAuthorizationStrategy, new ConsoleAuditLogger()); MutableAcl childAcl = new AclImpl(identity, new Long(2), aclAuthorizationStrategy, new ConsoleAuditLogger());
// Check against the 'child' acl, which doesn't offer any authorization // Check against the 'child' acl, which doesn't offer any authorization
@ -244,7 +244,7 @@ public class AclImplementationSecurityCheckTests extends TestCase {
MutableAcl rootParentAcl = new AclImpl(identity, new Long(1), aclAuthorizationStrategy, MutableAcl rootParentAcl = new AclImpl(identity, new Long(1), aclAuthorizationStrategy,
new ConsoleAuditLogger()); new ConsoleAuditLogger());
parentAcl = new AclImpl(identity, new Long(1), aclAuthorizationStrategy, new ConsoleAuditLogger()); parentAcl = new AclImpl(identity, new Long(1), aclAuthorizationStrategy, new ConsoleAuditLogger());
rootParentAcl.insertAce(null, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true); rootParentAcl.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true);
parentAcl.setEntriesInheriting(true); parentAcl.setEntriesInheriting(true);
parentAcl.setParent(rootParentAcl); parentAcl.setParent(rootParentAcl);
childAcl.setParent(parentAcl); childAcl.setParent(parentAcl);

8
acl/src/test/java/org/springframework/security/acls/jdbc/AclPermissionInheritanceTests.java
View File

@ -75,12 +75,12 @@ public class AclPermissionInheritanceTests extends TestCase {
aclService.updateAcl(child); aclService.updateAcl(child);
parent = (AclImpl) aclService.readAclById(rootObject); parent = (AclImpl) aclService.readAclById(rootObject);
parent.insertAce(null, BasePermission.READ, parent.insertAce(0, BasePermission.READ,
new PrincipalSid("john"), true); new PrincipalSid("john"), true);
aclService.updateAcl(parent); aclService.updateAcl(parent);
parent = (AclImpl) aclService.readAclById(rootObject); parent = (AclImpl) aclService.readAclById(rootObject);
parent.insertAce(null, BasePermission.READ, parent.insertAce(1, BasePermission.READ,
new PrincipalSid("joe"), true); new PrincipalSid("joe"), true);
aclService.updateAcl(parent); aclService.updateAcl(parent);
@ -109,11 +109,11 @@ public class AclPermissionInheritanceTests extends TestCase {
child.setParent(parent); child.setParent(parent);
aclService.updateAcl(child); aclService.updateAcl(child);
parent.insertAce(null, BasePermission.ADMINISTRATION, parent.insertAce(0, BasePermission.ADMINISTRATION,
new GrantedAuthoritySid("ROLE_ADMINISTRATOR"), true); new GrantedAuthoritySid("ROLE_ADMINISTRATOR"), true);
aclService.updateAcl(parent); aclService.updateAcl(parent);
parent.insertAce(null, BasePermission.DELETE, new PrincipalSid("terry"), true); parent.insertAce(1, BasePermission.DELETE, new PrincipalSid("terry"), true);
aclService.updateAcl(parent); aclService.updateAcl(parent);
child = (MutableAcl) aclService.readAclById( child = (MutableAcl) aclService.readAclById(

20
acl/src/test/java/org/springframework/security/acls/jdbc/JdbcAclServiceTests.java
View File

@ -108,10 +108,10 @@ public class JdbcAclServiceTests extends AbstractTransactionalDataSourceSpringCo
child.setParent(middleParent); child.setParent(middleParent);
// Now let's add a couple of permissions // Now let's add a couple of permissions
topParent.insertAce(null, BasePermission.READ, new PrincipalSid(auth), true); topParent.insertAce(0, BasePermission.READ, new PrincipalSid(auth), true);
topParent.insertAce(null, BasePermission.WRITE, new PrincipalSid(auth), false); topParent.insertAce(1, BasePermission.WRITE, new PrincipalSid(auth), false);
middleParent.insertAce(null, BasePermission.DELETE, new PrincipalSid(auth), true); middleParent.insertAce(0, BasePermission.DELETE, new PrincipalSid(auth), true);
child.insertAce(null, BasePermission.DELETE, new PrincipalSid(auth), false); child.insertAce(0, BasePermission.DELETE, new PrincipalSid(auth), false);
// Explictly save the changed ACL // Explictly save the changed ACL
jdbcMutableAclService.updateAcl(topParent); jdbcMutableAclService.updateAcl(topParent);
@ -144,10 +144,8 @@ public class JdbcAclServiceTests extends AbstractTransactionalDataSourceSpringCo
// Check the retrieved rights are correct // Check the retrieved rights are correct
assertTrue(topParent.isGranted(new Permission[] {BasePermission.READ}, new Sid[] {new PrincipalSid(auth)}, false)); assertTrue(topParent.isGranted(new Permission[] {BasePermission.READ}, new Sid[] {new PrincipalSid(auth)}, false));
assertFalse(topParent.isGranted(new Permission[] {BasePermission.WRITE}, new Sid[] {new PrincipalSid(auth)}, assertFalse(topParent.isGranted(new Permission[] {BasePermission.WRITE}, new Sid[] {new PrincipalSid(auth)}, false));
false)); assertTrue(middleParent.isGranted(new Permission[] {BasePermission.DELETE}, new Sid[] {new PrincipalSid(auth)}, false));
assertTrue(middleParent.isGranted(new Permission[] {BasePermission.DELETE}, new Sid[] {new PrincipalSid(auth)},
false));
assertFalse(child.isGranted(new Permission[] {BasePermission.DELETE}, new Sid[] {new PrincipalSid(auth)}, false)); assertFalse(child.isGranted(new Permission[] {BasePermission.DELETE}, new Sid[] {new PrincipalSid(auth)}, false));
try { try {
@ -186,10 +184,10 @@ public class JdbcAclServiceTests extends AbstractTransactionalDataSourceSpringCo
} }
// Let's add an identical permission to the child, but it'll appear AFTER the current permission, so has no impact // Let's add an identical permission to the child, but it'll appear AFTER the current permission, so has no impact
child.insertAce(null, BasePermission.DELETE, new PrincipalSid(auth), true); child.insertAce(1, BasePermission.DELETE, new PrincipalSid(auth), true);
// Let's also add another permission to the child // Let's also add another permission to the child
child.insertAce(null, BasePermission.CREATE, new PrincipalSid(auth), true); child.insertAce(2, BasePermission.CREATE, new PrincipalSid(auth), true);
// Save the changed child // Save the changed child
jdbcMutableAclService.updateAcl(child); jdbcMutableAclService.updateAcl(child);
@ -213,7 +211,7 @@ public class JdbcAclServiceTests extends AbstractTransactionalDataSourceSpringCo
assertNotNull(entry.getId()); assertNotNull(entry.getId());
// Now delete that first ACE // Now delete that first ACE
child.deleteAce(entry.getId()); child.deleteAce(0);
// Save and check it worked // Save and check it worked
child = jdbcMutableAclService.updateAcl(child); child = jdbcMutableAclService.updateAcl(child);

4
samples/contacts/src/main/java/sample/contact/ContactManagerBackend.java
View File

@ -66,7 +66,7 @@ public class ContactManagerBackend extends ApplicationObjectSupport implements C
acl = mutableAclService.createAcl(oid); acl = mutableAclService.createAcl(oid);
} }
acl.insertAce(null, permission, recipient, true); acl.insertAce(acl.getEntries().length, permission, recipient, true);
mutableAclService.updateAcl(acl); mutableAclService.updateAcl(acl);
if (logger.isDebugEnabled()) { if (logger.isDebugEnabled()) {
@ -113,7 +113,7 @@ public class ContactManagerBackend extends ApplicationObjectSupport implements C
for (int i = 0; i < entries.length; i++) { for (int i = 0; i < entries.length; i++) {
if (entries[i].getSid().equals(recipient) && entries[i].getPermission().equals(permission)) { if (entries[i].getSid().equals(recipient) && entries[i].getPermission().equals(permission)) {
acl.deleteAce(entries[i].getId()); acl.deleteAce(i);
} }
} }

2
samples/contacts/src/main/java/sample/contact/DataSourcePopulator.java
View File

@ -243,7 +243,7 @@ public class DataSourcePopulator implements InitializingBean {
private void grantPermissions(int contactNumber, String recipientUsername, Permission permission) { private void grantPermissions(int contactNumber, String recipientUsername, Permission permission) {
AclImpl acl = (AclImpl) mutableAclService.readAclById(new ObjectIdentityImpl(Contact.class, AclImpl acl = (AclImpl) mutableAclService.readAclById(new ObjectIdentityImpl(Contact.class,
new Long(contactNumber))); new Long(contactNumber)));
acl.insertAce(null, permission, new PrincipalSid(recipientUsername), true); acl.insertAce(acl.getEntries().length, permission, new PrincipalSid(recipientUsername), true);
updateAclInTransaction(acl); updateAclInTransaction(acl);
} }

4
samples/dms/src/main/java/sample/dms/secured/SecureDataSourcePopulator.java
View File

@ -76,9 +76,9 @@ public class SecureDataSourcePopulator extends DataSourcePopulator {
// Now we have an ACL, add another ACE to it // Now we have an ACL, add another ACE to it
if (level == LEVEL_NEGATE_READ) { if (level == LEVEL_NEGATE_READ) {
acl.insertAce(null, permission, sid, false); // not granting acl.insertAce(acl.getEntries().length, permission, sid, false); // not granting
} else { } else {
acl.insertAce(null, permission, sid, true); // granting acl.insertAce(acl.getEntries().length, permission, sid, true); // granting
} }
// Finally, persist the modified ACL // Finally, persist the modified ACL

2
samples/dms/src/main/java/sample/dms/secured/SecureDocumentDaoImpl.java
View File

@ -54,7 +54,7 @@ public class SecureDocumentDaoImpl extends DocumentDaoImpl implements SecureDocu
MutableAcl aclParent = (MutableAcl) mutableAclService.readAclById(parentIdentity); MutableAcl aclParent = (MutableAcl) mutableAclService.readAclById(parentIdentity);
acl.setParent(aclParent); acl.setParent(aclParent);
} }
acl.insertAce(null, BasePermission.ADMINISTRATION, new PrincipalSid(SecurityContextHolder.getContext().getAuthentication()), true); acl.insertAce(acl.getEntries().length, BasePermission.ADMINISTRATION, new PrincipalSid(SecurityContextHolder.getContext().getAuthentication()), true);
mutableAclService.updateAcl(acl); mutableAclService.updateAcl(acl);
} }