Added possibility create custom Sid

This commit is contained in:
Mikhail Stryzhonok 2014-06-12 12:50:04 +03:00 committed by Rob Winch
parent fa9e7999da
commit f20219d541
6 changed files with 132 additions and 33 deletions

View File

@ -87,7 +87,7 @@ public class AclAuthorizationStrategyImpl implements AclAuthorizationStrategy {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
// Check if authorized by virtue of ACL ownership // Check if authorized by virtue of ACL ownership
Sid currentUser = new PrincipalSid(authentication); Sid currentUser = createCurrentUser(authentication);
if (currentUser.equals(acl.getOwner()) if (currentUser.equals(acl.getOwner())
&& ((changeType == CHANGE_GENERAL) || (changeType == CHANGE_OWNERSHIP))) { && ((changeType == CHANGE_GENERAL) || (changeType == CHANGE_OWNERSHIP))) {
@ -123,6 +123,17 @@ public class AclAuthorizationStrategyImpl implements AclAuthorizationStrategy {
"Principal does not have required ACL permissions to perform requested operation"); "Principal does not have required ACL permissions to perform requested operation");
} }
/**
* Creates a principal-like sid from the authentication information.
*
* @param authentication the authentication information that can provide principal and thus the sid's id will be
* dependant on the value inside
* @return a sid with the ID taken from the authentication information
*/
protected Sid createCurrentUser(Authentication authentication) {
return new PrincipalSid(authentication);
}
public void setSidRetrievalStrategy(SidRetrievalStrategy sidRetrievalStrategy) { public void setSidRetrievalStrategy(SidRetrievalStrategy sidRetrievalStrategy) {
Assert.notNull(sidRetrievalStrategy, "SidRetrievalStrategy required"); Assert.notNull(sidRetrievalStrategy, "SidRetrievalStrategy required");
this.sidRetrievalStrategy = sidRetrievalStrategy; this.sidRetrievalStrategy = sidRetrievalStrategy;

View File

@ -74,7 +74,7 @@ import org.springframework.util.Assert;
* *
* @author Ben Alex * @author Ben Alex
*/ */
public final class BasicLookupStrategy implements LookupStrategy { public class BasicLookupStrategy implements LookupStrategy {
public final static String DEFAULT_SELECT_CLAUSE = "select acl_object_identity.object_id_identity, " public final static String DEFAULT_SELECT_CLAUSE = "select acl_object_identity.object_id_identity, "
+ "acl_entry.ace_order, " + "acl_entry.ace_order, "
@ -256,7 +256,7 @@ public final class BasicLookupStrategy implements LookupStrategy {
* should not throw {@link NotFoundException}, as a chain of {@link LookupStrategy}s may be used * should not throw {@link NotFoundException}, as a chain of {@link LookupStrategy}s may be used
* to automatically create entries if required) * to automatically create entries if required)
*/ */
public Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, List<Sid> sids) { public final Map<ObjectIdentity, Acl> readAclsById(List<ObjectIdentity> objects, List<Sid> sids) {
Assert.isTrue(batchSize >= 1, "BatchSize must be >= 1"); Assert.isTrue(batchSize >= 1, "BatchSize must be >= 1");
Assert.notEmpty(objects, "Objects to lookup required"); Assert.notEmpty(objects, "Objects to lookup required");
@ -428,17 +428,33 @@ public final class BasicLookupStrategy implements LookupStrategy {
return result; return result;
} }
/**
* Creates a particular implementation of {@link Sid} depending on the arguments.
*
* @param sid the name of the sid representing its unique identifier. In typical ACL database schema it's
* located in table {@code acl_sid} table, {@code sid} column.
* @param isPrincipal whether it's a user or granted authority like role
* @return the instance of Sid with the {@code sidName} as an identifier
*/
protected Sid createSid(boolean isPrincipal, String sid) {
if (isPrincipal) {
return new PrincipalSid(sid);
} else {
return new GrantedAuthoritySid(sid);
}
}
/** /**
* Sets the {@code PermissionFactory} instance which will be used to convert loaded permission * Sets the {@code PermissionFactory} instance which will be used to convert loaded permission
* data values to {@code Permission}s. A {@code DefaultPermissionFactory} will be used by default. * data values to {@code Permission}s. A {@code DefaultPermissionFactory} will be used by default.
* *
* @param permissionFactory * @param permissionFactory
*/ */
public void setPermissionFactory(PermissionFactory permissionFactory) { public final void setPermissionFactory(PermissionFactory permissionFactory) {
this.permissionFactory = permissionFactory; this.permissionFactory = permissionFactory;
} }
public void setBatchSize(int batchSize) { public final void setBatchSize(int batchSize) {
this.batchSize = batchSize; this.batchSize = batchSize;
} }
@ -448,28 +464,28 @@ public final class BasicLookupStrategy implements LookupStrategy {
* *
* @param selectClause the select clause, which defaults to {@link #DEFAULT_SELECT_CLAUSE}. * @param selectClause the select clause, which defaults to {@link #DEFAULT_SELECT_CLAUSE}.
*/ */
public void setSelectClause(String selectClause) { public final void setSelectClause(String selectClause) {
this.selectClause = selectClause; this.selectClause = selectClause;
} }
/** /**
* The SQL for the where clause used in the <tt>lookupPrimaryKey</tt> method. * The SQL for the where clause used in the <tt>lookupPrimaryKey</tt> method.
*/ */
public void setLookupPrimaryKeysWhereClause(String lookupPrimaryKeysWhereClause) { public final void setLookupPrimaryKeysWhereClause(String lookupPrimaryKeysWhereClause) {
this.lookupPrimaryKeysWhereClause = lookupPrimaryKeysWhereClause; this.lookupPrimaryKeysWhereClause = lookupPrimaryKeysWhereClause;
} }
/** /**
* The SQL for the where clause used in the <tt>lookupObjectIdentities</tt> method. * The SQL for the where clause used in the <tt>lookupObjectIdentities</tt> method.
*/ */
public void setLookupObjectIdentitiesWhereClause(String lookupObjectIdentitiesWhereClause) { public final void setLookupObjectIdentitiesWhereClause(String lookupObjectIdentitiesWhereClause) {
this.lookupObjectIdentitiesWhereClause = lookupObjectIdentitiesWhereClause; this.lookupObjectIdentitiesWhereClause = lookupObjectIdentitiesWhereClause;
} }
/** /**
* The SQL for the "order by" clause used in both queries. * The SQL for the "order by" clause used in both queries.
*/ */
public void setOrderByClause(String orderByClause) { public final void setOrderByClause(String orderByClause) {
this.orderByClause = orderByClause; this.orderByClause = orderByClause;
} }
@ -556,13 +572,7 @@ public final class BasicLookupStrategy implements LookupStrategy {
} }
boolean entriesInheriting = rs.getBoolean("entries_inheriting"); boolean entriesInheriting = rs.getBoolean("entries_inheriting");
Sid owner; Sid owner = createSid(rs.getBoolean("acl_principal"), rs.getString("acl_sid"));
if (rs.getBoolean("acl_principal")) {
owner = new PrincipalSid(rs.getString("acl_sid"));
} else {
owner = new GrantedAuthoritySid(rs.getString("acl_sid"));
}
acl = new AclImpl(objectIdentity, id, aclAuthorizationStrategy, grantingStrategy, parentAcl, null, acl = new AclImpl(objectIdentity, id, aclAuthorizationStrategy, grantingStrategy, parentAcl, null,
entriesInheriting, owner); entriesInheriting, owner);
@ -574,13 +584,7 @@ public final class BasicLookupStrategy implements LookupStrategy {
// It is permissible to have no ACEs in an ACL (which is detected by a null ACE_SID) // It is permissible to have no ACEs in an ACL (which is detected by a null ACE_SID)
if (rs.getString("ace_sid") != null) { if (rs.getString("ace_sid") != null) {
Long aceId = new Long(rs.getLong("ace_id")); Long aceId = new Long(rs.getLong("ace_id"));
Sid recipient; Sid recipient = createSid(rs.getBoolean("ace_principal"), rs.getString("ace_sid"));
if (rs.getBoolean("ace_principal")) {
recipient = new PrincipalSid(rs.getString("ace_sid"));
} else {
recipient = new GrantedAuthoritySid(rs.getString("ace_sid"));
}
int mask = rs.getInt("mask"); int mask = rs.getInt("mask");
Permission permission = permissionFactory.buildFromMask(mask); Permission permission = permissionFactory.buildFromMask(mask);

View File

@ -209,6 +209,19 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
throw new IllegalArgumentException("Unsupported implementation of Sid"); throw new IllegalArgumentException("Unsupported implementation of Sid");
} }
return createOrRetrieveSidPrimaryKey(sidName, sidIsPrincipal, allowCreate);
}
/**
* Retrieves the primary key from acl_sid, creating a new row if needed and the allowCreate property is
* true.
* @param sidName name of Sid to find or to create
* @param sidIsPrincipal whether it's a user or granted authority like role
* @param allowCreate true if creation is permitted if not found
* @return the primary key or null if not found
*/
protected Long createOrRetrieveSidPrimaryKey(String sidName, boolean sidIsPrincipal, boolean allowCreate) {
List<Long> sidIds = jdbcTemplate.queryForList(selectSidPrimaryKey, List<Long> sidIds = jdbcTemplate.queryForList(selectSidPrimaryKey,
new Object[] {Boolean.valueOf(sidIsPrincipal), sidName}, Long.class); new Object[] {Boolean.valueOf(sidIsPrincipal), sidName}, Long.class);

View File

@ -9,15 +9,7 @@ import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.Resource; import org.springframework.core.io.Resource;
import org.springframework.jdbc.core.JdbcTemplate; import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.datasource.SingleConnectionDataSource; import org.springframework.jdbc.datasource.SingleConnectionDataSource;
import org.springframework.security.acls.domain.AclAuthorizationStrategy; import org.springframework.security.acls.domain.*;
import org.springframework.security.acls.domain.AclAuthorizationStrategyImpl;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.ConsoleAuditLogger;
import org.springframework.security.acls.domain.DefaultPermissionFactory;
import org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy;
import org.springframework.security.acls.domain.EhCacheBasedAclCache;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.Acl; import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.AuditableAccessControlEntry; import org.springframework.security.acls.model.AuditableAccessControlEntry;
import org.springframework.security.acls.model.MutableAcl; import org.springframework.security.acls.model.MutableAcl;
@ -301,4 +293,20 @@ public class BasicLookupStrategyTests {
strategy.readAclsById(Arrays.asList(oid), Arrays.asList(BEN_SID)); strategy.readAclsById(Arrays.asList(oid), Arrays.asList(BEN_SID));
} }
@Test
public void testCreatePrincipalSid() {
Sid result = strategy.createSid(true, "sid");
Assert.assertEquals(PrincipalSid.class, result.getClass());
Assert.assertEquals("sid", ((PrincipalSid)result).getPrincipal());
}
@Test
public void testCreateGrantedAuthority() {
Sid result = strategy.createSid(false, "sid");
Assert.assertEquals(GrantedAuthoritySid.class, result.getClass());
Assert.assertEquals("sid", ((GrantedAuthoritySid)result).getGrantedAuthority());
}
} }

View File

@ -15,6 +15,7 @@
package org.springframework.security.acls.jdbc; package org.springframework.security.acls.jdbc;
import static org.junit.Assert.*; import static org.junit.Assert.*;
import static org.mockito.Mockito.*;
import java.util.Arrays; import java.util.Arrays;
import java.util.List; import java.util.List;
@ -43,6 +44,7 @@ import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity; import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Permission; import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid; import org.springframework.security.acls.model.Sid;
import org.springframework.security.acls.sid.CustomSid;
import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
@ -490,5 +492,42 @@ public class JdbcMutableAclServiceTests extends AbstractTransactionalJUnit4Sprin
SecurityContextHolder.clearContext(); SecurityContextHolder.clearContext();
} }
@Test
public void testProcessingCustomSid() {
CustomJdbcMutableAclService customJdbcMutableAclService = spy(new CustomJdbcMutableAclService(dataSource,
lookupStrategy, aclCache));
CustomSid customSid = new CustomSid("Custom sid");
when(customJdbcMutableAclService.createOrRetrieveSidPrimaryKey("Custom sid", false, false)).thenReturn(1L);
Long result = customJdbcMutableAclService.createOrRetrieveSidPrimaryKey(customSid, false);
assertEquals(result, new Long(1L));
}
/**
* This class needed to show how to extend {@link JdbcMutableAclService} for processing
* custom {@link Sid} implementations
*/
private class CustomJdbcMutableAclService extends JdbcMutableAclService {
private CustomJdbcMutableAclService(DataSource dataSource, LookupStrategy lookupStrategy, AclCache aclCache) {
super(dataSource, lookupStrategy, aclCache);
}
@Override
protected Long createOrRetrieveSidPrimaryKey(Sid sid, boolean allowCreate) {
String sidName;
boolean isPrincipal = false;
if (sid instanceof CustomSid) {
sidName = ((CustomSid)sid).getSid();
} else if (sid instanceof GrantedAuthoritySid) {
sidName = ((GrantedAuthoritySid)sid).getGrantedAuthority();
} else {
sidName = ((PrincipalSid)sid).getPrincipal();
isPrincipal = true;
}
return createOrRetrieveSidPrimaryKey(sidName, isPrincipal, allowCreate);
}
}
} }

View File

@ -0,0 +1,24 @@
package org.springframework.security.acls.sid;
import org.springframework.security.acls.model.Sid;
/**
* This class is example of custom {@link Sid} implementation
* @author Mikhail Stryzhonok
*/
public class CustomSid implements Sid {
private String sid;
public CustomSid(String sid) {
this.sid = sid;
}
public String getSid() {
return sid;
}
public void setSid(String sid) {
this.sid = sid;
}
}