SEC-135: Additional logging of votes in BasicAclEntryVoter.

2006-01-26 10:04:36 +00:00 · 2006-01-26 10:04:36 +00:00 · a7ebe51fc8
parent f4c1b81a9c
commit a7ebe51fc8
1 changed files with 43 additions and 25 deletions
--- a/core/src/main/java/org/acegisecurity/vote/BasicAclEntryVoter.java
+++ b/core/src/main/java/org/acegisecurity/vote/BasicAclEntryVoter.java
@ -1,4 +1,4 @@
-/* Copyright 2004, 2005 Acegi Technology Pty Limited
+/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,6 +19,7 @@ import org.acegisecurity.Authentication;
 import org.acegisecurity.AuthorizationServiceException;
 import org.acegisecurity.ConfigAttribute;
 import org.acegisecurity.ConfigAttributeDefinition;
+
 import org.acegisecurity.acl.AclEntry;
 import org.acegisecurity.acl.AclManager;
 import org.acegisecurity.acl.basic.BasicAclEntry;
@ -48,8 +49,7 @@ import java.util.Iterator;
 * <code>Authentication</code> object. This class is designed to process
 * {@link AclEntry}s that are subclasses of {@link
 * org.acegisecurity.acl.basic.BasicAclEntry} only. Generally these are
- * obtained by using the {@link
- * org.acegisecurity.acl.basic.BasicAclProvider}.
+ * obtained by using the {@link org.acegisecurity.acl.basic.BasicAclProvider}.
 * </p>
 * 
 * <p>
@ -139,18 +139,21 @@ public class BasicAclEntryVoter extends AbstractAclVoter

    //~ Methods ================================================================

-    public void setAclManager(AclManager aclManager) {
-        this.aclManager = aclManager;
+    public void afterPropertiesSet() throws Exception {
+        Assert.notNull(processConfigAttribute,
+            "A processConfigAttribute is mandatory");
+        Assert.notNull(aclManager, "An aclManager is mandatory");
+
+        if ((requirePermission == null) || (requirePermission.length == 0)) {
+            throw new IllegalArgumentException(
+                "One or more requirePermission entries is mandatory");
+        }
    }

    public AclManager getAclManager() {
        return aclManager;
    }

-    public void setInternalMethod(String internalMethod) {
-        this.internalMethod = internalMethod;
-    }
-
    /**
     * Optionally specifies a method of the domain object that will be used to
     * obtain a contained domain object. That contained domain object will be
@ -168,31 +171,28 @@ public class BasicAclEntryVoter extends AbstractAclVoter
        return internalMethod;
    }

-    public void setProcessConfigAttribute(String processConfigAttribute) {
-        this.processConfigAttribute = processConfigAttribute;
-    }
-
    public String getProcessConfigAttribute() {
        return processConfigAttribute;
    }

-    public void setRequirePermission(int[] requirePermission) {
-        this.requirePermission = requirePermission;
-    }
-
    public int[] getRequirePermission() {
        return requirePermission;
    }

-    public void afterPropertiesSet() throws Exception {
-        Assert.notNull(processConfigAttribute,
-            "A processConfigAttribute is mandatory");
-        Assert.notNull(aclManager, "An aclManager is mandatory");
+    public void setAclManager(AclManager aclManager) {
+        this.aclManager = aclManager;
+    }

-        if ((requirePermission == null) || (requirePermission.length == 0)) {
-            throw new IllegalArgumentException(
-                "One or more requirePermission entries is mandatory");
-        }
+    public void setInternalMethod(String internalMethod) {
+        this.internalMethod = internalMethod;
+    }
+
+    public void setProcessConfigAttribute(String processConfigAttribute) {
+        this.processConfigAttribute = processConfigAttribute;
+    }
+
+    public void setRequirePermission(int[] requirePermission) {
+        this.requirePermission = requirePermission;
    }

    public boolean supports(ConfigAttribute attribute) {
@ -218,6 +218,10 @@ public class BasicAclEntryVoter extends AbstractAclVoter

                // If domain object is null, vote to abstain
                if (domainObject == null) {
+                    if (logger.isDebugEnabled()) {
+                        logger.debug("Voting to abstain - domainObject is null");
+                    }
+
                    return AccessDecisionVoter.ACCESS_ABSTAIN;
                }

@ -271,6 +275,11 @@ public class BasicAclEntryVoter extends AbstractAclVoter

                // If principal has no permissions for domain object, deny
                if ((acls == null) || (acls.length == 0)) {
+                    if (logger.isDebugEnabled()) {
+                        logger.debug(
+                            "Voting to deny access - no ACLs returned for this principal");
+                    }
+
                    return AccessDecisionVoter.ACCESS_DENIED;
                }

@ -283,6 +292,10 @@ public class BasicAclEntryVoter extends AbstractAclVoter
                        // See if principal has any of the required permissions
                        for (int y = 0; y < requirePermission.length; y++) {
                            if (processableAcl.isPermitted(requirePermission[y])) {
+                                if (logger.isDebugEnabled()) {
+                                    logger.debug("Voting to grant access");
+                                }
+
                                return AccessDecisionVoter.ACCESS_GRANTED;
                            }
                        }
@ -290,6 +303,11 @@ public class BasicAclEntryVoter extends AbstractAclVoter
                }

                // No permissions match
+                if (logger.isDebugEnabled()) {
+                    logger.debug(
+                        "Voting to deny access - ACLs returned, but insufficient permissions for this principal");
+                }
+
                return AccessDecisionVoter.ACCESS_DENIED;
            }
        }