mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-06-01 09:42:13 +00:00
Added a customized checkstyle configuration file to tame the Maven 2 checkstyle report to the extent that it gives some useful infomation. Tidied up comments, excessively long lines, use of tabs etc. to match.
This commit is contained in:
parent
bd2d4b013a
commit
fabca162a7
205
acegi_checkstyle.xml
Normal file
205
acegi_checkstyle.xml
Normal file
@ -0,0 +1,205 @@
|
|||||||
|
<?xml version="1.0"?>
|
||||||
|
<!--
|
||||||
|
/*
|
||||||
|
* Copyright 2001-2004 The Apache Software Foundation.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
-->
|
||||||
|
|
||||||
|
<!DOCTYPE module PUBLIC
|
||||||
|
"-//Puppy Crawl//DTD Check Configuration 1.2//EN"
|
||||||
|
"http://www.puppycrawl.com/dtds/configuration_1_2.dtd">
|
||||||
|
|
||||||
|
<!--
|
||||||
|
|
||||||
|
Checkstyle is very configurable. Be sure to read the documentation at
|
||||||
|
http://checkstyle.sf.net (or in your downloaded distribution).
|
||||||
|
|
||||||
|
Most Checks are configurable, be sure to consult the documentation.
|
||||||
|
|
||||||
|
To completely disable a check, just comment it out or delete it from the file.
|
||||||
|
|
||||||
|
Finally, it is worth reading the documentation.
|
||||||
|
|
||||||
|
-->
|
||||||
|
|
||||||
|
<module name="Checker">
|
||||||
|
|
||||||
|
<!-- Checks that a package.html file exists for each package. -->
|
||||||
|
<!-- See http://checkstyle.sf.net/config_javadoc.html#PackageHtml -->
|
||||||
|
<!-- module name="PackageHtml"/ -->
|
||||||
|
|
||||||
|
<!-- Checks whether files end with a new line. -->
|
||||||
|
<!-- See http://checkstyle.sf.net/config_misc.html#NewlineAtEndOfFile -->
|
||||||
|
<module name="NewlineAtEndOfFile"/>
|
||||||
|
|
||||||
|
<!-- Checks that property files contain the same keys. -->
|
||||||
|
<!-- See http://checkstyle.sf.net/config_misc.html#Translation -->
|
||||||
|
<module name="Translation"/>
|
||||||
|
|
||||||
|
|
||||||
|
<module name="TreeWalker">
|
||||||
|
|
||||||
|
<property name="cacheFile" value="${checkstyle.cache.file}"/>
|
||||||
|
|
||||||
|
<!-- Checks for Javadoc comments. -->
|
||||||
|
<!-- See http://checkstyle.sf.net/config_javadoc.html -->
|
||||||
|
<!--
|
||||||
|
<module name="JavadocMethod"/>
|
||||||
|
<module name="JavadocType"/>
|
||||||
|
<module name="JavadocVariable"/>
|
||||||
|
<module name="JavadocStyle"/>
|
||||||
|
-->
|
||||||
|
|
||||||
|
<!-- Checks for Naming Conventions. -->
|
||||||
|
<!-- See http://checkstyle.sf.net/config_naming.html -->
|
||||||
|
<module name="ConstantName">
|
||||||
|
<!-- logger variables break normal constant syntax. We need to allow lower case too -->
|
||||||
|
<property name="format" value="^[a-zA-Z][a-zA-Z0-9]*(_[A-Z0-9]+)*$"/>
|
||||||
|
</module>
|
||||||
|
<module name="LocalFinalVariableName"/>
|
||||||
|
<module name="LocalVariableName"/>
|
||||||
|
<module name="MemberName"/>
|
||||||
|
<module name="MethodName"/>
|
||||||
|
<module name="PackageName"/>
|
||||||
|
<module name="ParameterName"/>
|
||||||
|
<module name="StaticVariableName"/>
|
||||||
|
<module name="TypeName"/>
|
||||||
|
|
||||||
|
|
||||||
|
<!-- Checks for Headers -->
|
||||||
|
<!-- See http://checkstyle.sf.net/config_header.html -->
|
||||||
|
<!-- <module name="Header"> -->
|
||||||
|
<!-- The follow property value demonstrates the ability -->
|
||||||
|
<!-- to have access to ANT properties. In this case it uses -->
|
||||||
|
<!-- the ${basedir} property to allow Checkstyle to be run -->
|
||||||
|
<!-- from any directory within a project. See property -->
|
||||||
|
<!-- expansion, -->
|
||||||
|
<!-- http://checkstyle.sf.net/config.html#properties -->
|
||||||
|
<!-- <property -->
|
||||||
|
<!-- name="headerFile" -->
|
||||||
|
<!-- value="${basedir}/java.header"/> -->
|
||||||
|
<!-- </module> -->
|
||||||
|
|
||||||
|
<!-- Following interprets the header file as regular expressions. -->
|
||||||
|
<!-- <module name="RegexpHeader"/> -->
|
||||||
|
|
||||||
|
|
||||||
|
<!-- Checks for imports -->
|
||||||
|
<!-- See http://checkstyle.sf.net/config_imports.html -->
|
||||||
|
<module name="AvoidStarImport">
|
||||||
|
<property name="excludes" value="javax.servlet,java.util"/>
|
||||||
|
</module>
|
||||||
|
<module name="IllegalImport"/> <!-- defaults to sun.* packages -->
|
||||||
|
<module name="RedundantImport"/>
|
||||||
|
<!--module name="UnusedImports"/ -->
|
||||||
|
|
||||||
|
|
||||||
|
<!-- Checks for Size Violations. -->
|
||||||
|
<!-- See http://checkstyle.sf.net/config_sizes.html -->
|
||||||
|
<module name="FileLength"/>
|
||||||
|
<module name="LineLength">
|
||||||
|
<property name="max" value="125"/>
|
||||||
|
</module>
|
||||||
|
<module name="MethodLength"/>
|
||||||
|
<module name="ParameterNumber"/>
|
||||||
|
|
||||||
|
|
||||||
|
<!-- Checks for whitespace -->
|
||||||
|
<!-- See http://checkstyle.sf.net/config_whitespace.html -->
|
||||||
|
<module name="EmptyForIteratorPad"/>
|
||||||
|
<module name="MethodParamPad"/>
|
||||||
|
<module name="NoWhitespaceAfter"/>
|
||||||
|
<module name="NoWhitespaceBefore"/>
|
||||||
|
<module name="OperatorWrap"/>
|
||||||
|
<module name="ParenPad"/>
|
||||||
|
<module name="TypecastParenPad"/>
|
||||||
|
<module name="TabCharacter"/>
|
||||||
|
<module name="WhitespaceAfter"/>
|
||||||
|
<!--
|
||||||
|
<module name="WhitespaceAround">
|
||||||
|
<property name="allowEmptyMethods" value="true"/>
|
||||||
|
<property name="allowEmptyConstructors" value="true"/>
|
||||||
|
</module>
|
||||||
|
-->
|
||||||
|
|
||||||
|
<!-- Modifier Checks -->
|
||||||
|
<!-- See http://checkstyle.sf.net/config_modifiers.html -->
|
||||||
|
<module name="ModifierOrder"/>
|
||||||
|
<module name="RedundantModifier"/>
|
||||||
|
|
||||||
|
|
||||||
|
<!-- Checks for blocks. You know, those {}'s -->
|
||||||
|
<!-- See http://checkstyle.sf.net/config_blocks.html -->
|
||||||
|
<module name="AvoidNestedBlocks"/>
|
||||||
|
<!-- module name="EmptyBlock"/ -->
|
||||||
|
<module name="LeftCurly"/>
|
||||||
|
<module name="NeedBraces"/>
|
||||||
|
<module name="RightCurly"/>
|
||||||
|
|
||||||
|
|
||||||
|
<!-- Checks for common coding problems -->
|
||||||
|
<!-- See http://checkstyle.sf.net/config_coding.html -->
|
||||||
|
<!-- module name="AvoidInlineConditionals"/ -->
|
||||||
|
<module name="DoubleCheckedLocking"/> <!-- MY FAVOURITE -->
|
||||||
|
<module name="EmptyStatement"/>
|
||||||
|
<!-- module name="EqualsHashCode"/ -->
|
||||||
|
<!--
|
||||||
|
<module name="HiddenField">
|
||||||
|
<property name="ignoreConstructorParameter" value="true"/>
|
||||||
|
<property name="ignoreSetter" value="true"/>
|
||||||
|
</module>
|
||||||
|
-->
|
||||||
|
<module name="IllegalInstantiation"/>
|
||||||
|
<module name="InnerAssignment"/>
|
||||||
|
<!-- module name="MagicNumber"/ -->
|
||||||
|
<module name="MissingSwitchDefault"/>
|
||||||
|
<!--
|
||||||
|
<module name="RedundantThrows">
|
||||||
|
<property name="allowUnchecked" value="true"/>
|
||||||
|
</module>
|
||||||
|
-->
|
||||||
|
<!--
|
||||||
|
<module name="SimplifyBooleanExpression"/>
|
||||||
|
<module name="SimplifyBooleanReturn"/>
|
||||||
|
-->
|
||||||
|
<!-- Checks for class design -->
|
||||||
|
<!-- See http://checkstyle.sf.net/config_design.html -->
|
||||||
|
<!-- module name="DesignForExtension"/ -->
|
||||||
|
<module name="FinalClass"/>
|
||||||
|
<module name="HideUtilityClassConstructor"/>
|
||||||
|
<module name="InterfaceIsType"/>
|
||||||
|
<module name="VisibilityModifier">
|
||||||
|
<!-- logger variables are often protected -->
|
||||||
|
<property name="protectedAllowed" value="true"/>
|
||||||
|
</module>
|
||||||
|
|
||||||
|
|
||||||
|
<!-- Miscellaneous other checks. -->
|
||||||
|
<!-- See http://checkstyle.sf.net/config_misc.html -->
|
||||||
|
<module name="ArrayTypeStyle"/>
|
||||||
|
<!-- module name="FinalParameters"/ -->
|
||||||
|
<!--
|
||||||
|
<module name="GenericIllegalRegexp">
|
||||||
|
<property name="format" value="\s+$"/>
|
||||||
|
<property name="message" value="Line has trailing spaces."/>
|
||||||
|
</module>
|
||||||
|
-->
|
||||||
|
<!-- module name="TrailingComment"/ -->
|
||||||
|
<!-- module name="TodoComment"/ -->
|
||||||
|
<module name="UpperEll"/>
|
||||||
|
|
||||||
|
</module>
|
||||||
|
|
||||||
|
</module>
|
@ -36,7 +36,7 @@ public interface AccessDecisionManager {
|
|||||||
* @throws InsufficientAuthenticationException if access is denied as the authentication does not provide a
|
* @throws InsufficientAuthenticationException if access is denied as the authentication does not provide a
|
||||||
* sufficient level of trust
|
* sufficient level of trust
|
||||||
*/
|
*/
|
||||||
public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
|
void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
|
||||||
throws AccessDeniedException, InsufficientAuthenticationException;
|
throws AccessDeniedException, InsufficientAuthenticationException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -51,7 +51,7 @@ public interface AccessDecisionManager {
|
|||||||
*
|
*
|
||||||
* @return true if this <code>AccessDecisionManager</code> can support the passed configuration attribute
|
* @return true if this <code>AccessDecisionManager</code> can support the passed configuration attribute
|
||||||
*/
|
*/
|
||||||
public boolean supports(ConfigAttribute attribute);
|
boolean supports(ConfigAttribute attribute);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Indicates whether the <code>AccessDecisionManager</code> implementation is able to provide access
|
* Indicates whether the <code>AccessDecisionManager</code> implementation is able to provide access
|
||||||
@ -61,5 +61,5 @@ public interface AccessDecisionManager {
|
|||||||
*
|
*
|
||||||
* @return <code>true</code> if the implementation can process the indicated class
|
* @return <code>true</code> if the implementation can process the indicated class
|
||||||
*/
|
*/
|
||||||
public boolean supports(Class clazz);
|
boolean supports(Class clazz);
|
||||||
}
|
}
|
||||||
|
@ -19,7 +19,7 @@ package org.acegisecurity;
|
|||||||
* Reviews the <code>Object</code> returned from a secure object invocation,
|
* Reviews the <code>Object</code> returned from a secure object invocation,
|
||||||
* being able to modify the <code>Object</code> or throw an {@link
|
* being able to modify the <code>Object</code> or throw an {@link
|
||||||
* AccessDeniedException}.
|
* AccessDeniedException}.
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* Typically used to ensure the principal is permitted to access the domain
|
* Typically used to ensure the principal is permitted to access the domain
|
||||||
* object instance returned by a service layer bean. Can also be used to
|
* object instance returned by a service layer bean. Can also be used to
|
||||||
@ -28,7 +28,7 @@ package org.acegisecurity;
|
|||||||
* in conjunction with an {@link org.acegisecurity.acl.AclManager} to
|
* in conjunction with an {@link org.acegisecurity.acl.AclManager} to
|
||||||
* obtain the access control list applicable for the domain object instance.
|
* obtain the access control list applicable for the domain object instance.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* Special consideration should be given to using an
|
* Special consideration should be given to using an
|
||||||
* <code>AfterInvocationManager</code> on bean methods that modify a database.
|
* <code>AfterInvocationManager</code> on bean methods that modify a database.
|
||||||
@ -60,7 +60,7 @@ public interface AfterInvocationManager {
|
|||||||
*
|
*
|
||||||
* @throws AccessDeniedException if access is denied
|
* @throws AccessDeniedException if access is denied
|
||||||
*/
|
*/
|
||||||
public Object decide(Authentication authentication, Object object, ConfigAttributeDefinition config,
|
Object decide(Authentication authentication, Object object, ConfigAttributeDefinition config,
|
||||||
Object returnedObject) throws AccessDeniedException;
|
Object returnedObject) throws AccessDeniedException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -75,7 +75,7 @@ public interface AfterInvocationManager {
|
|||||||
*
|
*
|
||||||
* @return true if this <code>AfterInvocationManager</code> can support the passed configuration attribute
|
* @return true if this <code>AfterInvocationManager</code> can support the passed configuration attribute
|
||||||
*/
|
*/
|
||||||
public boolean supports(ConfigAttribute attribute);
|
boolean supports(ConfigAttribute attribute);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Indicates whether the <code>AfterInvocationManager</code> implementation is able to provide access
|
* Indicates whether the <code>AfterInvocationManager</code> implementation is able to provide access
|
||||||
@ -85,5 +85,5 @@ public interface AfterInvocationManager {
|
|||||||
*
|
*
|
||||||
* @return <code>true</code> if the implementation can process the indicated class
|
* @return <code>true</code> if the implementation can process the indicated class
|
||||||
*/
|
*/
|
||||||
public boolean supports(Class clazz);
|
boolean supports(Class clazz);
|
||||||
}
|
}
|
||||||
|
@ -22,12 +22,12 @@ import java.security.Principal;
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Represents an authentication request.
|
* Represents an authentication request.
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* An <code>Authentication</code> object is not considered authenticated until
|
* An <code>Authentication</code> object is not considered authenticated until
|
||||||
* it is processed by an {@link AuthenticationManager}.
|
* it is processed by an {@link AuthenticationManager}.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* Stored in a request {@link org.acegisecurity.context.SecurityContext}.
|
* Stored in a request {@link org.acegisecurity.context.SecurityContext}.
|
||||||
* </p>
|
* </p>
|
||||||
@ -46,7 +46,7 @@ public interface Authentication extends Principal, Serializable {
|
|||||||
*
|
*
|
||||||
* @return the authorities granted to the principal, or <code>null</code> if authentication has not been completed
|
* @return the authorities granted to the principal, or <code>null</code> if authentication has not been completed
|
||||||
*/
|
*/
|
||||||
public GrantedAuthority[] getAuthorities();
|
GrantedAuthority[] getAuthorities();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The credentials that prove the principal is correct. This is usually a password, but could be anything
|
* The credentials that prove the principal is correct. This is usually a password, but could be anything
|
||||||
@ -54,7 +54,7 @@ public interface Authentication extends Principal, Serializable {
|
|||||||
*
|
*
|
||||||
* @return the credentials that prove the identity of the <code>Principal</code>
|
* @return the credentials that prove the identity of the <code>Principal</code>
|
||||||
*/
|
*/
|
||||||
public Object getCredentials();
|
Object getCredentials();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Stores additional details about the authentication request. These might be an IP address, certificate
|
* Stores additional details about the authentication request. These might be an IP address, certificate
|
||||||
@ -62,7 +62,7 @@ public interface Authentication extends Principal, Serializable {
|
|||||||
*
|
*
|
||||||
* @return additional details about the authentication request, or <code>null</code> if not used
|
* @return additional details about the authentication request, or <code>null</code> if not used
|
||||||
*/
|
*/
|
||||||
public Object getDetails();
|
Object getDetails();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The identity of the principal being authenticated. This is usually a username. Callers are expected to
|
* The identity of the principal being authenticated. This is usually a username. Callers are expected to
|
||||||
@ -70,7 +70,7 @@ public interface Authentication extends Principal, Serializable {
|
|||||||
*
|
*
|
||||||
* @return the <code>Principal</code> being authenticated
|
* @return the <code>Principal</code> being authenticated
|
||||||
*/
|
*/
|
||||||
public Object getPrincipal();
|
Object getPrincipal();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Used to indicate to <code>AbstractSecurityInterceptor</code> whether it should present the
|
* Used to indicate to <code>AbstractSecurityInterceptor</code> whether it should present the
|
||||||
@ -85,7 +85,7 @@ public interface Authentication extends Principal, Serializable {
|
|||||||
* @return true if the token has been authenticated and the <code>AbstractSecurityInterceptor</code> does not need
|
* @return true if the token has been authenticated and the <code>AbstractSecurityInterceptor</code> does not need
|
||||||
* to represent the token for re-authentication to the <code>AuthenticationManager</code>
|
* to represent the token for re-authentication to the <code>AuthenticationManager</code>
|
||||||
*/
|
*/
|
||||||
public boolean isAuthenticated();
|
boolean isAuthenticated();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* See {@link #isAuthenticated()} for a full description.<p>Implementations should <b>always</b> allow this
|
* See {@link #isAuthenticated()} for a full description.<p>Implementations should <b>always</b> allow this
|
||||||
@ -101,6 +101,6 @@ public interface Authentication extends Principal, Serializable {
|
|||||||
* <code>true</code> as the argument) is rejected due to the implementation being immutable or
|
* <code>true</code> as the argument) is rejected due to the implementation being immutable or
|
||||||
* implementing its own alternative approach to {@link #isAuthenticated()}
|
* implementing its own alternative approach to {@link #isAuthenticated()}
|
||||||
*/
|
*/
|
||||||
public void setAuthenticated(boolean isAuthenticated)
|
void setAuthenticated(boolean isAuthenticated)
|
||||||
throws IllegalArgumentException;
|
throws IllegalArgumentException;
|
||||||
}
|
}
|
||||||
|
@ -44,6 +44,6 @@ public interface AuthenticationManager {
|
|||||||
*
|
*
|
||||||
* @throws AuthenticationException if authentication fails
|
* @throws AuthenticationException if authentication fails
|
||||||
*/
|
*/
|
||||||
public Authentication authenticate(Authentication authentication)
|
Authentication authenticate(Authentication authentication)
|
||||||
throws AuthenticationException;
|
throws AuthenticationException;
|
||||||
}
|
}
|
||||||
|
@ -37,7 +37,7 @@ public interface AuthenticationTrustResolver {
|
|||||||
* @return <code>true</code> the passed authentication token represented an anonymous principal, <code>false</code>
|
* @return <code>true</code> the passed authentication token represented an anonymous principal, <code>false</code>
|
||||||
* otherwise
|
* otherwise
|
||||||
*/
|
*/
|
||||||
public boolean isAnonymous(Authentication authentication);
|
boolean isAnonymous(Authentication authentication);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Indicates whether the passed <code>Authentication</code> token represents user that has been remembered
|
* Indicates whether the passed <code>Authentication</code> token represents user that has been remembered
|
||||||
@ -52,5 +52,5 @@ public interface AuthenticationTrustResolver {
|
|||||||
* @return <code>true</code> the passed authentication token represented a principal authenticated using a
|
* @return <code>true</code> the passed authentication token represented a principal authenticated using a
|
||||||
* remember-me token, <code>false</code> otherwise
|
* remember-me token, <code>false</code> otherwise
|
||||||
*/
|
*/
|
||||||
public boolean isRememberMe(Authentication authentication);
|
boolean isRememberMe(Authentication authentication);
|
||||||
}
|
}
|
||||||
|
@ -20,7 +20,7 @@ import java.io.Serializable;
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Stores a security system related configuration attribute.
|
* Stores a security system related configuration attribute.
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* When an {@link org.acegisecurity.intercept.AbstractSecurityInterceptor}
|
* When an {@link org.acegisecurity.intercept.AbstractSecurityInterceptor}
|
||||||
* is setup, a list of configuration attributes is defined for secure object
|
* is setup, a list of configuration attributes is defined for secure object
|
||||||
@ -28,7 +28,7 @@ import java.io.Serializable;
|
|||||||
* RunAsManager}, {@link AccessDecisionManager} or
|
* RunAsManager}, {@link AccessDecisionManager} or
|
||||||
* <code>AccessDecisionManager</code> delegate.
|
* <code>AccessDecisionManager</code> delegate.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* Stored at runtime with other <code>ConfigAttribute</code>s for the same
|
* Stored at runtime with other <code>ConfigAttribute</code>s for the same
|
||||||
* secure object target within a {@link ConfigAttributeDefinition}.
|
* secure object target within a {@link ConfigAttributeDefinition}.
|
||||||
@ -52,5 +52,5 @@ public interface ConfigAttribute extends Serializable {
|
|||||||
* @return a representation of the configuration attribute (or <code>null</code> if the configuration attribute
|
* @return a representation of the configuration attribute (or <code>null</code> if the configuration attribute
|
||||||
* cannot be expressed as a <code>String</code> with sufficient precision).
|
* cannot be expressed as a <code>String</code> with sufficient precision).
|
||||||
*/
|
*/
|
||||||
public String getAttribute();
|
String getAttribute();
|
||||||
}
|
}
|
||||||
|
@ -19,7 +19,7 @@ import java.io.Serializable;
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Represents an authority granted to an {@link Authentication} object.
|
* Represents an authority granted to an {@link Authentication} object.
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* A <code>GrantedAuthority</code> must either represent itself as a
|
* A <code>GrantedAuthority</code> must either represent itself as a
|
||||||
* <code>String</code> or be specifically supported by an {@link
|
* <code>String</code> or be specifically supported by an {@link
|
||||||
@ -44,5 +44,5 @@ public interface GrantedAuthority extends Serializable {
|
|||||||
* @return a representation of the granted authority (or <code>null</code> if the granted authority cannot be
|
* @return a representation of the granted authority (or <code>null</code> if the granted authority cannot be
|
||||||
* expressed as a <code>String</code> with sufficient precision).
|
* expressed as a <code>String</code> with sufficient precision).
|
||||||
*/
|
*/
|
||||||
public String getAuthority();
|
String getAuthority();
|
||||||
}
|
}
|
||||||
|
@ -28,7 +28,7 @@ import java.io.Serializable;
|
|||||||
public class GrantedAuthorityImpl implements GrantedAuthority, Serializable {
|
public class GrantedAuthorityImpl implements GrantedAuthority, Serializable {
|
||||||
//~ Instance fields ================================================================================================
|
//~ Instance fields ================================================================================================
|
||||||
|
|
||||||
private static final long serialVersionUID = 1L;
|
private static final long serialVersionUID = 1L;
|
||||||
private String role;
|
private String role;
|
||||||
|
|
||||||
//~ Constructors ===================================================================================================
|
//~ Constructors ===================================================================================================
|
||||||
|
@ -18,7 +18,7 @@ package org.acegisecurity;
|
|||||||
/**
|
/**
|
||||||
* Creates a new temporary {@link Authentication} object for the current secure
|
* Creates a new temporary {@link Authentication} object for the current secure
|
||||||
* object invocation only.
|
* object invocation only.
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* This interface permits implementations to replace the
|
* This interface permits implementations to replace the
|
||||||
* <code>Authentication</code> object that applies to the current secure
|
* <code>Authentication</code> object that applies to the current secure
|
||||||
@ -29,7 +29,7 @@ package org.acegisecurity;
|
|||||||
* for the duration of the secure object callback only, returning it to
|
* for the duration of the secure object callback only, returning it to
|
||||||
* the original <code>Authentication</code> object when the callback ends.
|
* the original <code>Authentication</code> object when the callback ends.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* This is provided so that systems with two layers of objects can be
|
* This is provided so that systems with two layers of objects can be
|
||||||
* established. One layer is public facing and has normal secure methods with
|
* established. One layer is public facing and has normal secure methods with
|
||||||
@ -43,7 +43,7 @@ package org.acegisecurity;
|
|||||||
* <code>RunAsManager</code> interface provides a mechanism to elevate
|
* <code>RunAsManager</code> interface provides a mechanism to elevate
|
||||||
* security in this manner.
|
* security in this manner.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* It is expected implementations will provide a corresponding concrete
|
* It is expected implementations will provide a corresponding concrete
|
||||||
* <code>Authentication</code> and <code>AuthenticationProvider</code> so that
|
* <code>Authentication</code> and <code>AuthenticationProvider</code> so that
|
||||||
@ -71,7 +71,7 @@ public interface RunAsManager {
|
|||||||
* @return a replacement object to be used for duration of the secure object invocation, or <code>null</code> if
|
* @return a replacement object to be used for duration of the secure object invocation, or <code>null</code> if
|
||||||
* the <code>Authentication</code> should be left as is
|
* the <code>Authentication</code> should be left as is
|
||||||
*/
|
*/
|
||||||
public Authentication buildRunAs(Authentication authentication, Object object, ConfigAttributeDefinition config);
|
Authentication buildRunAs(Authentication authentication, Object object, ConfigAttributeDefinition config);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Indicates whether this <code>RunAsManager</code> is able to process the passed
|
* Indicates whether this <code>RunAsManager</code> is able to process the passed
|
||||||
@ -84,7 +84,7 @@ public interface RunAsManager {
|
|||||||
*
|
*
|
||||||
* @return <code>true</code> if this <code>RunAsManager</code> can support the passed configuration attribute
|
* @return <code>true</code> if this <code>RunAsManager</code> can support the passed configuration attribute
|
||||||
*/
|
*/
|
||||||
public boolean supports(ConfigAttribute attribute);
|
boolean supports(ConfigAttribute attribute);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Indicates whether the <code>RunAsManager</code> implementation is able to provide run-as replacement for
|
* Indicates whether the <code>RunAsManager</code> implementation is able to provide run-as replacement for
|
||||||
@ -94,5 +94,5 @@ public interface RunAsManager {
|
|||||||
*
|
*
|
||||||
* @return true if the implementation can process the indicated class
|
* @return true if the implementation can process the indicated class
|
||||||
*/
|
*/
|
||||||
public boolean supports(Class clazz);
|
boolean supports(Class clazz);
|
||||||
}
|
}
|
||||||
|
@ -21,7 +21,7 @@ import java.io.Serializable;
|
|||||||
/**
|
/**
|
||||||
* Marker interface representing an access control list entry associated with a
|
* Marker interface representing an access control list entry associated with a
|
||||||
* specific domain object instance.
|
* specific domain object instance.
|
||||||
*
|
*
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
|
@ -35,7 +35,7 @@ public interface AclManager {
|
|||||||
*
|
*
|
||||||
* @return the ACLs that apply, or <code>null</code> if no ACLs apply to the specified domain instance
|
* @return the ACLs that apply, or <code>null</code> if no ACLs apply to the specified domain instance
|
||||||
*/
|
*/
|
||||||
public AclEntry[] getAcls(Object domainInstance);
|
AclEntry[] getAcls(Object domainInstance);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Obtains the ACLs that apply to the specified domain instance, but only including those ACLs which have
|
* Obtains the ACLs that apply to the specified domain instance, but only including those ACLs which have
|
||||||
@ -47,5 +47,5 @@ public interface AclManager {
|
|||||||
* @return only those ACLs applying to the domain instance that have been granted to the principal (or
|
* @return only those ACLs applying to the domain instance that have been granted to the principal (or
|
||||||
* <code>null</code>) if no such ACLs are found
|
* <code>null</code>) if no such ACLs are found
|
||||||
*/
|
*/
|
||||||
public AclEntry[] getAcls(Object domainInstance, Authentication authentication);
|
AclEntry[] getAcls(Object domainInstance, Authentication authentication);
|
||||||
}
|
}
|
||||||
|
@ -21,7 +21,7 @@ import org.acegisecurity.Authentication;
|
|||||||
/**
|
/**
|
||||||
* Indicates a class can process a given domain object instance and
|
* Indicates a class can process a given domain object instance and
|
||||||
* authoritatively return the ACLs that apply.
|
* authoritatively return the ACLs that apply.
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* Implementations are typically called from the {@link AclProviderManager}.
|
* Implementations are typically called from the {@link AclProviderManager}.
|
||||||
* </p>
|
* </p>
|
||||||
@ -40,7 +40,7 @@ public interface AclProvider {
|
|||||||
*
|
*
|
||||||
* @return the ACLs that apply, or <code>null</code> if no ACLs apply to the specified domain instance
|
* @return the ACLs that apply, or <code>null</code> if no ACLs apply to the specified domain instance
|
||||||
*/
|
*/
|
||||||
public AclEntry[] getAcls(Object domainInstance);
|
AclEntry[] getAcls(Object domainInstance);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Obtains the ACLs that apply to the specified domain instance and presented <code>Authentication</code>
|
* Obtains the ACLs that apply to the specified domain instance and presented <code>Authentication</code>
|
||||||
@ -52,7 +52,7 @@ public interface AclProvider {
|
|||||||
* @return only those ACLs applying to the domain instance that have been granted to the principal (or
|
* @return only those ACLs applying to the domain instance that have been granted to the principal (or
|
||||||
* <code>null</code>) if no such ACLs are found
|
* <code>null</code>) if no such ACLs are found
|
||||||
*/
|
*/
|
||||||
public AclEntry[] getAcls(Object domainInstance, Authentication authentication);
|
AclEntry[] getAcls(Object domainInstance, Authentication authentication);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Indicates whether this <code>AclProvider</code> can authoritatively return ACL information for the
|
* Indicates whether this <code>AclProvider</code> can authoritatively return ACL information for the
|
||||||
@ -63,5 +63,5 @@ public interface AclProvider {
|
|||||||
* @return <code>true</code> if this provider is authoritative for the specified domain object instance,
|
* @return <code>true</code> if this provider is authoritative for the specified domain object instance,
|
||||||
* <code>false</code> otherwise
|
* <code>false</code> otherwise
|
||||||
*/
|
*/
|
||||||
public boolean supports(Object domainInstance);
|
boolean supports(Object domainInstance);
|
||||||
}
|
}
|
||||||
|
@ -20,7 +20,7 @@ import java.io.Serializable;
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Interface representing the identity of an individual domain object instance.
|
* Interface representing the identity of an individual domain object instance.
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* It should be noted that <code>AclObjectIdentity</code> instances are created
|
* It should be noted that <code>AclObjectIdentity</code> instances are created
|
||||||
* in various locations throughout the package. As
|
* in various locations throughout the package. As
|
||||||
@ -31,7 +31,7 @@ import java.io.Serializable;
|
|||||||
* <code>identity1.equals(identity2)</code>, rather than reference-equality of
|
* <code>identity1.equals(identity2)</code>, rather than reference-equality of
|
||||||
* <code>identity1==identity2</code>.
|
* <code>identity1==identity2</code>.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* In practical terms this means you must implement the standard
|
* In practical terms this means you must implement the standard
|
||||||
* <code>java.lang.Object</code> methods shown below. Depending on your
|
* <code>java.lang.Object</code> methods shown below. Depending on your
|
||||||
@ -53,12 +53,12 @@ public interface AclObjectIdentity extends Serializable {
|
|||||||
*
|
*
|
||||||
* @return <code>true</code> if the objects are equal, <code>false</code> otherwise
|
* @return <code>true</code> if the objects are equal, <code>false</code> otherwise
|
||||||
*/
|
*/
|
||||||
public boolean equals(Object obj);
|
boolean equals(Object obj);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Refer to the <code>java.lang.Object</code> documentation for the interface contract.
|
* Refer to the <code>java.lang.Object</code> documentation for the interface contract.
|
||||||
*
|
*
|
||||||
* @return a hash code representation of this object
|
* @return a hash code representation of this object
|
||||||
*/
|
*/
|
||||||
public int hashCode();
|
int hashCode();
|
||||||
}
|
}
|
||||||
|
@ -18,7 +18,7 @@ package org.acegisecurity.acl.basic;
|
|||||||
/**
|
/**
|
||||||
* Indicates a domain object instance is able to provide {@link
|
* Indicates a domain object instance is able to provide {@link
|
||||||
* AclObjectIdentity} information.
|
* AclObjectIdentity} information.
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* Domain objects must implement this interface if they wish to provide an
|
* Domain objects must implement this interface if they wish to provide an
|
||||||
* <code>AclObjectIdentity</code> rather than it being determined by relying
|
* <code>AclObjectIdentity</code> rather than it being determined by relying
|
||||||
@ -37,5 +37,5 @@ public interface AclObjectIdentityAware {
|
|||||||
*
|
*
|
||||||
* @return the ACL object identity for this instance (can never be <code>null</code>)
|
* @return the ACL object identity for this instance (can never be <code>null</code>)
|
||||||
*/
|
*/
|
||||||
public AclObjectIdentity getAclObjectIdentity();
|
AclObjectIdentity getAclObjectIdentity();
|
||||||
}
|
}
|
||||||
|
@ -18,13 +18,13 @@ package org.acegisecurity.acl.basic;
|
|||||||
/**
|
/**
|
||||||
* Represents a data access object that can return the {@link BasicAclEntry}s
|
* Represents a data access object that can return the {@link BasicAclEntry}s
|
||||||
* applying to a given ACL object identity.
|
* applying to a given ACL object identity.
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* <code>BasicAclDao</code> implementations are responsible for interpreting a
|
* <code>BasicAclDao</code> implementations are responsible for interpreting a
|
||||||
* given {@link AclObjectIdentity} and being able to lookup and return the
|
* given {@link AclObjectIdentity} and being able to lookup and return the
|
||||||
* corresponding {@link BasicAclEntry}[]s.
|
* corresponding {@link BasicAclEntry}[]s.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* <code>BasicAclDao</code>s many, but are not required to, allow the backend
|
* <code>BasicAclDao</code>s many, but are not required to, allow the backend
|
||||||
* ACL repository to specify the class of <code>BasicAclEntry</code>
|
* ACL repository to specify the class of <code>BasicAclEntry</code>
|
||||||
@ -48,5 +48,5 @@ public interface BasicAclDao {
|
|||||||
* @return the ACLs that apply (no <code>null</code>s are permitted in the array), or <code>null</code> if no ACLs
|
* @return the ACLs that apply (no <code>null</code>s are permitted in the array), or <code>null</code> if no ACLs
|
||||||
* could be found for the specified ACL object identity
|
* could be found for the specified ACL object identity
|
||||||
*/
|
*/
|
||||||
public BasicAclEntry[] getAcls(AclObjectIdentity aclObjectIdentity);
|
BasicAclEntry[] getAcls(AclObjectIdentity aclObjectIdentity);
|
||||||
}
|
}
|
||||||
|
@ -35,7 +35,7 @@ public interface BasicAclEntry extends AclEntry {
|
|||||||
*
|
*
|
||||||
* @return the ACL object identity that is subject of this ACL entry (never <code>null</code>)
|
* @return the ACL object identity that is subject of this ACL entry (never <code>null</code>)
|
||||||
*/
|
*/
|
||||||
public AclObjectIdentity getAclObjectIdentity();
|
AclObjectIdentity getAclObjectIdentity();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Indicates any ACL parent of the domain object instance. This is used by <code>BasicAclProvider</code> to
|
* Indicates any ACL parent of the domain object instance. This is used by <code>BasicAclProvider</code> to
|
||||||
@ -44,7 +44,7 @@ public interface BasicAclEntry extends AclEntry {
|
|||||||
* @return the ACL object identity that is the parent of this ACL entry (may be <code>null</code> if no parent
|
* @return the ACL object identity that is the parent of this ACL entry (may be <code>null</code> if no parent
|
||||||
* should be consulted)
|
* should be consulted)
|
||||||
*/
|
*/
|
||||||
public AclObjectIdentity getAclObjectParentIdentity();
|
AclObjectIdentity getAclObjectParentIdentity();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Access control lists in this package are based on bit masking. The integer value of the bit mask can be
|
* Access control lists in this package are based on bit masking. The integer value of the bit mask can be
|
||||||
@ -53,7 +53,7 @@ public interface BasicAclEntry extends AclEntry {
|
|||||||
* @return the bit mask applicable to this ACL entry (zero indicates a bit mask where no permissions have been
|
* @return the bit mask applicable to this ACL entry (zero indicates a bit mask where no permissions have been
|
||||||
* granted)
|
* granted)
|
||||||
*/
|
*/
|
||||||
public int getMask();
|
int getMask();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A domain object instance will usually have multiple <code>BasicAclEntry</code>s. Each separate
|
* A domain object instance will usually have multiple <code>BasicAclEntry</code>s. Each separate
|
||||||
@ -65,12 +65,12 @@ public interface BasicAclEntry extends AclEntry {
|
|||||||
* object type will vary depending on the type of recipient. For instance, it might be a <code>String</code>
|
* object type will vary depending on the type of recipient. For instance, it might be a <code>String</code>
|
||||||
* containing a username, or a <code>GrantedAuthorityImpl</code> containing a complex granted authority that is
|
* containing a username, or a <code>GrantedAuthorityImpl</code> containing a complex granted authority that is
|
||||||
* being granted the permissions contained in this access control entry. The {@link EffectiveAclsResolver} and
|
* being granted the permissions contained in this access control entry. The {@link EffectiveAclsResolver} and
|
||||||
* {@link BasicAclProvider#getAcls(Object, Authentication)} can process the different recipient types and return
|
* {@link BasicAclProvider#getAcls(Object,org.acegisecurity.Authentication)} can process the different recipient
|
||||||
* only those that apply to a specified <code>Authentication</code> object.</p>
|
* types and return only those that apply to a specified <code>Authentication</code> object.</p>
|
||||||
*
|
*
|
||||||
* @return the recipient of this access control list entry (never <code>null</code>)
|
* @return the recipient of this access control list entry (never <code>null</code>)
|
||||||
*/
|
*/
|
||||||
public Object getRecipient();
|
Object getRecipient();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Determine if the mask of this entry includes this permission or not
|
* Determine if the mask of this entry includes this permission or not
|
||||||
@ -79,7 +79,7 @@ public interface BasicAclEntry extends AclEntry {
|
|||||||
*
|
*
|
||||||
* @return if the entry's mask includes this permission
|
* @return if the entry's mask includes this permission
|
||||||
*/
|
*/
|
||||||
public boolean isPermitted(int permissionToCheck);
|
boolean isPermitted(int permissionToCheck);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This setter should <B>only</B> be used by DAO implementations.
|
* This setter should <B>only</B> be used by DAO implementations.
|
||||||
@ -87,7 +87,7 @@ public interface BasicAclEntry extends AclEntry {
|
|||||||
* @param aclObjectIdentity an object which can be used to uniquely identify the domain object instance subject of
|
* @param aclObjectIdentity an object which can be used to uniquely identify the domain object instance subject of
|
||||||
* this ACL entry
|
* this ACL entry
|
||||||
*/
|
*/
|
||||||
public void setAclObjectIdentity(AclObjectIdentity aclObjectIdentity);
|
void setAclObjectIdentity(AclObjectIdentity aclObjectIdentity);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This setter should <B>only</B> be used by DAO implementations.
|
* This setter should <B>only</B> be used by DAO implementations.
|
||||||
@ -96,14 +96,14 @@ public interface BasicAclEntry extends AclEntry {
|
|||||||
* this ACL entry, or <code>null</code> if either the domain object instance has no parent or its parent
|
* this ACL entry, or <code>null</code> if either the domain object instance has no parent or its parent
|
||||||
* should be not used to compute an inheritance hierarchy
|
* should be not used to compute an inheritance hierarchy
|
||||||
*/
|
*/
|
||||||
public void setAclObjectParentIdentity(AclObjectIdentity aclObjectParentIdentity);
|
void setAclObjectParentIdentity(AclObjectIdentity aclObjectParentIdentity);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This setter should <B>only</B> be used by DAO implementations.
|
* This setter should <B>only</B> be used by DAO implementations.
|
||||||
*
|
*
|
||||||
* @param mask the integer representing the permissions bit mask
|
* @param mask the integer representing the permissions bit mask
|
||||||
*/
|
*/
|
||||||
public void setMask(int mask);
|
void setMask(int mask);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This setter should <B>only</B> be used by DAO implementations.
|
* This setter should <B>only</B> be used by DAO implementations.
|
||||||
@ -111,5 +111,5 @@ public interface BasicAclEntry extends AclEntry {
|
|||||||
* @param recipient a representation of the recipient of this ACL entry that makes sense to an
|
* @param recipient a representation of the recipient of this ACL entry that makes sense to an
|
||||||
* <code>EffectiveAclsResolver</code> implementation
|
* <code>EffectiveAclsResolver</code> implementation
|
||||||
*/
|
*/
|
||||||
public void setRecipient(Object recipient);
|
void setRecipient(Object recipient);
|
||||||
}
|
}
|
||||||
|
@ -17,7 +17,7 @@ package org.acegisecurity.acl.basic;
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Provides a cache of {@link BasicAclEntry} objects.
|
* Provides a cache of {@link BasicAclEntry} objects.
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* Implementations should provide appropriate methods to set their cache
|
* Implementations should provide appropriate methods to set their cache
|
||||||
* parameters (eg time-to-live) and/or force removal of entities before their
|
* parameters (eg time-to-live) and/or force removal of entities before their
|
||||||
@ -41,7 +41,7 @@ public interface BasicAclEntryCache {
|
|||||||
* @return any applicable <code>BasicAclEntry</code>s (no <code>null</code>s are permitted in the returned array)
|
* @return any applicable <code>BasicAclEntry</code>s (no <code>null</code>s are permitted in the returned array)
|
||||||
* or <code>null</code> if the object identity could not be found or if the cache entry has expired
|
* or <code>null</code> if the object identity could not be found or if the cache entry has expired
|
||||||
*/
|
*/
|
||||||
public BasicAclEntry[] getEntriesFromCache(AclObjectIdentity aclObjectIdentity);
|
BasicAclEntry[] getEntriesFromCache(AclObjectIdentity aclObjectIdentity);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Places an array of {@link BasicAclEntry}s in the cache.<P>No <code>null</code>s are allowed in the
|
* Places an array of {@link BasicAclEntry}s in the cache.<P>No <code>null</code>s are allowed in the
|
||||||
@ -50,12 +50,12 @@ public interface BasicAclEntryCache {
|
|||||||
* @param basicAclEntry the ACL entries to cache (the key will be extracted from the {@link
|
* @param basicAclEntry the ACL entries to cache (the key will be extracted from the {@link
|
||||||
* BasicAclEntry#getAclObjectIdentity()} method
|
* BasicAclEntry#getAclObjectIdentity()} method
|
||||||
*/
|
*/
|
||||||
public void putEntriesInCache(BasicAclEntry[] basicAclEntry);
|
void putEntriesInCache(BasicAclEntry[] basicAclEntry);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Removes all ACL entries related to an {@link AclObjectIdentity} from the cache.
|
* Removes all ACL entries related to an {@link AclObjectIdentity} from the cache.
|
||||||
*
|
*
|
||||||
* @param aclObjectIdentity which should be removed from the cache
|
* @param aclObjectIdentity which should be removed from the cache
|
||||||
*/
|
*/
|
||||||
public void removeEntriesFromCache(AclObjectIdentity aclObjectIdentity);
|
void removeEntriesFromCache(AclObjectIdentity aclObjectIdentity);
|
||||||
}
|
}
|
||||||
|
@ -21,12 +21,12 @@ import org.springframework.dao.DataAccessException;
|
|||||||
/**
|
/**
|
||||||
* Represents a more extensive data access object
|
* Represents a more extensive data access object
|
||||||
* for {@link BasicAclEntry}s.
|
* for {@link BasicAclEntry}s.
|
||||||
*
|
*
|
||||||
* <P>
|
* <p>
|
||||||
* <code>BasicAclExtendedDao</code> implementations are responsible for interpreting a
|
* <code>BasicAclExtendedDao</code> implementations are responsible for interpreting a
|
||||||
* a given {@link AclObjectIdentity}.
|
* a given {@link AclObjectIdentity}.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
@ -43,10 +43,10 @@ public interface BasicAclExtendedDao extends BasicAclDao {
|
|||||||
*
|
*
|
||||||
* @throws DataAccessException DOCUMENT ME!
|
* @throws DataAccessException DOCUMENT ME!
|
||||||
*/
|
*/
|
||||||
public void changeMask(AclObjectIdentity aclObjectIdentity, Object recipient, Integer newMask)
|
void changeMask(AclObjectIdentity aclObjectIdentity, Object recipient, Integer newMask)
|
||||||
throws DataAccessException;
|
throws DataAccessException;
|
||||||
|
|
||||||
public void create(BasicAclEntry basicAclEntry) throws DataAccessException;
|
void create(BasicAclEntry basicAclEntry) throws DataAccessException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Deletes <b>all</b> entries associated with the specified <code>AclObjectIdentity</code>.
|
* Deletes <b>all</b> entries associated with the specified <code>AclObjectIdentity</code>.
|
||||||
@ -55,7 +55,7 @@ public interface BasicAclExtendedDao extends BasicAclDao {
|
|||||||
*
|
*
|
||||||
* @throws DataAccessException DOCUMENT ME!
|
* @throws DataAccessException DOCUMENT ME!
|
||||||
*/
|
*/
|
||||||
public void delete(AclObjectIdentity aclObjectIdentity)
|
void delete(AclObjectIdentity aclObjectIdentity)
|
||||||
throws DataAccessException;
|
throws DataAccessException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -67,6 +67,6 @@ public interface BasicAclExtendedDao extends BasicAclDao {
|
|||||||
*
|
*
|
||||||
* @throws DataAccessException DOCUMENT ME!
|
* @throws DataAccessException DOCUMENT ME!
|
||||||
*/
|
*/
|
||||||
public void delete(AclObjectIdentity aclObjectIdentity, Object recipient)
|
void delete(AclObjectIdentity aclObjectIdentity, Object recipient)
|
||||||
throws DataAccessException;
|
throws DataAccessException;
|
||||||
}
|
}
|
||||||
|
@ -23,14 +23,14 @@ import org.acegisecurity.acl.AclEntry;
|
|||||||
/**
|
/**
|
||||||
* Determines the ACLs that are effective for a given
|
* Determines the ACLs that are effective for a given
|
||||||
* <code>Authentication</code> object.
|
* <code>Authentication</code> object.
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* Implementations will vary depending on their ability to interpret the
|
* Implementations will vary depending on their ability to interpret the
|
||||||
* "recipient" object types contained in {@link BasicAclEntry} instances, and
|
* "recipient" object types contained in {@link BasicAclEntry} instances, and
|
||||||
* how those recipient object types correspond to
|
* how those recipient object types correspond to
|
||||||
* <code>Authentication</code>-presented principals and granted authorities.
|
* <code>Authentication</code>-presented principals and granted authorities.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* Implementations should not filter the resulting ACL list from lower-order
|
* Implementations should not filter the resulting ACL list from lower-order
|
||||||
* permissions. So if a resulting ACL list grants a "read" permission, an
|
* permissions. So if a resulting ACL list grants a "read" permission, an
|
||||||
@ -57,5 +57,5 @@ public interface EffectiveAclsResolver {
|
|||||||
*
|
*
|
||||||
* @return the ACLs that apply to the presented principal, or <code>null</code> if there are none after filtering
|
* @return the ACLs that apply to the presented principal, or <code>null</code> if there are none after filtering
|
||||||
*/
|
*/
|
||||||
public AclEntry[] resolveEffectiveAcls(AclEntry[] allAcls, Authentication filteredBy);
|
AclEntry[] resolveEffectiveAcls(AclEntry[] allAcls, Authentication filteredBy);
|
||||||
}
|
}
|
||||||
|
@ -96,9 +96,8 @@ public class GrantedAuthorityEffectiveAclsResolver implements EffectiveAclsResol
|
|||||||
|
|
||||||
if ((authorities == null) || (authorities.length == 0)) {
|
if ((authorities == null) || (authorities.length == 0)) {
|
||||||
if (logger.isDebugEnabled()) {
|
if (logger.isDebugEnabled()) {
|
||||||
logger.debug(
|
logger.debug("Did not match principal and there are no granted authorities, "
|
||||||
"Did not match principal and there are no granted authorities, so cannot compare with recipient: "
|
+ "so cannot compare with recipient: " + recipient);
|
||||||
+ recipient);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
continue;
|
continue;
|
||||||
|
@ -50,15 +50,15 @@ public class SimpleAclEntry extends AbstractBasicAclEntry {
|
|||||||
};
|
};
|
||||||
|
|
||||||
private static final String[] VALID_PERMISSIONS_AS_STRING = {
|
private static final String[] VALID_PERMISSIONS_AS_STRING = {
|
||||||
"NOTHING", "ADMINISTRATION", "READ", "WRITE", "CREATE", "DELETE", "READ_WRITE_CREATE_DELETE", "READ_WRITE_CREATE",
|
"NOTHING", "ADMINISTRATION", "READ", "WRITE", "CREATE", "DELETE", "READ_WRITE_CREATE_DELETE",
|
||||||
"READ_WRITE", "READ_WRITE_DELETE" };
|
"READ_WRITE_CREATE", "READ_WRITE", "READ_WRITE_DELETE" };
|
||||||
|
|
||||||
//~ Constructors ===================================================================================================
|
//~ Constructors ===================================================================================================
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Allows {@link BasicAclDao} implementations to construct this object
|
* Allows {@link BasicAclDao} implementations to construct this object
|
||||||
* using <code>newInstance()</code>.
|
* using <code>newInstance()</code>.
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* Normal classes should <B>not</B> use this default constructor.
|
* Normal classes should <B>not</B> use this default constructor.
|
||||||
* </p>
|
* </p>
|
||||||
@ -119,7 +119,7 @@ public class SimpleAclEntry extends AbstractBasicAclEntry {
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Parse a permission {@link String} literal and return associated value.
|
* Parse a permission {@link String} literal and return associated value.
|
||||||
*
|
*
|
||||||
* @param permission one of the field names that represent a permission: <code>ADMINISTRATION</code>,
|
* @param permission one of the field names that represent a permission: <code>ADMINISTRATION</code>,
|
||||||
* <code>READ</code>, <code>WRITE</code>,...
|
* <code>READ</code>, <code>WRITE</code>,...
|
||||||
* @return the value associated to that permission
|
* @return the value associated to that permission
|
||||||
@ -136,7 +136,7 @@ public class SimpleAclEntry extends AbstractBasicAclEntry {
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Parse a list of permission {@link String} literals and return associated values.
|
* Parse a list of permission {@link String} literals and return associated values.
|
||||||
*
|
*
|
||||||
* @param permissions array with permissions as {@link String}
|
* @param permissions array with permissions as {@link String}
|
||||||
* @see #parsePermission(String) for valid values
|
* @see #parsePermission(String) for valid values
|
||||||
*/
|
*/
|
||||||
|
@ -42,17 +42,27 @@ import javax.sql.DataSource;
|
|||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* <p>Retrieves ACL details from a JDBC location.</p>
|
* Retrieves ACL details from a JDBC location.
|
||||||
* <p>A default database structure is assumed. This may be overridden by setting the default query strings to use.
|
* <p>
|
||||||
|
* A default database structure is assumed. This may be overridden by setting the default query strings to use.
|
||||||
* If this does not provide enough flexibility, another strategy would be to subclass this class and override the
|
* If this does not provide enough flexibility, another strategy would be to subclass this class and override the
|
||||||
* {@link MappingSqlQuery} instance used, via the {@link #initMappingSqlQueries()} extension point.</p>
|
* {@link MappingSqlQuery} instance used, via the {@link #initMappingSqlQueries()} extension point.
|
||||||
|
* </p>
|
||||||
*/
|
*/
|
||||||
public class JdbcDaoImpl extends JdbcDaoSupport implements BasicAclDao {
|
public class JdbcDaoImpl extends JdbcDaoSupport implements BasicAclDao {
|
||||||
//~ Static fields/initializers =====================================================================================
|
//~ Static fields/initializers =====================================================================================
|
||||||
|
|
||||||
public static final String RECIPIENT_USED_FOR_INHERITENCE_MARKER = "___INHERITENCE_MARKER_ONLY___";
|
public static final String RECIPIENT_USED_FOR_INHERITENCE_MARKER = "___INHERITENCE_MARKER_ONLY___";
|
||||||
public static final String DEF_ACLS_BY_OBJECT_IDENTITY_QUERY = "SELECT RECIPIENT, MASK FROM acl_permission WHERE acl_object_identity = ?";
|
public static final String DEF_ACLS_BY_OBJECT_IDENTITY_QUERY =
|
||||||
public static final String DEF_OBJECT_PROPERTIES_QUERY = "SELECT CHILD.ID, CHILD.OBJECT_IDENTITY, CHILD.ACL_CLASS, PARENT.OBJECT_IDENTITY as PARENT_OBJECT_IDENTITY FROM acl_object_identity as CHILD LEFT OUTER JOIN acl_object_identity as PARENT ON CHILD.parent_object=PARENT.id WHERE CHILD.object_identity = ?";
|
"SELECT RECIPIENT, MASK FROM acl_permission WHERE acl_object_identity = ?";
|
||||||
|
public static final String DEF_OBJECT_PROPERTIES_QUERY =
|
||||||
|
"SELECT CHILD.ID, "
|
||||||
|
+ "CHILD.OBJECT_IDENTITY, "
|
||||||
|
+ "CHILD.ACL_CLASS, "
|
||||||
|
+ "PARENT.OBJECT_IDENTITY as PARENT_OBJECT_IDENTITY "
|
||||||
|
+ "FROM acl_object_identity as CHILD "
|
||||||
|
+ "LEFT OUTER JOIN acl_object_identity as PARENT ON CHILD.parent_object=PARENT.id "
|
||||||
|
+ "WHERE CHILD.object_identity = ?";
|
||||||
private static final Log logger = LogFactory.getLog(JdbcDaoImpl.class);
|
private static final Log logger = LogFactory.getLog(JdbcDaoImpl.class);
|
||||||
|
|
||||||
//~ Instance fields ================================================================================================
|
//~ Instance fields ================================================================================================
|
||||||
@ -382,7 +392,8 @@ public class JdbcDaoImpl extends JdbcDaoSupport implements BasicAclDao {
|
|||||||
throw new IllegalArgumentException(cnf.getMessage());
|
throw new IllegalArgumentException(cnf.getMessage());
|
||||||
}
|
}
|
||||||
|
|
||||||
return new AclDetailsHolder(id, buildIdentity(objectIdentity), buildIdentity(parentObjectIdentity), aclClazz);
|
return new AclDetailsHolder(id,
|
||||||
|
buildIdentity(objectIdentity), buildIdentity(parentObjectIdentity), aclClazz);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -48,8 +48,8 @@ import javax.sql.DataSource;
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* <p>Extension of the base {@link JdbcDaoImpl}, which implements {@link BasicAclExtendedDao}.</p>
|
* <p>Extension of the base {@link JdbcDaoImpl}, which implements {@link BasicAclExtendedDao}.</p>
|
||||||
* <p>A default database structure is assumed. This may be overridden by setting the default query strings to use.</p>
|
* <p>A default database structure is assumed. This may be overridden by setting the default query strings to use.</p>
|
||||||
* <p>If you are using a cache with <code>BasicAclProvider</code>, you should specify that cache via {@link
|
* <p>If you are using a cache with <code>BasicAclProvider</code>, you should specify that cache via {@link
|
||||||
* #setBasicAclEntryCache(BasicAclEntryCache)}. This will cause cache evictions (removals) to take place whenever a
|
* #setBasicAclEntryCache(BasicAclEntryCache)}. This will cause cache evictions (removals) to take place whenever a
|
||||||
* DAO mutator method is called.</p>
|
* DAO mutator method is called.</p>
|
||||||
* <p>This implementation works with <code>String</code> based recipients and {@link
|
* <p>This implementation works with <code>String</code> based recipients and {@link
|
||||||
@ -63,12 +63,18 @@ public class JdbcExtendedDaoImpl extends JdbcDaoImpl implements BasicAclExtended
|
|||||||
//~ Static fields/initializers =====================================================================================
|
//~ Static fields/initializers =====================================================================================
|
||||||
|
|
||||||
private static final Log logger = LogFactory.getLog(JdbcExtendedDaoImpl.class);
|
private static final Log logger = LogFactory.getLog(JdbcExtendedDaoImpl.class);
|
||||||
public static final String DEF_ACL_OBJECT_IDENTITY_DELETE_STATEMENT = "DELETE FROM acl_object_identity WHERE id = ?";
|
public static final String DEF_ACL_OBJECT_IDENTITY_DELETE_STATEMENT =
|
||||||
public static final String DEF_ACL_OBJECT_IDENTITY_INSERT_STATEMENT = "INSERT INTO acl_object_identity (object_identity, parent_object, acl_class) VALUES (?, ?, ?)";
|
"DELETE FROM acl_object_identity WHERE id = ?";
|
||||||
public static final String DEF_ACL_PERMISSION_DELETE_STATEMENT = "DELETE FROM acl_permission WHERE acl_object_identity = ? AND recipient = ?";
|
public static final String DEF_ACL_OBJECT_IDENTITY_INSERT_STATEMENT =
|
||||||
public static final String DEF_ACL_PERMISSION_INSERT_STATEMENT = "INSERT INTO acl_permission (acl_object_identity, recipient, mask) VALUES (?, ?, ?)";
|
"INSERT INTO acl_object_identity (object_identity, parent_object, acl_class) VALUES (?, ?, ?)";
|
||||||
public static final String DEF_ACL_PERMISSION_UPDATE_STATEMENT = "UPDATE acl_permission SET mask = ? WHERE id = ?";
|
public static final String DEF_ACL_PERMISSION_DELETE_STATEMENT =
|
||||||
public static final String DEF_LOOKUP_PERMISSION_ID_QUERY = "SELECT id FROM acl_permission WHERE acl_object_identity = ? AND recipient = ?";
|
"DELETE FROM acl_permission WHERE acl_object_identity = ? AND recipient = ?";
|
||||||
|
public static final String DEF_ACL_PERMISSION_INSERT_STATEMENT =
|
||||||
|
"INSERT INTO acl_permission (acl_object_identity, recipient, mask) VALUES (?, ?, ?)";
|
||||||
|
public static final String DEF_ACL_PERMISSION_UPDATE_STATEMENT =
|
||||||
|
"UPDATE acl_permission SET mask = ? WHERE id = ?";
|
||||||
|
public static final String DEF_LOOKUP_PERMISSION_ID_QUERY =
|
||||||
|
"SELECT id FROM acl_permission WHERE acl_object_identity = ? AND recipient = ?";
|
||||||
|
|
||||||
//~ Instance fields ================================================================================================
|
//~ Instance fields ================================================================================================
|
||||||
|
|
||||||
|
@ -19,32 +19,33 @@ import org.acegisecurity.acls.sid.Sid;
|
|||||||
import java.io.Serializable;
|
import java.io.Serializable;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Represents an individual permission assignment within an {@link Acl}.
|
* Represents an individual permission assignment within an {@link Acl}.
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* Instances MUST be immutable, as they are returned by <code>Acl</code>
|
* Instances MUST be immutable, as they are returned by <code>Acl</code>
|
||||||
* and should not allow client modification.
|
* and should not allow client modification.
|
||||||
*
|
* </p>
|
||||||
* @author Ben Alex
|
*
|
||||||
* @version $Id$
|
* @author Ben Alex
|
||||||
*
|
* @version $Id$
|
||||||
|
*
|
||||||
*/
|
*/
|
||||||
public interface AccessControlEntry {
|
public interface AccessControlEntry {
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
public Acl getAcl();
|
Acl getAcl();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Obtains an identifier that represents this ACE.
|
* Obtains an identifier that represents this ACE.
|
||||||
*
|
*
|
||||||
* @return the identifier, or <code>null</code> if unsaved
|
* @return the identifier, or <code>null</code> if unsaved
|
||||||
*/
|
*/
|
||||||
public Serializable getId();
|
Serializable getId();
|
||||||
|
|
||||||
public Permission getPermission();
|
Permission getPermission();
|
||||||
|
|
||||||
public Sid getSid();
|
Sid getSid();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Indicates the a Permission is being granted to the relevant Sid. If false, indicates the permission is
|
* Indicates the a Permission is being granted to the relevant Sid. If false, indicates the permission is
|
||||||
@ -52,5 +53,5 @@ public interface AccessControlEntry {
|
|||||||
*
|
*
|
||||||
* @return true if being granted, false otherwise
|
* @return true if being granted, false otherwise
|
||||||
*/
|
*/
|
||||||
public boolean isGranting();
|
boolean isGranting();
|
||||||
}
|
}
|
||||||
|
@ -20,25 +20,25 @@ import org.acegisecurity.acls.sid.Sid;
|
|||||||
import java.io.Serializable;
|
import java.io.Serializable;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Represents an access control list (ACL) for a domain object.
|
* Represents an access control list (ACL) for a domain object.
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* An <code>Acl</code> represents all ACL entries for a given domain object. In
|
* An <code>Acl</code> represents all ACL entries for a given domain object. In
|
||||||
* order to avoid needing references to the domain object itself, this
|
* order to avoid needing references to the domain object itself, this
|
||||||
* interface handles indirection between a domain object and an ACL object
|
* interface handles indirection between a domain object and an ACL object
|
||||||
* identity via the {@link
|
* identity via the {@link
|
||||||
* org.acegisecurity.acls.objectidentity.ObjectIdentity} interface.
|
* org.acegisecurity.acls.objectidentity.ObjectIdentity} interface.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* An implementation represents the {@link org.acegisecurity.acls.Permission}
|
* An implementation represents the {@link org.acegisecurity.acls.Permission}
|
||||||
* list applicable for some or all {@link org.acegisecurity.acls.sid.Sid}
|
* list applicable for some or all {@link org.acegisecurity.acls.sid.Sid}
|
||||||
* instances.
|
* instances.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
public interface Acl extends Serializable {
|
public interface Acl extends Serializable {
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
@ -50,14 +50,14 @@ public interface Acl extends Serializable {
|
|||||||
* particular ordering logic in authorization decisions, the entries returned by this method <em>MUST</em> be
|
* particular ordering logic in authorization decisions, the entries returned by this method <em>MUST</em> be
|
||||||
* ordered in that manner.</p>
|
* ordered in that manner.</p>
|
||||||
* <p>Do <em>NOT</em> use this method for making authorization decisions. Instead use {@link
|
* <p>Do <em>NOT</em> use this method for making authorization decisions. Instead use {@link
|
||||||
* #isGranted(Permission[], Sid[])}.</p>
|
* #isGranted(Permission[], Sid[], boolean)}.</p>
|
||||||
* <p>This method must operate correctly even if the <code>Acl</code> only represents a subset of
|
* <p>This method must operate correctly even if the <code>Acl</code> only represents a subset of
|
||||||
* <code>Sid</code>s. The caller is responsible for correctly handling the result if only a subset of
|
* <code>Sid</code>s. The caller is responsible for correctly handling the result if only a subset of
|
||||||
* <code>Sid</code>s is represented.</p>
|
* <code>Sid</code>s is represented.</p>
|
||||||
*
|
*
|
||||||
* @return the list of entries represented by the <code>Acl</code>
|
* @return the list of entries represented by the <code>Acl</code>
|
||||||
*/
|
*/
|
||||||
public AccessControlEntry[] getEntries();
|
AccessControlEntry[] getEntries();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Obtains the domain object this <code>Acl</code> provides entries for. This is immutable once an
|
* Obtains the domain object this <code>Acl</code> provides entries for. This is immutable once an
|
||||||
@ -65,7 +65,7 @@ public interface Acl extends Serializable {
|
|||||||
*
|
*
|
||||||
* @return the object identity
|
* @return the object identity
|
||||||
*/
|
*/
|
||||||
public ObjectIdentity getObjectIdentity();
|
ObjectIdentity getObjectIdentity();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Determines the owner of the <code>Acl</code>. The meaning of ownership varies by implementation and is
|
* Determines the owner of the <code>Acl</code>. The meaning of ownership varies by implementation and is
|
||||||
@ -73,7 +73,7 @@ public interface Acl extends Serializable {
|
|||||||
*
|
*
|
||||||
* @return the owner (may be null if the implementation does not use ownership concepts)
|
* @return the owner (may be null if the implementation does not use ownership concepts)
|
||||||
*/
|
*/
|
||||||
public Sid getOwner();
|
Sid getOwner();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A domain object may have a parent for the purpose of ACL inheritance. If there is a parent, its ACL can
|
* A domain object may have a parent for the purpose of ACL inheritance. If there is a parent, its ACL can
|
||||||
@ -87,7 +87,7 @@ public interface Acl extends Serializable {
|
|||||||
*
|
*
|
||||||
* @return the parent <code>Acl</code>
|
* @return the parent <code>Acl</code>
|
||||||
*/
|
*/
|
||||||
public Acl getParentAcl();
|
Acl getParentAcl();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Indicates whether the ACL entries from the {@link #getParentAcl()} should flow down into the current
|
* Indicates whether the ACL entries from the {@link #getParentAcl()} should flow down into the current
|
||||||
@ -98,7 +98,7 @@ public interface Acl extends Serializable {
|
|||||||
*
|
*
|
||||||
* @return <code>true</code> if parent ACL entries inherit into the current <code>Acl</code>
|
* @return <code>true</code> if parent ACL entries inherit into the current <code>Acl</code>
|
||||||
*/
|
*/
|
||||||
public boolean isEntriesInheriting();
|
boolean isEntriesInheriting();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This is the actual authorization logic method, and must be used whenever ACL authorization decisions are
|
* This is the actual authorization logic method, and must be used whenever ACL authorization decisions are
|
||||||
@ -131,22 +131,25 @@ public interface Acl extends Serializable {
|
|||||||
* @throws UnloadedSidException thrown if the <code>Acl</code> does not have details for one or more of the
|
* @throws UnloadedSidException thrown if the <code>Acl</code> does not have details for one or more of the
|
||||||
* <code>Sid</code>s passed as arguments
|
* <code>Sid</code>s passed as arguments
|
||||||
*/
|
*/
|
||||||
public boolean isGranted(Permission[] permission, Sid[] sids, boolean administrativeMode)
|
boolean isGranted(Permission[] permission, Sid[] sids, boolean administrativeMode)
|
||||||
throws NotFoundException, UnloadedSidException;
|
throws NotFoundException, UnloadedSidException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* For efficiency reasons an <code>Acl</code> may be loaded and <em>not</em> contain entries for every
|
* For efficiency reasons an <code>Acl</code> may be loaded and <em>not</em> contain entries for every
|
||||||
* <code>Sid</code> in the system. If an <code>Acl</code> has been loaded and does not represent every
|
* <code>Sid</code> in the system. If an <code>Acl</code> has been loaded and does not represent every
|
||||||
* <code>Sid</code>, all methods of the <code>Sid</code> can only be used within the limited scope of the
|
* <code>Sid</code>, all methods of the <code>Sid</code> can only be used within the limited scope of the
|
||||||
* <code>Sid</code> instances it actually represents.<p>It is normal to load an <code>Acl</code> for only
|
* <code>Sid</code> instances it actually represents.
|
||||||
* particular <code>Sid</code>s if read-only authorization decisions are being made. However, if user interface
|
* <p>
|
||||||
* reporting or modification of <code>Acl</code>s are desired, an <code>Acl</code> should be loaded with all
|
* It is normal to load an <code>Acl</code> for only particular <code>Sid</code>s if read-only authorization
|
||||||
* <code>Sid</code>s. This method denotes whether or not the specified <code>Sid</code>s have been loaded or not.</p>
|
* decisions are being made. However, if user interface reporting or modification of <code>Acl</code>s are
|
||||||
|
* desired, an <code>Acl</code> should be loaded with all <code>Sid</code>s. This method denotes whether or
|
||||||
|
* not the specified <code>Sid</code>s have been loaded or not.
|
||||||
|
* </p>
|
||||||
*
|
*
|
||||||
* @param sids one or more security identities the caller is interest in knowing whether this <code>Sid</code>
|
* @param sids one or more security identities the caller is interest in knowing whether this <code>Sid</code>
|
||||||
* supports
|
* supports
|
||||||
*
|
*
|
||||||
* @return <code>true</code> if every passed <code>Sid</code> is represented by this <code>Acl</code> instance
|
* @return <code>true</code> if every passed <code>Sid</code> is represented by this <code>Acl</code> instance
|
||||||
*/
|
*/
|
||||||
public boolean isSidLoaded(Sid[] sids);
|
boolean isSidLoaded(Sid[] sids);
|
||||||
}
|
}
|
||||||
|
@ -23,7 +23,12 @@ import org.springframework.util.Assert;
|
|||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
public class AclFormattingUtils {
|
public final class AclFormattingUtils {
|
||||||
|
//~ Constructors ===================================================================================================
|
||||||
|
|
||||||
|
private AclFormattingUtils() {
|
||||||
|
}
|
||||||
|
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
public static String demergePatterns(String original, String removeBits) {
|
public static String demergePatterns(String original, String removeBits) {
|
||||||
|
@ -20,11 +20,11 @@ import org.acegisecurity.acls.sid.Sid;
|
|||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Provides retrieval of {@link Acl} instances.
|
* Provides retrieval of {@link Acl} instances.
|
||||||
*
|
*
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
public interface AclService {
|
public interface AclService {
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
@ -36,7 +36,7 @@ public interface AclService {
|
|||||||
*
|
*
|
||||||
* @return the children (or <code>null</code> if none were found)
|
* @return the children (or <code>null</code> if none were found)
|
||||||
*/
|
*/
|
||||||
public ObjectIdentity[] findChildren(ObjectIdentity parentIdentity);
|
ObjectIdentity[] findChildren(ObjectIdentity parentIdentity);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Same as {@link #readAclsById(ObjectIdentity[])} except it returns only a single Acl.<p>This method
|
* Same as {@link #readAclsById(ObjectIdentity[])} except it returns only a single Acl.<p>This method
|
||||||
@ -49,7 +49,7 @@ public interface AclService {
|
|||||||
*
|
*
|
||||||
* @throws NotFoundException DOCUMENT ME!
|
* @throws NotFoundException DOCUMENT ME!
|
||||||
*/
|
*/
|
||||||
public Acl readAclById(ObjectIdentity object) throws NotFoundException;
|
Acl readAclById(ObjectIdentity object) throws NotFoundException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Same as {@link #readAclsById(ObjectIdentity[], Sid[])} except it returns only a single Acl.
|
* Same as {@link #readAclsById(ObjectIdentity[], Sid[])} except it returns only a single Acl.
|
||||||
@ -61,7 +61,7 @@ public interface AclService {
|
|||||||
*
|
*
|
||||||
* @throws NotFoundException DOCUMENT ME!
|
* @throws NotFoundException DOCUMENT ME!
|
||||||
*/
|
*/
|
||||||
public Acl readAclById(ObjectIdentity object, Sid[] sids)
|
Acl readAclById(ObjectIdentity object, Sid[] sids)
|
||||||
throws NotFoundException;
|
throws NotFoundException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -75,7 +75,7 @@ public interface AclService {
|
|||||||
*
|
*
|
||||||
* @throws NotFoundException DOCUMENT ME!
|
* @throws NotFoundException DOCUMENT ME!
|
||||||
*/
|
*/
|
||||||
public Map readAclsById(ObjectIdentity[] objects) throws NotFoundException;
|
Map readAclsById(ObjectIdentity[] objects) throws NotFoundException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Obtains all the <code>Acl</code>s that apply for the passed <code>Object</code>s, but only for the
|
* Obtains all the <code>Acl</code>s that apply for the passed <code>Object</code>s, but only for the
|
||||||
@ -95,6 +95,6 @@ public interface AclService {
|
|||||||
*
|
*
|
||||||
* @throws NotFoundException DOCUMENT ME!
|
* @throws NotFoundException DOCUMENT ME!
|
||||||
*/
|
*/
|
||||||
public Map readAclsById(ObjectIdentity[] objects, Sid[] sids)
|
Map readAclsById(ObjectIdentity[] objects, Sid[] sids)
|
||||||
throws NotFoundException;
|
throws NotFoundException;
|
||||||
}
|
}
|
||||||
|
@ -14,17 +14,17 @@
|
|||||||
*/
|
*/
|
||||||
package org.acegisecurity.acls;
|
package org.acegisecurity.acls;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Represents an ACE that provides auditing information.
|
* Represents an ACE that provides auditing information.
|
||||||
*
|
*
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
public interface AuditableAccessControlEntry extends AccessControlEntry {
|
public interface AuditableAccessControlEntry extends AccessControlEntry {
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
public boolean isAuditFailure();
|
boolean isAuditFailure();
|
||||||
|
|
||||||
public boolean isAuditSuccess();
|
boolean isAuditSuccess();
|
||||||
}
|
}
|
||||||
|
@ -17,15 +17,15 @@ package org.acegisecurity.acls;
|
|||||||
import java.io.Serializable;
|
import java.io.Serializable;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A mutable ACL that provides audit capabilities.
|
* A mutable ACL that provides audit capabilities.
|
||||||
*
|
*
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
public interface AuditableAcl extends MutableAcl {
|
public interface AuditableAcl extends MutableAcl {
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
public void updateAuditing(Serializable aceId, boolean auditSuccess, boolean auditFailure);
|
void updateAuditing(Serializable aceId, boolean auditSuccess, boolean auditFailure);
|
||||||
}
|
}
|
||||||
|
@ -19,21 +19,21 @@ import org.acegisecurity.acls.sid.Sid;
|
|||||||
import java.io.Serializable;
|
import java.io.Serializable;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A mutable <code>Acl</code>.
|
* A mutable <code>Acl</code>.
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* A mutable ACL must ensure that appropriate security checks are performed
|
* A mutable ACL must ensure that appropriate security checks are performed
|
||||||
* before allowing access to its methods.
|
* before allowing access to its methods.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
public interface MutableAcl extends Acl {
|
public interface MutableAcl extends Acl {
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
public void deleteAce(Serializable aceId) throws NotFoundException;
|
void deleteAce(Serializable aceId) throws NotFoundException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Retrieves all of the non-deleted {@link AccessControlEntry} instances currently stored by the
|
* Retrieves all of the non-deleted {@link AccessControlEntry} instances currently stored by the
|
||||||
@ -44,16 +44,16 @@ public interface MutableAcl extends Acl {
|
|||||||
*
|
*
|
||||||
* @return DOCUMENT ME!
|
* @return DOCUMENT ME!
|
||||||
*/
|
*/
|
||||||
public AccessControlEntry[] getEntries();
|
AccessControlEntry[] getEntries();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Obtains an identifier that represents this <code>MutableAcl</code>.
|
* Obtains an identifier that represents this <code>MutableAcl</code>.
|
||||||
*
|
*
|
||||||
* @return the identifier, or <code>null</code> if unsaved
|
* @return the identifier, or <code>null</code> if unsaved
|
||||||
*/
|
*/
|
||||||
public Serializable getId();
|
Serializable getId();
|
||||||
|
|
||||||
public void insertAce(Serializable afterAceId, Permission permission, Sid sid, boolean granting)
|
void insertAce(Serializable afterAceId, Permission permission, Sid sid, boolean granting)
|
||||||
throws NotFoundException;
|
throws NotFoundException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -61,15 +61,15 @@ public interface MutableAcl extends Acl {
|
|||||||
*
|
*
|
||||||
* @param entriesInheriting the new value
|
* @param entriesInheriting the new value
|
||||||
*/
|
*/
|
||||||
public void setEntriesInheriting(boolean entriesInheriting);
|
void setEntriesInheriting(boolean entriesInheriting);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Changes the parent of this ACL.
|
* Changes the parent of this ACL.
|
||||||
*
|
*
|
||||||
* @param newParent the new parent
|
* @param newParent the new parent
|
||||||
*/
|
*/
|
||||||
public void setParent(MutableAcl newParent);
|
void setParent(MutableAcl newParent);
|
||||||
|
|
||||||
public void updateAce(Serializable aceId, Permission permission)
|
void updateAce(Serializable aceId, Permission permission)
|
||||||
throws NotFoundException;
|
throws NotFoundException;
|
||||||
}
|
}
|
||||||
|
@ -17,11 +17,11 @@ package org.acegisecurity.acls;
|
|||||||
import org.acegisecurity.acls.objectidentity.ObjectIdentity;
|
import org.acegisecurity.acls.objectidentity.ObjectIdentity;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Provides support for creating and storing <code>Acl</code> instances.
|
* Provides support for creating and storing <code>Acl</code> instances.
|
||||||
*
|
*
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
public interface MutableAclService extends AclService {
|
public interface MutableAclService extends AclService {
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
@ -36,7 +36,7 @@ public interface MutableAclService extends AclService {
|
|||||||
*
|
*
|
||||||
* @throws AlreadyExistsException if the passed object identity already has a record
|
* @throws AlreadyExistsException if the passed object identity already has a record
|
||||||
*/
|
*/
|
||||||
public MutableAcl createAcl(ObjectIdentity objectIdentity)
|
MutableAcl createAcl(ObjectIdentity objectIdentity)
|
||||||
throws AlreadyExistsException;
|
throws AlreadyExistsException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -47,7 +47,7 @@ public interface MutableAclService extends AclService {
|
|||||||
*
|
*
|
||||||
* @throws ChildrenExistException if the deleteChildren argument was <code>false</code> but children exist
|
* @throws ChildrenExistException if the deleteChildren argument was <code>false</code> but children exist
|
||||||
*/
|
*/
|
||||||
public void deleteAcl(ObjectIdentity objectIdentity, boolean deleteChildren)
|
void deleteAcl(ObjectIdentity objectIdentity, boolean deleteChildren)
|
||||||
throws ChildrenExistException;
|
throws ChildrenExistException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -61,5 +61,5 @@ public interface MutableAclService extends AclService {
|
|||||||
* #createAcl(ObjectIdentity)} to create the object, rather than creating it with the <code>new</code>
|
* #createAcl(ObjectIdentity)} to create the object, rather than creating it with the <code>new</code>
|
||||||
* keyword?)
|
* keyword?)
|
||||||
*/
|
*/
|
||||||
public MutableAcl updateAcl(MutableAcl acl) throws NotFoundException;
|
MutableAcl updateAcl(MutableAcl acl) throws NotFoundException;
|
||||||
}
|
}
|
||||||
|
@ -17,19 +17,19 @@ package org.acegisecurity.acls;
|
|||||||
import org.acegisecurity.acls.sid.Sid;
|
import org.acegisecurity.acls.sid.Sid;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A mutable ACL that provides ownership capabilities.
|
* A mutable ACL that provides ownership capabilities.
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* Generally the owner of an ACL is able to call any ACL mutator method, as
|
* Generally the owner of an ACL is able to call any ACL mutator method, as
|
||||||
* well as assign a new owner.
|
* well as assign a new owner.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
public interface OwnershipAcl extends MutableAcl {
|
public interface OwnershipAcl extends MutableAcl {
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
public void setOwner(Sid newOwner);
|
void setOwner(Sid newOwner);
|
||||||
}
|
}
|
||||||
|
@ -14,21 +14,18 @@
|
|||||||
*/
|
*/
|
||||||
package org.acegisecurity.acls;
|
package org.acegisecurity.acls;
|
||||||
|
|
||||||
import org.acegisecurity.acls.sid.Sid;
|
/**
|
||||||
|
* Represents a permission granted to a {@link org.acegisecurity.acls.sid.Sid Sid} for a given domain object.
|
||||||
|
*
|
||||||
/**
|
* @author Ben Alex
|
||||||
* Represents a permission granted to a {@link Sid} for a given domain object.
|
* @version $Id$
|
||||||
*
|
|
||||||
* @author Ben Alex
|
|
||||||
* @version $Id$
|
|
||||||
*/
|
*/
|
||||||
public interface Permission {
|
public interface Permission {
|
||||||
//~ Static fields/initializers =====================================================================================
|
//~ Static fields/initializers =====================================================================================
|
||||||
|
|
||||||
public static final char RESERVED_ON = '~';
|
char RESERVED_ON = '~';
|
||||||
public static final char RESERVED_OFF = '.';
|
char RESERVED_OFF = '.';
|
||||||
public static final String THIRTY_TWO_RESERVED_OFF = "................................";
|
String THIRTY_TWO_RESERVED_OFF = "................................";
|
||||||
|
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
@ -37,20 +34,22 @@ public interface Permission {
|
|||||||
*
|
*
|
||||||
* @return the bits that represent the permission
|
* @return the bits that represent the permission
|
||||||
*/
|
*/
|
||||||
public int getMask();
|
int getMask();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns a 32-character long bit pattern <code>String</code> representing this permission.<p>Implementations
|
* Returns a 32-character long bit pattern <code>String</code> representing this permission.
|
||||||
* are free to format the pattern as they see fit, although under no circumstances may {@link #RESERVED_OFF} or
|
* <p>
|
||||||
* {@link #RESERVED_ON} be used within the pattern. An exemption is in the case of {@link #RESERVED_OFF} which is
|
* Implementations are free to format the pattern as they see fit, although under no circumstances may
|
||||||
* used to denote a bit that is off (clear). Implementations may also elect to use {@link #RESERVED_ON} internally
|
* {@link #RESERVED_OFF} or {@link #RESERVED_ON} be used within the pattern. An exemption is in the case of
|
||||||
* for computation purposes, although this method may not return any <code>String</code> containing {@link
|
* {@link #RESERVED_OFF} which is used to denote a bit that is off (clear).
|
||||||
* #RESERVED_ON}.</p>
|
* Implementations may also elect to use {@link #RESERVED_ON} internally for computation purposes,
|
||||||
|
* although this method may not return any <code>String</code> containing {@link #RESERVED_ON}.
|
||||||
|
* </p>
|
||||||
* <p>The returned String must be 32 characters in length.</p>
|
* <p>The returned String must be 32 characters in length.</p>
|
||||||
* <p>This method is only used for user interface and logging purposes. It is not used in any permission
|
* <p>This method is only used for user interface and logging purposes. It is not used in any permission
|
||||||
* calculations. Therefore, duplication of characters within the output is permitted.</p>
|
* calculations. Therefore, duplication of characters within the output is permitted.</p>
|
||||||
*
|
*
|
||||||
* @return a 32-character bit pattern
|
* @return a 32-character bit pattern
|
||||||
*/
|
*/
|
||||||
public String getPattern();
|
String getPattern();
|
||||||
}
|
}
|
||||||
|
@ -21,18 +21,18 @@ import org.acegisecurity.acls.Acl;
|
|||||||
/**
|
/**
|
||||||
* Strategy used by {@link AclImpl} to determine whether a principal is permitted to call
|
* Strategy used by {@link AclImpl} to determine whether a principal is permitted to call
|
||||||
* adminstrative methods on the <code>AclImpl</code>.
|
* adminstrative methods on the <code>AclImpl</code>.
|
||||||
*
|
*
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
public interface AclAuthorizationStrategy {
|
public interface AclAuthorizationStrategy {
|
||||||
//~ Static fields/initializers =====================================================================================
|
//~ Static fields/initializers =====================================================================================
|
||||||
|
|
||||||
public static final int CHANGE_OWNERSHIP = 0;
|
int CHANGE_OWNERSHIP = 0;
|
||||||
public static final int CHANGE_AUDITING = 1;
|
int CHANGE_AUDITING = 1;
|
||||||
public static final int CHANGE_GENERAL = 2;
|
int CHANGE_GENERAL = 2;
|
||||||
|
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
public void securityCheck(Acl acl, int changeType);
|
void securityCheck(Acl acl, int changeType);
|
||||||
}
|
}
|
||||||
|
@ -53,7 +53,7 @@ public class AclAuthorizationStrategyImpl implements AclAuthorizationStrategy {
|
|||||||
/**
|
/**
|
||||||
* Constructor. The only mandatory parameter relates to the system-wide {@link GrantedAuthority} instances that
|
* Constructor. The only mandatory parameter relates to the system-wide {@link GrantedAuthority} instances that
|
||||||
* can be held to always permit ACL changes.
|
* can be held to always permit ACL changes.
|
||||||
*
|
*
|
||||||
* @param auths an array of <code>GrantedAuthority</code>s that have
|
* @param auths an array of <code>GrantedAuthority</code>s that have
|
||||||
* special permissions (index 0 is the authority needed to change
|
* special permissions (index 0 is the authority needed to change
|
||||||
* ownership, index 1 is the authority needed to modify auditing details,
|
* ownership, index 1 is the authority needed to modify auditing details,
|
||||||
@ -81,7 +81,8 @@ public class AclAuthorizationStrategyImpl implements AclAuthorizationStrategy {
|
|||||||
// Check if authorized by virtue of ACL ownership
|
// Check if authorized by virtue of ACL ownership
|
||||||
Sid currentUser = new PrincipalSid(authentication);
|
Sid currentUser = new PrincipalSid(authentication);
|
||||||
|
|
||||||
if (currentUser.equals(acl.getOwner()) && ((changeType == CHANGE_GENERAL) || (changeType == CHANGE_OWNERSHIP))) {
|
if (currentUser.equals(acl.getOwner())
|
||||||
|
&& ((changeType == CHANGE_GENERAL) || (changeType == CHANGE_OWNERSHIP))) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -17,15 +17,15 @@ package org.acegisecurity.acls.domain;
|
|||||||
import org.acegisecurity.acls.AccessControlEntry;
|
import org.acegisecurity.acls.AccessControlEntry;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Used by <code>AclImpl</code> to log audit events.
|
* Used by <code>AclImpl</code> to log audit events.
|
||||||
*
|
*
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
public interface AuditLogger {
|
public interface AuditLogger {
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
public void logIfNeeded(boolean granted, AccessControlEntry ace);
|
void logIfNeeded(boolean granted, AccessControlEntry ace);
|
||||||
}
|
}
|
||||||
|
@ -33,7 +33,7 @@ import java.util.Vector;
|
|||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
public class BasePermission implements Permission {
|
public final class BasePermission implements Permission {
|
||||||
//~ Static fields/initializers =====================================================================================
|
//~ Static fields/initializers =====================================================================================
|
||||||
|
|
||||||
public static final Permission READ = new BasePermission(1 << 0, 'R'); // 1
|
public static final Permission READ = new BasePermission(1 << 0, 'R'); // 1
|
||||||
|
@ -31,9 +31,9 @@ public class ConsoleAuditLogger implements AuditLogger {
|
|||||||
|
|
||||||
public void logIfNeeded(boolean granted, AccessControlEntry ace) {
|
public void logIfNeeded(boolean granted, AccessControlEntry ace) {
|
||||||
Assert.notNull(ace, "AccessControlEntry required");
|
Assert.notNull(ace, "AccessControlEntry required");
|
||||||
|
|
||||||
if (ace instanceof AuditableAccessControlEntry) {
|
if (ace instanceof AuditableAccessControlEntry) {
|
||||||
AuditableAccessControlEntry auditableAce = (AuditableAccessControlEntry) ace;
|
AuditableAccessControlEntry auditableAce = (AuditableAccessControlEntry) ace;
|
||||||
|
|
||||||
if (granted && auditableAce.isAuditSuccess()) {
|
if (granted && auditableAce.isAuditSuccess()) {
|
||||||
System.out.println("GRANTED due to ACE: " + ace);
|
System.out.println("GRANTED due to ACE: " + ace);
|
||||||
|
@ -20,23 +20,23 @@ import org.acegisecurity.acls.objectidentity.ObjectIdentity;
|
|||||||
import java.io.Serializable;
|
import java.io.Serializable;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A caching layer for {@link JdbcAclService}.
|
* A caching layer for {@link JdbcAclService}.
|
||||||
*
|
*
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
public interface AclCache {
|
public interface AclCache {
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
public void evictFromCache(Serializable pk);
|
void evictFromCache(Serializable pk);
|
||||||
|
|
||||||
public void evictFromCache(ObjectIdentity objectIdentity);
|
void evictFromCache(ObjectIdentity objectIdentity);
|
||||||
|
|
||||||
public MutableAcl getFromCache(ObjectIdentity objectIdentity);
|
MutableAcl getFromCache(ObjectIdentity objectIdentity);
|
||||||
|
|
||||||
public MutableAcl getFromCache(Serializable pk);
|
MutableAcl getFromCache(Serializable pk);
|
||||||
|
|
||||||
public void putInCache(MutableAcl acl);
|
void putInCache(MutableAcl acl);
|
||||||
}
|
}
|
||||||
|
@ -79,12 +79,12 @@ public final class BasicLookupStrategy implements LookupStrategy {
|
|||||||
|
|
||||||
//~ Constructors ===================================================================================================
|
//~ Constructors ===================================================================================================
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Constructor accepting mandatory arguments
|
* Constructor accepting mandatory arguments
|
||||||
*
|
*
|
||||||
* @param dataSource to access the database
|
* @param dataSource to access the database
|
||||||
* @param aclCache the cache where fully-loaded elements can be stored
|
* @param aclCache the cache where fully-loaded elements can be stored
|
||||||
* @param aclAuthorizationStrategy authorization strategy (required)
|
* @param aclAuthorizationStrategy authorization strategy (required)
|
||||||
*/
|
*/
|
||||||
public BasicLookupStrategy(DataSource dataSource, AclCache aclCache,
|
public BasicLookupStrategy(DataSource dataSource, AclCache aclCache,
|
||||||
AclAuthorizationStrategy aclAuthorizationStrategy, AuditLogger auditLogger) {
|
AclAuthorizationStrategy aclAuthorizationStrategy, AuditLogger auditLogger) {
|
||||||
@ -106,7 +106,8 @@ public final class BasicLookupStrategy implements LookupStrategy {
|
|||||||
String startSql = "select ACL_OBJECT_IDENTITY.OBJECT_ID_IDENTITY, ACL_ENTRY.ACE_ORDER, "
|
String startSql = "select ACL_OBJECT_IDENTITY.OBJECT_ID_IDENTITY, ACL_ENTRY.ACE_ORDER, "
|
||||||
+ "ACL_OBJECT_IDENTITY.ID as ACL_ID, " + "ACL_OBJECT_IDENTITY.PARENT_OBJECT, "
|
+ "ACL_OBJECT_IDENTITY.ID as ACL_ID, " + "ACL_OBJECT_IDENTITY.PARENT_OBJECT, "
|
||||||
+ "ACL_OBJECT_IDENTITY,ENTRIES_INHERITING, "
|
+ "ACL_OBJECT_IDENTITY,ENTRIES_INHERITING, "
|
||||||
+ "ACL_ENTRY.ID as ACE_ID, ACL_ENTRY.MASK, ACL_ENTRY.GRANTING, ACL_ENTRY.AUDIT_SUCCESS, ACL_ENTRY.AUDIT_FAILURE, "
|
+ "ACL_ENTRY.ID as ACE_ID, ACL_ENTRY.MASK, ACL_ENTRY.GRANTING, "
|
||||||
|
+ "ACL_ENTRY.AUDIT_SUCCESS, ACL_ENTRY.AUDIT_FAILURE, "
|
||||||
+ "ACL_SID.PRINCIPAL as ACE_PRINCIPAL, ACL_SID.SID as ACE_SID, "
|
+ "ACL_SID.PRINCIPAL as ACE_PRINCIPAL, ACL_SID.SID as ACE_SID, "
|
||||||
+ "ACLI_SID.PRINCIPAL as ACL_PRINCIPAL, ACLI_SID.SID as ACL_SID, " + "ACL_CLASS.CLASS "
|
+ "ACLI_SID.PRINCIPAL as ACL_PRINCIPAL, ACLI_SID.SID as ACL_SID, " + "ACL_CLASS.CLASS "
|
||||||
+ "from ACL_OBJECT_IDENTITY, ACL_SID ACLI_SID, ACL_CLASS "
|
+ "from ACL_OBJECT_IDENTITY, ACL_SID ACLI_SID, ACL_CLASS "
|
||||||
@ -387,7 +388,8 @@ public final class BasicLookupStrategy implements LookupStrategy {
|
|||||||
continue; // now in results, so move to next element
|
continue; // now in results, so move to next element
|
||||||
} else {
|
} else {
|
||||||
throw new IllegalStateException(
|
throw new IllegalStateException(
|
||||||
"Error: SID-filtered element detected when implementation does not perform SID filtering - have you added something to the cache manually?");
|
"Error: SID-filtered element detected when implementation does not perform SID filtering "
|
||||||
|
+ "- have you added something to the cache manually?");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -128,7 +128,7 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
|
|||||||
}
|
}
|
||||||
|
|
||||||
public void setValues(PreparedStatement stmt, int i)
|
public void setValues(PreparedStatement stmt, int i)
|
||||||
throws SQLException {
|
throws SQLException {
|
||||||
AccessControlEntry entry_ = (AccessControlEntry) Array.get(acl.getEntries(), i);
|
AccessControlEntry entry_ = (AccessControlEntry) Array.get(acl.getEntries(), i);
|
||||||
Assert.isTrue(entry_ instanceof AccessControlEntryImpl, "Unknown ACE class");
|
Assert.isTrue(entry_ instanceof AccessControlEntryImpl, "Unknown ACE class");
|
||||||
|
|
||||||
@ -176,7 +176,8 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
|
|||||||
if (allowCreate) {
|
if (allowCreate) {
|
||||||
classId = null;
|
classId = null;
|
||||||
jdbcTemplate.update(insertClass, new Object[] {clazz.getName()});
|
jdbcTemplate.update(insertClass, new Object[] {clazz.getName()});
|
||||||
Assert.isTrue(TransactionSynchronizationManager.isSynchronizationActive(), "Transaction must be running");
|
Assert.isTrue(TransactionSynchronizationManager.isSynchronizationActive(),
|
||||||
|
"Transaction must be running");
|
||||||
classId = new Long(jdbcTemplate.queryForLong(identityQuery));
|
classId = new Long(jdbcTemplate.queryForLong(identityQuery));
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
@ -220,7 +221,8 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
|
|||||||
if (allowCreate) {
|
if (allowCreate) {
|
||||||
sidId = null;
|
sidId = null;
|
||||||
jdbcTemplate.update(insertSid, new Object[] {new Boolean(principal), sidName});
|
jdbcTemplate.update(insertSid, new Object[] {new Boolean(principal), sidName});
|
||||||
Assert.isTrue(TransactionSynchronizationManager.isSynchronizationActive(), "Transaction must be running");
|
Assert.isTrue(TransactionSynchronizationManager.isSynchronizationActive(),
|
||||||
|
"Transaction must be running");
|
||||||
sidId = new Long(jdbcTemplate.queryForLong(identityQuery));
|
sidId = new Long(jdbcTemplate.queryForLong(identityQuery));
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
@ -263,7 +265,8 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
|
|||||||
* @param oid the rows in acl_entry to delete
|
* @param oid the rows in acl_entry to delete
|
||||||
*/
|
*/
|
||||||
protected void deleteEntries(ObjectIdentity oid) {
|
protected void deleteEntries(ObjectIdentity oid) {
|
||||||
jdbcTemplate.update(deleteEntryByObjectIdentityForeignKey, new Object[] {retrieveObjectIdentityPrimaryKey(oid)});
|
jdbcTemplate.update(deleteEntryByObjectIdentityForeignKey,
|
||||||
|
new Object[] {retrieveObjectIdentityPrimaryKey(oid)});
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -20,11 +20,11 @@ import org.acegisecurity.acls.sid.Sid;
|
|||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Performs optimised lookups for {@link JdbcAclService}.
|
* Performs optimised lookups for {@link JdbcAclService}.
|
||||||
*
|
*
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
public interface LookupStrategy {
|
public interface LookupStrategy {
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
@ -39,5 +39,5 @@ public interface LookupStrategy {
|
|||||||
* @return the <code>Map</code> pursuant to the interface contract for {@link
|
* @return the <code>Map</code> pursuant to the interface contract for {@link
|
||||||
* org.acegisecurity.acls.AclService#readAclsById(ObjectIdentity[], Sid[])}
|
* org.acegisecurity.acls.AclService#readAclsById(ObjectIdentity[], Sid[])}
|
||||||
*/
|
*/
|
||||||
public Map readAclsById(ObjectIdentity[] objects, Sid[] sids);
|
Map readAclsById(ObjectIdentity[] objects, Sid[] sids);
|
||||||
}
|
}
|
||||||
|
@ -17,20 +17,20 @@ package org.acegisecurity.acls.objectidentity;
|
|||||||
import java.io.Serializable;
|
import java.io.Serializable;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Interface representing the identity of an individual domain object instance.
|
* Interface representing the identity of an individual domain object instance.
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* As implementations are used as the key for caching and lookup, it is
|
* As implementations are used as the key for caching and lookup, it is
|
||||||
* essential that implementations provide methods so that object-equality
|
* essential that implementations provide methods so that object-equality
|
||||||
* rather than reference-equality can be relied upon by caches. In other
|
* rather than reference-equality can be relied upon by caches. In other
|
||||||
* words, a cache can consider two <code>ObjectIdentity</code>s equal if
|
* words, a cache can consider two <code>ObjectIdentity</code>s equal if
|
||||||
* <code>identity1.equals(identity2)</code>, rather than reference-equality of
|
* <code>identity1.equals(identity2)</code>, rather than reference-equality of
|
||||||
* <code>identity1==identity2</code>.
|
* <code>identity1==identity2</code>.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
public interface ObjectIdentity extends Serializable {
|
public interface ObjectIdentity extends Serializable {
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
@ -42,7 +42,7 @@ public interface ObjectIdentity extends Serializable {
|
|||||||
*
|
*
|
||||||
* @return <code>true</code> if the objects are equal, <code>false</code> otherwise
|
* @return <code>true</code> if the objects are equal, <code>false</code> otherwise
|
||||||
*/
|
*/
|
||||||
public boolean equals(Object obj);
|
boolean equals(Object obj);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Obtains the actual identifier. This identifier must not be reused to represent other domain objects with
|
* Obtains the actual identifier. This identifier must not be reused to represent other domain objects with
|
||||||
@ -52,19 +52,19 @@ public interface ObjectIdentity extends Serializable {
|
|||||||
*
|
*
|
||||||
* @return the identifier (unique within this <code>javaType</code>
|
* @return the identifier (unique within this <code>javaType</code>
|
||||||
*/
|
*/
|
||||||
public Serializable getIdentifier();
|
Serializable getIdentifier();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Obtains the Java type represented by the domain object.
|
* Obtains the Java type represented by the domain object.
|
||||||
*
|
*
|
||||||
* @return the Java type of the domain object
|
* @return the Java type of the domain object
|
||||||
*/
|
*/
|
||||||
public Class getJavaType();
|
Class getJavaType();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Refer to the <code>java.lang.Object</code> documentation for the interface contract.
|
* Refer to the <code>java.lang.Object</code> documentation for the interface contract.
|
||||||
*
|
*
|
||||||
* @return a hash code representation of this object
|
* @return a hash code representation of this object
|
||||||
*/
|
*/
|
||||||
public int hashCode();
|
int hashCode();
|
||||||
}
|
}
|
||||||
|
@ -14,8 +14,6 @@
|
|||||||
*/
|
*/
|
||||||
package org.acegisecurity.acls.objectidentity;
|
package org.acegisecurity.acls.objectidentity;
|
||||||
|
|
||||||
import org.acegisecurity.acl.basic.AclObjectIdentity;
|
|
||||||
|
|
||||||
import org.acegisecurity.acls.IdentityUnavailableException;
|
import org.acegisecurity.acls.IdentityUnavailableException;
|
||||||
|
|
||||||
import org.springframework.util.Assert;
|
import org.springframework.util.Assert;
|
||||||
@ -27,8 +25,11 @@ import java.lang.reflect.Method;
|
|||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Simple implementation of {@link AclObjectIdentity}.<P>Uses <code>String</code>s to store the identity of the
|
* Simple implementation of {@link org.acegisecurity.acl.basic.AclObjectIdentity AclObjectIdentity}.
|
||||||
* domain object instance. Also offers a constructor that uses reflection to build the identity information.</p>
|
* <p>
|
||||||
|
* Uses <code>String</code>s to store the identity of the domain object instance. Also offers a constructor that uses
|
||||||
|
* reflection to build the identity information.
|
||||||
|
* </p>
|
||||||
*/
|
*/
|
||||||
public class ObjectIdentityImpl implements ObjectIdentity {
|
public class ObjectIdentityImpl implements ObjectIdentity {
|
||||||
//~ Instance fields ================================================================================================
|
//~ Instance fields ================================================================================================
|
||||||
@ -58,16 +59,16 @@ public class ObjectIdentityImpl implements ObjectIdentity {
|
|||||||
this.identifier = identifier;
|
this.identifier = identifier;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Creates the <code>ObjectIdentityImpl</code> based on the passed
|
* Creates the <code>ObjectIdentityImpl</code> based on the passed
|
||||||
* object instance. The passed object must provide a <code>getId()</code>
|
* object instance. The passed object must provide a <code>getId()</code>
|
||||||
* method, otherwise an exception will be thrown. The object passed will
|
* method, otherwise an exception will be thrown. The object passed will
|
||||||
* be considered the {@link #javaType}, so if more control is required,
|
* be considered the {@link #javaType}, so if more control is required,
|
||||||
* an alternate constructor should be used instead.
|
* an alternate constructor should be used instead.
|
||||||
*
|
*
|
||||||
* @param object the domain object instance to create an identity for
|
* @param object the domain object instance to create an identity for
|
||||||
*
|
*
|
||||||
* @throws IdentityUnavailableException if identity could not be extracted
|
* @throws IdentityUnavailableException if identity could not be extracted
|
||||||
*/
|
*/
|
||||||
public ObjectIdentityImpl(Object object) throws IdentityUnavailableException {
|
public ObjectIdentityImpl(Object object) throws IdentityUnavailableException {
|
||||||
Assert.notNull(object, "object cannot be null");
|
Assert.notNull(object, "object cannot be null");
|
||||||
|
@ -18,7 +18,7 @@ package org.acegisecurity.acls.objectidentity;
|
|||||||
/**
|
/**
|
||||||
* Strategy interface that provides the ability to determine which {@link ObjectIdentity}
|
* Strategy interface that provides the ability to determine which {@link ObjectIdentity}
|
||||||
* will be returned for a particular domain object
|
* will be returned for a particular domain object
|
||||||
*
|
*
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*
|
*
|
||||||
@ -26,5 +26,5 @@ package org.acegisecurity.acls.objectidentity;
|
|||||||
public interface ObjectIdentityRetrievalStrategy {
|
public interface ObjectIdentityRetrievalStrategy {
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
public ObjectIdentity getObjectIdentity(Object domainObject);
|
ObjectIdentity getObjectIdentity(Object domainObject);
|
||||||
}
|
}
|
||||||
|
@ -14,20 +14,20 @@
|
|||||||
*/
|
*/
|
||||||
package org.acegisecurity.acls.sid;
|
package org.acegisecurity.acls.sid;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A security identity recognised by the ACL system.
|
* A security identity recognised by the ACL system.
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* This interface provides indirection between actual security objects (eg
|
* This interface provides indirection between actual security objects (eg
|
||||||
* principals, roles, groups etc) and what is stored inside an
|
* principals, roles, groups etc) and what is stored inside an
|
||||||
* <code>Acl</code>. This is because an <code>Acl</code> will not store an
|
* <code>Acl</code>. This is because an <code>Acl</code> will not store an
|
||||||
* entire security object, but only an abstraction of it. This interface
|
* entire security object, but only an abstraction of it. This interface
|
||||||
* therefore provides a simple way to compare these abstracted security
|
* therefore provides a simple way to compare these abstracted security
|
||||||
* identities with other security identities and actual security objects.
|
* identities with other security identities and actual security objects.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
public interface Sid {
|
public interface Sid {
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
@ -39,12 +39,12 @@ public interface Sid {
|
|||||||
*
|
*
|
||||||
* @return <code>true</code> if the objects are equal, <code>false</code> otherwise
|
* @return <code>true</code> if the objects are equal, <code>false</code> otherwise
|
||||||
*/
|
*/
|
||||||
public boolean equals(Object obj);
|
boolean equals(Object obj);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Refer to the <code>java.lang.Object</code> documentation for the interface contract.
|
* Refer to the <code>java.lang.Object</code> documentation for the interface contract.
|
||||||
*
|
*
|
||||||
* @return a hash code representation of this object
|
* @return a hash code representation of this object
|
||||||
*/
|
*/
|
||||||
public int hashCode();
|
int hashCode();
|
||||||
}
|
}
|
||||||
|
@ -21,12 +21,12 @@ import org.acegisecurity.Authentication;
|
|||||||
/**
|
/**
|
||||||
* Strategy interface that provides an ability to determine the {@link Sid} instances applicable
|
* Strategy interface that provides an ability to determine the {@link Sid} instances applicable
|
||||||
* for an {@link Authentication}.
|
* for an {@link Authentication}.
|
||||||
*
|
*
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
public interface SidRetrievalStrategy {
|
public interface SidRetrievalStrategy {
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
public Sid[] getSids(Authentication authentication);
|
Sid[] getSids(Authentication authentication);
|
||||||
}
|
}
|
||||||
|
@ -21,7 +21,7 @@ import org.acegisecurity.Authentication;
|
|||||||
/**
|
/**
|
||||||
* Indicates a specialized, immutable, server-side only {@link Authentication}
|
* Indicates a specialized, immutable, server-side only {@link Authentication}
|
||||||
* class.
|
* class.
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* Automatically considered valid by the {@link AuthByAdapterProvider},
|
* Automatically considered valid by the {@link AuthByAdapterProvider},
|
||||||
* provided the hash code presented by the implementation objects matches that
|
* provided the hash code presented by the implementation objects matches that
|
||||||
@ -41,5 +41,5 @@ public interface AuthByAdapter extends Authentication {
|
|||||||
*
|
*
|
||||||
* @return the hash code of the key used when the object was created.
|
* @return the hash code of the key used when the object was created.
|
||||||
*/
|
*/
|
||||||
public int getKeyHash();
|
int getKeyHash();
|
||||||
}
|
}
|
||||||
|
@ -29,7 +29,7 @@ import java.security.Principal;
|
|||||||
public class PrincipalAcegiUserToken extends AbstractAdapterAuthenticationToken implements Principal {
|
public class PrincipalAcegiUserToken extends AbstractAdapterAuthenticationToken implements Principal {
|
||||||
//~ Instance fields ================================================================================================
|
//~ Instance fields ================================================================================================
|
||||||
|
|
||||||
private static final long serialVersionUID = 1L;
|
private static final long serialVersionUID = 1L;
|
||||||
private Object principal;
|
private Object principal;
|
||||||
private String password;
|
private String password;
|
||||||
private String username;
|
private String username;
|
||||||
|
@ -20,7 +20,6 @@ import org.acegisecurity.AuthorizationServiceException;
|
|||||||
import org.acegisecurity.ConfigAttribute;
|
import org.acegisecurity.ConfigAttribute;
|
||||||
import org.acegisecurity.ConfigAttributeDefinition;
|
import org.acegisecurity.ConfigAttributeDefinition;
|
||||||
|
|
||||||
import org.acegisecurity.acls.Acl;
|
|
||||||
import org.acegisecurity.acls.AclService;
|
import org.acegisecurity.acls.AclService;
|
||||||
import org.acegisecurity.acls.Permission;
|
import org.acegisecurity.acls.Permission;
|
||||||
|
|
||||||
@ -39,7 +38,9 @@ import java.util.Iterator;
|
|||||||
* each <code>Collection</code> domain object instance element for the current <code>Authentication</code> object.</p>
|
* each <code>Collection</code> domain object instance element for the current <code>Authentication</code> object.</p>
|
||||||
* <p>This after invocation provider will fire if any {@link ConfigAttribute#getAttribute()} matches the {@link
|
* <p>This after invocation provider will fire if any {@link ConfigAttribute#getAttribute()} matches the {@link
|
||||||
* #processConfigAttribute}. The provider will then lookup the ACLs from the <code>AclService</code> and ensure the
|
* #processConfigAttribute}. The provider will then lookup the ACLs from the <code>AclService</code> and ensure the
|
||||||
* principal is {@link Acl#isGranted(org.acegisecurity.acls.Permission[], org.acegisecurity.acls.sid.Sid[], boolean)}
|
* principal is
|
||||||
|
* {@link org.acegisecurity.acls.Acl#isGranted(org.acegisecurity.acls.Permission[],
|
||||||
|
* org.acegisecurity.acls.sid.Sid[], boolean) Acl.isGranted(Permission[], Sid[], boolean)}
|
||||||
* when presenting the {@link #requirePermission} array to that method.</p>
|
* when presenting the {@link #requirePermission} array to that method.</p>
|
||||||
* <p>If the principal does not have permission, that element will not be included in the returned
|
* <p>If the principal does not have permission, that element will not be included in the returned
|
||||||
* <code>Collection</code>.</p>
|
* <code>Collection</code>.</p>
|
||||||
@ -94,9 +95,8 @@ public class AclEntryAfterInvocationCollectionFilteringProvider extends Abstract
|
|||||||
Object[] array = (Object[]) returnedObject;
|
Object[] array = (Object[]) returnedObject;
|
||||||
filterer = new ArrayFilterer(array);
|
filterer = new ArrayFilterer(array);
|
||||||
} else {
|
} else {
|
||||||
throw new AuthorizationServiceException(
|
throw new AuthorizationServiceException("A Collection or an array (or null) was required as the "
|
||||||
"A Collection or an array (or null) was required as the returnedObject, but the returnedObject was: "
|
+ "returnedObject, but the returnedObject was: " + returnedObject);
|
||||||
+ returnedObject);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Locate unauthorised Collection elements
|
// Locate unauthorised Collection elements
|
||||||
|
@ -20,7 +20,6 @@ import org.acegisecurity.Authentication;
|
|||||||
import org.acegisecurity.ConfigAttribute;
|
import org.acegisecurity.ConfigAttribute;
|
||||||
import org.acegisecurity.ConfigAttributeDefinition;
|
import org.acegisecurity.ConfigAttributeDefinition;
|
||||||
|
|
||||||
import org.acegisecurity.acls.Acl;
|
|
||||||
import org.acegisecurity.acls.AclService;
|
import org.acegisecurity.acls.AclService;
|
||||||
import org.acegisecurity.acls.Permission;
|
import org.acegisecurity.acls.Permission;
|
||||||
|
|
||||||
@ -37,19 +36,20 @@ import java.util.Iterator;
|
|||||||
/**
|
/**
|
||||||
* <p>Given a domain object instance returned from a secure object invocation, ensures the principal has
|
* <p>Given a domain object instance returned from a secure object invocation, ensures the principal has
|
||||||
* appropriate permission as defined by the {@link AclService}.</p>
|
* appropriate permission as defined by the {@link AclService}.</p>
|
||||||
* <p>The <code>AclService</code> is used to retrieve the access control list (ACL) permissions associated with a
|
* <p>The <code>AclService</code> is used to retrieve the access control list (ACL) permissions associated with a
|
||||||
* domain object instance for the current <code>Authentication</code> object.</p>
|
* domain object instance for the current <code>Authentication</code> object.</p>
|
||||||
* <p>This after invocation provider will fire if any {@link ConfigAttribute#getAttribute()} matches the {@link
|
* <p>This after invocation provider will fire if any {@link ConfigAttribute#getAttribute()} matches the {@link
|
||||||
* #processConfigAttribute}. The provider will then lookup the ACLs from the <code>AclService</code> and ensure the
|
* #processConfigAttribute}. The provider will then lookup the ACLs from the <code>AclService</code> and ensure the
|
||||||
* principal is {@link Acl#isGranted(org.acegisecurity.acls.Permission[], org.acegisecurity.acls.sid.Sid[], boolean)}
|
* principal is {@link org.acegisecurity.acls.Acl#isGranted(org.acegisecurity.acls.Permission[],
|
||||||
|
org.acegisecurity.acls.sid.Sid[], boolean) Acl.isGranted(Permission[], Sid[], boolean)}
|
||||||
* when presenting the {@link #requirePermission} array to that method.</p>
|
* when presenting the {@link #requirePermission} array to that method.</p>
|
||||||
* <p>Often users will setup an <code>AclEntryAfterInvocationProvider</code> with a {@link
|
* <p>Often users will setup an <code>AclEntryAfterInvocationProvider</code> with a {@link
|
||||||
* #processConfigAttribute} of <code>AFTER_ACL_READ</code> and a {@link #requirePermission} of
|
* #processConfigAttribute} of <code>AFTER_ACL_READ</code> and a {@link #requirePermission} of
|
||||||
* <code>BasePermission.READ</code>. These are also the defaults.</p>
|
* <code>BasePermission.READ</code>. These are also the defaults.</p>
|
||||||
* <p>If the principal does not have sufficient permissions, an <code>AccessDeniedException</code> will be thrown.</p>
|
* <p>If the principal does not have sufficient permissions, an <code>AccessDeniedException</code> will be thrown.</p>
|
||||||
* <p>If the provided <code>returnObject</code> is <code>null</code>, permission will always be granted and
|
* <p>If the provided <code>returnObject</code> is <code>null</code>, permission will always be granted and
|
||||||
* <code>null</code> will be returned.</p>
|
* <code>null</code> will be returned.</p>
|
||||||
* <p>All comparisons and prefixes are case sensitive.</p>
|
* <p>All comparisons and prefixes are case sensitive.</p>
|
||||||
*/
|
*/
|
||||||
public class AclEntryAfterInvocationProvider extends AbstractAclProvider implements MessageSourceAware {
|
public class AclEntryAfterInvocationProvider extends AbstractAclProvider implements MessageSourceAware {
|
||||||
//~ Static fields/initializers =====================================================================================
|
//~ Static fields/initializers =====================================================================================
|
||||||
@ -113,7 +113,7 @@ public class AclEntryAfterInvocationProvider extends AbstractAclProvider impleme
|
|||||||
return returnedObject;
|
return returnedObject;
|
||||||
}
|
}
|
||||||
|
|
||||||
public void setMessageSource(MessageSource messages) {
|
public void setMessageSource(MessageSource messageSource) {
|
||||||
this.messages = new MessageSourceAccessor(messages);
|
this.messages = new MessageSourceAccessor(messageSource);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -31,7 +31,7 @@ import org.acegisecurity.ConfigAttributeDefinition;
|
|||||||
public interface AfterInvocationProvider {
|
public interface AfterInvocationProvider {
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
public Object decide(Authentication authentication, Object object, ConfigAttributeDefinition config,
|
Object decide(Authentication authentication, Object object, ConfigAttributeDefinition config,
|
||||||
Object returnedObject) throws AccessDeniedException;
|
Object returnedObject) throws AccessDeniedException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -46,7 +46,7 @@ public interface AfterInvocationProvider {
|
|||||||
*
|
*
|
||||||
* @return true if this <code>AfterInvocationProvider</code> can support the passed configuration attribute
|
* @return true if this <code>AfterInvocationProvider</code> can support the passed configuration attribute
|
||||||
*/
|
*/
|
||||||
public boolean supports(ConfigAttribute attribute);
|
boolean supports(ConfigAttribute attribute);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Indicates whether the <code>AfterInvocationProvider</code> is able to provide "after invocation"
|
* Indicates whether the <code>AfterInvocationProvider</code> is able to provide "after invocation"
|
||||||
@ -56,5 +56,5 @@ public interface AfterInvocationProvider {
|
|||||||
*
|
*
|
||||||
* @return true if the implementation can process the indicated class
|
* @return true if the implementation can process the indicated class
|
||||||
*/
|
*/
|
||||||
public boolean supports(Class clazz);
|
boolean supports(Class clazz);
|
||||||
}
|
}
|
||||||
|
@ -36,7 +36,8 @@ import java.util.Set;
|
|||||||
class ArrayFilterer implements Filterer {
|
class ArrayFilterer implements Filterer {
|
||||||
//~ Static fields/initializers =====================================================================================
|
//~ Static fields/initializers =====================================================================================
|
||||||
|
|
||||||
protected static final Log logger = LogFactory.getLog(BasicAclEntryAfterInvocationCollectionFilteringProvider.class);
|
protected static final Log logger =
|
||||||
|
LogFactory.getLog(BasicAclEntryAfterInvocationCollectionFilteringProvider.class);
|
||||||
|
|
||||||
//~ Instance fields ================================================================================================
|
//~ Instance fields ================================================================================================
|
||||||
|
|
||||||
@ -57,7 +58,7 @@ class ArrayFilterer implements Filterer {
|
|||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
* @see org.acegisecurity.afterinvocation.Filterer#getFilteredObject()
|
* @see org.acegisecurity.afterinvocation.Filterer#getFilteredObject()
|
||||||
*/
|
*/
|
||||||
public Object getFilteredObject() {
|
public Object getFilteredObject() {
|
||||||
@ -84,7 +85,7 @@ class ArrayFilterer implements Filterer {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
* @see org.acegisecurity.afterinvocation.Filterer#iterator()
|
* @see org.acegisecurity.afterinvocation.Filterer#iterator()
|
||||||
*/
|
*/
|
||||||
public Iterator iterator() {
|
public Iterator iterator() {
|
||||||
@ -92,7 +93,7 @@ class ArrayFilterer implements Filterer {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
* @see org.acegisecurity.afterinvocation.Filterer#remove(java.lang.Object)
|
* @see org.acegisecurity.afterinvocation.Filterer#remove(java.lang.Object)
|
||||||
*/
|
*/
|
||||||
public void remove(Object object) {
|
public void remove(Object object) {
|
||||||
|
@ -116,9 +116,8 @@ public class BasicAclEntryAfterInvocationCollectionFilteringProvider implements
|
|||||||
Object[] array = (Object[]) returnedObject;
|
Object[] array = (Object[]) returnedObject;
|
||||||
filterer = new ArrayFilterer(array);
|
filterer = new ArrayFilterer(array);
|
||||||
} else {
|
} else {
|
||||||
throw new AuthorizationServiceException(
|
throw new AuthorizationServiceException("A Collection or an array (or null) was required as the "
|
||||||
"A Collection or an array (or null) was required as the returnedObject, but the returnedObject was: "
|
+ "returnedObject, but the returnedObject was: " + returnedObject);
|
||||||
+ returnedObject);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Locate unauthorised Collection elements
|
// Locate unauthorised Collection elements
|
||||||
@ -207,12 +206,12 @@ public class BasicAclEntryAfterInvocationCollectionFilteringProvider implements
|
|||||||
* Allow setting permissions with String literals instead of integers as {@link
|
* Allow setting permissions with String literals instead of integers as {@link
|
||||||
* #setRequirePermission(int[])}
|
* #setRequirePermission(int[])}
|
||||||
*
|
*
|
||||||
* @param requirePermission permission literals
|
* @param requiredPermissions permission literals
|
||||||
*
|
*
|
||||||
* @see SimpleAclEntry#parsePermissions(String[]) for valid values
|
* @see SimpleAclEntry#parsePermissions(String[]) for valid values
|
||||||
*/
|
*/
|
||||||
public void setRequirePermissionFromString(String[] requirePermission) {
|
public void setRequirePermissionFromString(String[] requiredPermissions) {
|
||||||
setRequirePermission(SimpleAclEntry.parsePermissions(requirePermission));
|
setRequirePermission(SimpleAclEntry.parsePermissions(requiredPermissions));
|
||||||
}
|
}
|
||||||
|
|
||||||
public boolean supports(ConfigAttribute attribute) {
|
public boolean supports(ConfigAttribute attribute) {
|
||||||
|
@ -146,7 +146,8 @@ public class BasicAclEntryAfterInvocationProvider implements AfterInvocationProv
|
|||||||
throw new AccessDeniedException(messages.getMessage(
|
throw new AccessDeniedException(messages.getMessage(
|
||||||
"BasicAclEntryAfterInvocationProvider.insufficientPermission",
|
"BasicAclEntryAfterInvocationProvider.insufficientPermission",
|
||||||
new Object[] {authentication.getName(), returnedObject},
|
new Object[] {authentication.getName(), returnedObject},
|
||||||
"Authentication {0} has ACL permissions to the domain object, but not the required ACL permission to the domain object {1}"));
|
"Authentication {0} has ACL permissions to the domain object, "
|
||||||
|
+ "but not the required ACL permission to the domain object {1}"));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -188,12 +189,12 @@ public class BasicAclEntryAfterInvocationProvider implements AfterInvocationProv
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Allow setting permissions with String literals instead of integers as {@link #setRequirePermission(int[])}
|
* Allow setting permissions with String literals instead of integers as {@link #setRequirePermission(int[])}
|
||||||
*
|
*
|
||||||
* @param requirePermission Permission literals
|
* @param requiredPermissions Permission literals
|
||||||
* @see SimpleAclEntry#parsePermissions(String[]) for valid values
|
* @see SimpleAclEntry#parsePermissions(String[]) for valid values
|
||||||
*/
|
*/
|
||||||
public void setRequirePermissionFromString(String[] requirePermission) {
|
public void setRequirePermissionFromString(String[] requiredPermissions) {
|
||||||
setRequirePermission(SimpleAclEntry.parsePermissions(requirePermission));
|
setRequirePermission(SimpleAclEntry.parsePermissions(requiredPermissions));
|
||||||
}
|
}
|
||||||
|
|
||||||
public boolean supports(ConfigAttribute attribute) {
|
public boolean supports(ConfigAttribute attribute) {
|
||||||
|
@ -20,7 +20,7 @@ import java.util.Iterator;
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Filter strategy interface.
|
* Filter strategy interface.
|
||||||
*
|
*
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @author Paulo Neves
|
* @author Paulo Neves
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
@ -33,19 +33,19 @@ interface Filterer {
|
|||||||
*
|
*
|
||||||
* @return the filtered collection or array
|
* @return the filtered collection or array
|
||||||
*/
|
*/
|
||||||
public Object getFilteredObject();
|
Object getFilteredObject();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns an iterator over the filtered collection or array.
|
* Returns an iterator over the filtered collection or array.
|
||||||
*
|
*
|
||||||
* @return an Iterator
|
* @return an Iterator
|
||||||
*/
|
*/
|
||||||
public Iterator iterator();
|
Iterator iterator();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Removes the the given object from the resulting list.
|
* Removes the the given object from the resulting list.
|
||||||
*
|
*
|
||||||
* @param object the object to be removed
|
* @param object the object to be removed
|
||||||
*/
|
*/
|
||||||
public void remove(Object object);
|
void remove(Object object);
|
||||||
}
|
}
|
||||||
|
@ -44,11 +44,15 @@ import javax.servlet.http.HttpServletResponse;
|
|||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The captcha entry point : redirect to the captcha test page. <br><p>This entry point can force the use of SSL :
|
* The captcha entry point : redirect to the captcha test page.
|
||||||
* see {@link #getForceHttps()}<br></p>
|
* <p>
|
||||||
* This entry point allows internal OR external redirect : see {@link #setOutsideWebApp(boolean)}<br>
|
* This entry point can force the use of SSL : see {@link #getForceHttps()}
|
||||||
* / Original request can be added to the redirect path using a custom translation : see {@link #setIncludeOriginalRequest(boolean)}<br>
|
* </p>
|
||||||
* Original request is translated using URLEncoding and the following translation mapping in the redirect url :
|
* <p>
|
||||||
|
* This entry point allows internal OR external redirect : see {@link #setOutsideWebApp(boolean)}<br />
|
||||||
|
* / Original request can be added to the redirect path using a custom translation : see
|
||||||
|
* {@link #setIncludeOriginalRequest(boolean)}<br />
|
||||||
|
* The original request is translated using URLEncoding and the following translation mapping in the redirect url :
|
||||||
* <ul>
|
* <ul>
|
||||||
* <li>original url => {@link #getOriginalRequestUrlParameterName()}</li>
|
* <li>original url => {@link #getOriginalRequestUrlParameterName()}</li>
|
||||||
* <li>If {@link #isIncludeOriginalParameters()}</li>
|
* <li>If {@link #isIncludeOriginalParameters()}</li>
|
||||||
@ -63,17 +67,20 @@ import javax.servlet.http.HttpServletResponse;
|
|||||||
* </li>
|
* </li>
|
||||||
* </ul>
|
* </ul>
|
||||||
* <br><br>
|
* <br><br>
|
||||||
* Default values :<br>
|
* Default values :
|
||||||
* forceHttps = false<br>
|
* <pre>
|
||||||
* includesOriginalRequest = true<br>
|
* forceHttps = false
|
||||||
* includesOriginalParameters = false<br>
|
* includesOriginalRequest = true
|
||||||
* isOutsideWebApp=false<br>
|
* includesOriginalParameters = false
|
||||||
* originalRequestUrlParameterName =original_requestUrl <br>
|
* isOutsideWebApp = false
|
||||||
* originalRequestParametersParameterName = original_request_parameters<br>
|
* originalRequestUrlParameterName = original_requestUrl
|
||||||
* originalRequestParametersNameValueSeparator = __ <br>
|
* originalRequestParametersParameterName = original_request_parameters
|
||||||
* originalRequestParametersSeparator = ;; <br>
|
* originalRequestParametersNameValueSeparator = __
|
||||||
* originalRequestMethodParameterName = original_request_method <br>
|
* originalRequestParametersSeparator = ;;
|
||||||
* urlEncodingCharset = UTF-8<br>
|
* originalRequestMethodParameterName = original_request_method
|
||||||
|
* urlEncodingCharset = UTF-8
|
||||||
|
* </pre>
|
||||||
|
* </p>
|
||||||
*
|
*
|
||||||
* @author marc antoine Garrigue
|
* @author marc antoine Garrigue
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
@ -81,8 +88,6 @@ import javax.servlet.http.HttpServletResponse;
|
|||||||
public class CaptchaEntryPoint implements ChannelEntryPoint, InitializingBean {
|
public class CaptchaEntryPoint implements ChannelEntryPoint, InitializingBean {
|
||||||
//~ Static fields/initializers =====================================================================================
|
//~ Static fields/initializers =====================================================================================
|
||||||
|
|
||||||
// ~ Static fields/initializers
|
|
||||||
// =============================================
|
|
||||||
private static final Log logger = LogFactory.getLog(CaptchaEntryPoint.class);
|
private static final Log logger = LogFactory.getLog(CaptchaEntryPoint.class);
|
||||||
|
|
||||||
//~ Instance fields ================================================================================================
|
//~ Instance fields ================================================================================================
|
||||||
|
@ -44,14 +44,10 @@ import javax.servlet.http.HttpSession;
|
|||||||
public class CaptchaValidationProcessingFilter implements InitializingBean, Filter {
|
public class CaptchaValidationProcessingFilter implements InitializingBean, Filter {
|
||||||
//~ Static fields/initializers =====================================================================================
|
//~ Static fields/initializers =====================================================================================
|
||||||
|
|
||||||
// ~ Static fields/initializers
|
|
||||||
// =============================================
|
|
||||||
protected static final Log logger = LogFactory.getLog(CaptchaValidationProcessingFilter.class);
|
protected static final Log logger = LogFactory.getLog(CaptchaValidationProcessingFilter.class);
|
||||||
|
|
||||||
//~ Instance fields ================================================================================================
|
//~ Instance fields ================================================================================================
|
||||||
|
|
||||||
// ~ Instance fields
|
|
||||||
// ========================================================
|
|
||||||
private CaptchaServiceProxy captchaService;
|
private CaptchaServiceProxy captchaService;
|
||||||
private String captchaValidationParameter = "_captcha_parameter";
|
private String captchaValidationParameter = "_captcha_parameter";
|
||||||
|
|
||||||
@ -74,9 +70,9 @@ public class CaptchaValidationProcessingFilter implements InitializingBean, Filt
|
|||||||
|
|
||||||
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
|
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
|
||||||
throws IOException, ServletException {
|
throws IOException, ServletException {
|
||||||
String captcha_reponse = request.getParameter(captchaValidationParameter);
|
String captchaResponse = request.getParameter(captchaValidationParameter);
|
||||||
|
|
||||||
if ((request != null) && request instanceof HttpServletRequest && (captcha_reponse != null)) {
|
if ((request != null) && request instanceof HttpServletRequest && (captchaResponse != null)) {
|
||||||
logger.debug("captcha validation parameter found");
|
logger.debug("captcha validation parameter found");
|
||||||
|
|
||||||
// validate the request against CaptchaServiceProxy
|
// validate the request against CaptchaServiceProxy
|
||||||
@ -89,7 +85,7 @@ public class CaptchaValidationProcessingFilter implements InitializingBean, Filt
|
|||||||
|
|
||||||
if (session != null) {
|
if (session != null) {
|
||||||
String id = session.getId();
|
String id = session.getId();
|
||||||
valid = this.captchaService.validateReponseForId(id, captcha_reponse);
|
valid = this.captchaService.validateReponseForId(id, captchaResponse);
|
||||||
logger.debug("captchaServiceProxy says : request is valid = " + valid);
|
logger.debug("captchaServiceProxy says : request is valid = " + valid);
|
||||||
|
|
||||||
if (valid) {
|
if (valid) {
|
||||||
@ -114,8 +110,6 @@ public class CaptchaValidationProcessingFilter implements InitializingBean, Filt
|
|||||||
chain.doFilter(request, response);
|
chain.doFilter(request, response);
|
||||||
}
|
}
|
||||||
|
|
||||||
// ~ Methods
|
|
||||||
// ================================================================
|
|
||||||
public CaptchaServiceProxy getCaptchaService() {
|
public CaptchaServiceProxy getCaptchaService() {
|
||||||
return captchaService;
|
return captchaService;
|
||||||
}
|
}
|
||||||
|
@ -41,7 +41,7 @@ public interface ConcurrentSessionController {
|
|||||||
*
|
*
|
||||||
* @throws AuthenticationException if the user has exceeded their maximum allowed current sessions
|
* @throws AuthenticationException if the user has exceeded their maximum allowed current sessions
|
||||||
*/
|
*/
|
||||||
public void checkAuthenticationAllowed(Authentication request)
|
void checkAuthenticationAllowed(Authentication request)
|
||||||
throws AuthenticationException;
|
throws AuthenticationException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -51,5 +51,5 @@ public interface ConcurrentSessionController {
|
|||||||
*
|
*
|
||||||
* @param authentication the successfully authenticated user (never <code>null</code>)
|
* @param authentication the successfully authenticated user (never <code>null</code>)
|
||||||
*/
|
*/
|
||||||
public void registerSuccessfulAuthentication(Authentication authentication);
|
void registerSuccessfulAuthentication(Authentication authentication);
|
||||||
}
|
}
|
||||||
|
@ -67,14 +67,16 @@ public class ConcurrentSessionControllerImpl implements ConcurrentSessionControl
|
|||||||
SessionRegistry registry) {
|
SessionRegistry registry) {
|
||||||
if (exceptionIfMaximumExceeded || (sessions == null)) {
|
if (exceptionIfMaximumExceeded || (sessions == null)) {
|
||||||
throw new ConcurrentLoginException(messages.getMessage("ConcurrentSessionControllerImpl.exceededAllowed",
|
throw new ConcurrentLoginException(messages.getMessage("ConcurrentSessionControllerImpl.exceededAllowed",
|
||||||
new Object[] {new Integer(allowableSessions)}, "Maximum sessions of {0} for this principal exceeded"));
|
new Object[] {new Integer(allowableSessions)},
|
||||||
|
"Maximum sessions of {0} for this principal exceeded"));
|
||||||
}
|
}
|
||||||
|
|
||||||
// Determine least recently used session, and mark it for invalidation
|
// Determine least recently used session, and mark it for invalidation
|
||||||
SessionInformation leastRecentlyUsed = null;
|
SessionInformation leastRecentlyUsed = null;
|
||||||
|
|
||||||
for (int i = 0; i < sessions.length; i++) {
|
for (int i = 0; i < sessions.length; i++) {
|
||||||
if ((leastRecentlyUsed == null) || sessions[i].getLastRequest().before(leastRecentlyUsed.getLastRequest())) {
|
if ((leastRecentlyUsed == null)
|
||||||
|
|| sessions[i].getLastRequest().before(leastRecentlyUsed.getLastRequest())) {
|
||||||
leastRecentlyUsed = sessions[i];
|
leastRecentlyUsed = sessions[i];
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -98,8 +100,8 @@ public class ConcurrentSessionControllerImpl implements ConcurrentSessionControl
|
|||||||
}
|
}
|
||||||
|
|
||||||
int allowableSessions = getMaximumSessionsForThisUser(request);
|
int allowableSessions = getMaximumSessionsForThisUser(request);
|
||||||
Assert.isTrue(allowableSessions != 0,
|
Assert.isTrue(allowableSessions != 0, "getMaximumSessionsForThisUser() must return either -1 to allow "
|
||||||
"getMaximumSessionsForThisUser() must return either -1 to allow unlimited logins, or a positive integer to specify a maximum");
|
+ "unlimited logins, or a positive integer to specify a maximum");
|
||||||
|
|
||||||
if (sessionCount < allowableSessions) {
|
if (sessionCount < allowableSessions) {
|
||||||
// They haven't got too many login sessions running at present
|
// They haven't got too many login sessions running at present
|
||||||
|
@ -18,7 +18,7 @@ package org.acegisecurity.concurrent;
|
|||||||
/**
|
/**
|
||||||
* Implemented by {@link org.acegisecurity.Authentication#getDetails()}
|
* Implemented by {@link org.acegisecurity.Authentication#getDetails()}
|
||||||
* implementations that are capable of returning a session ID.
|
* implementations that are capable of returning a session ID.
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* This interface is used by {@link
|
* This interface is used by {@link
|
||||||
* org.acegisecurity.concurrent.SessionRegistryUtils} to extract the session
|
* org.acegisecurity.concurrent.SessionRegistryUtils} to extract the session
|
||||||
@ -40,5 +40,5 @@ public interface SessionIdentifierAware {
|
|||||||
*
|
*
|
||||||
* @return the session ID, or <code>null</code> if not known.
|
* @return the session ID, or <code>null</code> if not known.
|
||||||
*/
|
*/
|
||||||
public String getSessionId();
|
String getSessionId();
|
||||||
}
|
}
|
||||||
|
@ -29,7 +29,7 @@ public interface SessionRegistry {
|
|||||||
*
|
*
|
||||||
* @return each of the unique principals, which can then be presented to {@link #getAllSessions(Object, boolean)}.
|
* @return each of the unique principals, which can then be presented to {@link #getAllSessions(Object, boolean)}.
|
||||||
*/
|
*/
|
||||||
public Object[] getAllPrincipals();
|
Object[] getAllPrincipals();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Obtains all the known sessions for the specified principal. Sessions that have been destroyed are not
|
* Obtains all the known sessions for the specified principal. Sessions that have been destroyed are not
|
||||||
@ -41,7 +41,7 @@ public interface SessionRegistry {
|
|||||||
*
|
*
|
||||||
* @return the matching sessions for this principal, or <code>null</code> if none were found
|
* @return the matching sessions for this principal, or <code>null</code> if none were found
|
||||||
*/
|
*/
|
||||||
public SessionInformation[] getAllSessions(Object principal, boolean includeExpiredSessions);
|
SessionInformation[] getAllSessions(Object principal, boolean includeExpiredSessions);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Obtains the session information for the specified <code>sessionId</code>. Even expired sessions are
|
* Obtains the session information for the specified <code>sessionId</code>. Even expired sessions are
|
||||||
@ -51,7 +51,7 @@ public interface SessionRegistry {
|
|||||||
*
|
*
|
||||||
* @return the session information, or <code>null</code> if not found
|
* @return the session information, or <code>null</code> if not found
|
||||||
*/
|
*/
|
||||||
public SessionInformation getSessionInformation(String sessionId);
|
SessionInformation getSessionInformation(String sessionId);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Updates the given <code>sessionId</code> so its last request time is equal to the present date and time.
|
* Updates the given <code>sessionId</code> so its last request time is equal to the present date and time.
|
||||||
@ -59,7 +59,7 @@ public interface SessionRegistry {
|
|||||||
*
|
*
|
||||||
* @param sessionId for which to update the date and time of the last request (should never be <code>null</code>)
|
* @param sessionId for which to update the date and time of the last request (should never be <code>null</code>)
|
||||||
*/
|
*/
|
||||||
public void refreshLastRequest(String sessionId);
|
void refreshLastRequest(String sessionId);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Registers a new session for the specified principal. The newly registered session will not be marked for
|
* Registers a new session for the specified principal. The newly registered session will not be marked for
|
||||||
@ -70,7 +70,7 @@ public interface SessionRegistry {
|
|||||||
*
|
*
|
||||||
* @throws SessionAlreadyUsedException DOCUMENT ME!
|
* @throws SessionAlreadyUsedException DOCUMENT ME!
|
||||||
*/
|
*/
|
||||||
public void registerNewSession(String sessionId, Object principal)
|
void registerNewSession(String sessionId, Object principal)
|
||||||
throws SessionAlreadyUsedException;
|
throws SessionAlreadyUsedException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -79,5 +79,5 @@ public interface SessionRegistry {
|
|||||||
*
|
*
|
||||||
* @param sessionId to delete information for (should never be <code>null</code>)
|
* @param sessionId to delete information for (should never be <code>null</code>)
|
||||||
*/
|
*/
|
||||||
public void removeSessionInformation(String sessionId);
|
void removeSessionInformation(String sessionId);
|
||||||
}
|
}
|
||||||
|
@ -28,7 +28,12 @@ import org.springframework.util.Assert;
|
|||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
public class SessionRegistryUtils {
|
public final class SessionRegistryUtils {
|
||||||
|
//~ Constructors ===================================================================================================
|
||||||
|
|
||||||
|
private SessionRegistryUtils() {
|
||||||
|
}
|
||||||
|
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
public static Object obtainPrincipalFromAuthentication(Authentication auth) {
|
public static Object obtainPrincipalFromAuthentication(Authentication auth) {
|
||||||
|
@ -35,16 +35,22 @@ import org.springframework.util.ReflectionUtils;
|
|||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* <p>Populates the {@link SecurityContextHolder} with information obtained from the <code>HttpSession</code>.</p>
|
* Populates the {@link SecurityContextHolder} with information obtained from the <code>HttpSession</code>.
|
||||||
* <p>The <code>HttpSession</code> will be queried to retrieve the <code>SecurityContext</code> that should be
|
*
|
||||||
|
* <p>
|
||||||
|
* The <code>HttpSession</code> will be queried to retrieve the <code>SecurityContext</code> that should be
|
||||||
* stored against the <code>SecurityContextHolder</code> for the duration of the web request. At the end of the web
|
* stored against the <code>SecurityContextHolder</code> for the duration of the web request. At the end of the web
|
||||||
* request, any updates made to the <code>SecurityContextHolder</code> will be persisted back to the
|
* request, any updates made to the <code>SecurityContextHolder</code> will be persisted back to the
|
||||||
* <code>HttpSession</code> by this filter.</p>
|
* <code>HttpSession</code> by this filter.
|
||||||
* <p>If a valid <code>SecurityContext</code> cannot be obtained from the <code>HttpSession</code> for whatever
|
* </p>
|
||||||
|
* <p>
|
||||||
|
* If a valid <code>SecurityContext</code> cannot be obtained from the <code>HttpSession</code> for whatever
|
||||||
* reason, a fresh <code>SecurityContext</code> will be created and used instead. The created object will be of the
|
* reason, a fresh <code>SecurityContext</code> will be created and used instead. The created object will be of the
|
||||||
* instance defined by the {@link #setContext(Class)} method (which defaults to {@link
|
* instance defined by the {@link #setContext(Class)} method (which defaults to {@link
|
||||||
* org.acegisecurity.context.SecurityContextImpl}.</p>
|
* org.acegisecurity.context.SecurityContextImpl}.
|
||||||
* <p>No <code>HttpSession</code> will be created by this filter if one does not already exist. If at the end of
|
* </p>
|
||||||
|
* <p>
|
||||||
|
* No <code>HttpSession</code> will be created by this filter if one does not already exist. If at the end of
|
||||||
* the web request the <code>HttpSession</code> does not exist, a <code>HttpSession</code> will <b>only</b> be created
|
* the web request the <code>HttpSession</code> does not exist, a <code>HttpSession</code> will <b>only</b> be created
|
||||||
* if the current contents of the <code>SecurityContextHolder</code> are not {@link
|
* if the current contents of the <code>SecurityContextHolder</code> are not {@link
|
||||||
* java.lang.Object#equals(java.lang.Object)} to a <code>new</code> instance of {@link #setContext(Class)}. This
|
* java.lang.Object#equals(java.lang.Object)} to a <code>new</code> instance of {@link #setContext(Class)}. This
|
||||||
@ -52,19 +58,25 @@ import org.springframework.util.ReflectionUtils;
|
|||||||
* <code>SecurityContextHolder</code>. There is one exception to this rule, that is if the {@link
|
* <code>SecurityContextHolder</code>. There is one exception to this rule, that is if the {@link
|
||||||
* #forceEagerSessionCreation} property is <code>true</code>, in which case sessions will always be created
|
* #forceEagerSessionCreation} property is <code>true</code>, in which case sessions will always be created
|
||||||
* irrespective of normal session-minimisation logic (the default is <code>false</code>, as this is resource intensive
|
* irrespective of normal session-minimisation logic (the default is <code>false</code>, as this is resource intensive
|
||||||
* and not recommended).</p>
|
* and not recommended).
|
||||||
* <p>This filter will only execute once per request, to resolve servlet container (specifically Weblogic)
|
* </p>
|
||||||
|
* <p>
|
||||||
|
* This filter will only execute once per request, to resolve servlet container (specifically Weblogic)
|
||||||
* incompatibilities.</p>
|
* incompatibilities.</p>
|
||||||
* <p>If for whatever reason no <code>HttpSession</code> should <b>ever</b> be created (eg this filter is only
|
* <p>
|
||||||
|
* If for whatever reason no <code>HttpSession</code> should <b>ever</b> be created (eg this filter is only
|
||||||
* being used with Basic authentication or similar clients that will never present the same <code>jsessionid</code>
|
* being used with Basic authentication or similar clients that will never present the same <code>jsessionid</code>
|
||||||
* etc), the {@link #setAllowSessionCreation(boolean)} should be set to <code>false</code>. Only do this if you really
|
* etc), the {@link #setAllowSessionCreation(boolean)} should be set to <code>false</code>. Only do this if you really
|
||||||
* need to conserve server memory and ensure all classes using the <code>SecurityContextHolder</code> are designed to
|
* need to conserve server memory and ensure all classes using the <code>SecurityContextHolder</code> are designed to
|
||||||
* have no persistence of the <code>SecurityContext</code> between web requests. Please note that if {@link
|
* have no persistence of the <code>SecurityContext</code> between web requests. Please note that if {@link
|
||||||
* #forceEagerSessionCreation} is <code>true</code>, the <code>allowSessionCreation</code> must also be
|
* #forceEagerSessionCreation} is <code>true</code>, the <code>allowSessionCreation</code> must also be
|
||||||
* <code>true</code> (setting it to <code>false</code> will cause a startup time error).</p>
|
* <code>true</code> (setting it to <code>false</code> will cause a startup time error).
|
||||||
* <p>This filter MUST be executed BEFORE any authentication processing mechanisms. Authentication processing
|
* </p>
|
||||||
|
* <p>
|
||||||
|
* This filter MUST be executed BEFORE any authentication processing mechanisms. Authentication processing
|
||||||
* mechanisms (eg BASIC, CAS processing filters etc) expect the <code>SecurityContextHolder</code> to contain a valid
|
* mechanisms (eg BASIC, CAS processing filters etc) expect the <code>SecurityContextHolder</code> to contain a valid
|
||||||
* <code>SecurityContext</code> by the time they execute.</p>
|
* <code>SecurityContext</code> by the time they execute.
|
||||||
|
* </p>
|
||||||
*
|
*
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @author Patrick Burleson
|
* @author Patrick Burleson
|
||||||
@ -101,28 +113,28 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
|
|||||||
* are conscious of the session creation overhead.
|
* are conscious of the session creation overhead.
|
||||||
*/
|
*/
|
||||||
private boolean forceEagerSessionCreation = false;
|
private boolean forceEagerSessionCreation = false;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Indicates whether the <code>SecurityContext</code> will be cloned from the <code>HttpSession</code>. The
|
* Indicates whether the <code>SecurityContext</code> will be cloned from the <code>HttpSession</code>. The
|
||||||
* default is to simply reference (ie the default is <code>false</code>). The default may cause issues if
|
* default is to simply reference (ie the default is <code>false</code>). The default may cause issues if
|
||||||
* concurrent threads need to have a different security identity from other threads being concurrently processed
|
* concurrent threads need to have a different security identity from other threads being concurrently processed
|
||||||
* that share the same <code>HttpSession</code>. In most normal environments this does not represent an issue,
|
* that share the same <code>HttpSession</code>. In most normal environments this does not represent an issue,
|
||||||
* as changes to the security identity in one thread is allowed to affect the security identitiy in other
|
* as changes to the security identity in one thread is allowed to affect the security identitiy in other
|
||||||
* threads associated with the same <code>HttpSession</code>. For unusual cases where this is not permitted,
|
* threads associated with the same <code>HttpSession</code>. For unusual cases where this is not permitted,
|
||||||
* change this value to <code>true</code> and ensure the {@link #context} is set to a <code>SecurityContext</code>
|
* change this value to <code>true</code> and ensure the {@link #context} is set to a <code>SecurityContext</code>
|
||||||
* that implements {@link Cloneable} and overrides the <code>clone()</code> method.
|
* that implements {@link Cloneable} and overrides the <code>clone()</code> method.
|
||||||
*/
|
*/
|
||||||
private boolean cloneFromHttpSession = false;
|
private boolean cloneFromHttpSession = false;
|
||||||
|
|
||||||
public boolean isCloneFromHttpSession() {
|
public boolean isCloneFromHttpSession() {
|
||||||
return cloneFromHttpSession;
|
return cloneFromHttpSession;
|
||||||
}
|
}
|
||||||
|
|
||||||
public void setCloneFromHttpSession(boolean cloneFromHttpSession) {
|
public void setCloneFromHttpSession(boolean cloneFromHttpSession) {
|
||||||
this.cloneFromHttpSession = cloneFromHttpSession;
|
this.cloneFromHttpSession = cloneFromHttpSession;
|
||||||
}
|
}
|
||||||
|
|
||||||
public HttpSessionContextIntegrationFilter() throws ServletException {
|
public HttpSessionContextIntegrationFilter() throws ServletException {
|
||||||
this.contextObject = generateNewContext();
|
this.contextObject = generateNewContext();
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -131,7 +143,8 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
|
|||||||
public void afterPropertiesSet() throws Exception {
|
public void afterPropertiesSet() throws Exception {
|
||||||
if ((this.context == null) || (!SecurityContext.class.isAssignableFrom(this.context))) {
|
if ((this.context == null) || (!SecurityContext.class.isAssignableFrom(this.context))) {
|
||||||
throw new IllegalArgumentException(
|
throw new IllegalArgumentException(
|
||||||
"context must be defined and implement SecurityContext (typically use org.acegisecurity.context.SecurityContextImpl; existing class is "
|
"context must be defined and implement SecurityContext "
|
||||||
|
+ "(typically use org.acegisecurity.context.SecurityContextImpl; existing class is "
|
||||||
+ this.context + ")");
|
+ this.context + ")");
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -167,27 +180,27 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
|
|||||||
httpSessionExistedAtStartOfRequest = true;
|
httpSessionExistedAtStartOfRequest = true;
|
||||||
|
|
||||||
Object contextFromSessionObject = httpSession.getAttribute(ACEGI_SECURITY_CONTEXT_KEY);
|
Object contextFromSessionObject = httpSession.getAttribute(ACEGI_SECURITY_CONTEXT_KEY);
|
||||||
|
|
||||||
// Clone if required (see SEC-356)
|
// Clone if required (see SEC-356)
|
||||||
if (cloneFromHttpSession) {
|
if (cloneFromHttpSession) {
|
||||||
Assert.isInstanceOf(Cloneable.class, contextFromSessionObject, "Context must implement Clonable and provide a Object.clone() method");
|
Assert.isInstanceOf(Cloneable.class, contextFromSessionObject,
|
||||||
try {
|
"Context must implement Clonable and provide a Object.clone() method");
|
||||||
Method m = contextFromSessionObject.getClass().getMethod("clone", new Class[] {});
|
try {
|
||||||
if (!m.isAccessible()) {
|
Method m = contextFromSessionObject.getClass().getMethod("clone", new Class[] {});
|
||||||
m.setAccessible(true);
|
if (!m.isAccessible()) {
|
||||||
}
|
m.setAccessible(true);
|
||||||
contextFromSessionObject = m.invoke(contextFromSessionObject, new Object[] {});
|
}
|
||||||
} catch (Exception ex) {
|
contextFromSessionObject = m.invoke(contextFromSessionObject, new Object[] {});
|
||||||
ReflectionUtils.handleReflectionException(ex);
|
} catch (Exception ex) {
|
||||||
}
|
ReflectionUtils.handleReflectionException(ex);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (contextFromSessionObject != null) {
|
if (contextFromSessionObject != null) {
|
||||||
if (contextFromSessionObject instanceof SecurityContext) {
|
if (contextFromSessionObject instanceof SecurityContext) {
|
||||||
if (logger.isDebugEnabled()) {
|
if (logger.isDebugEnabled()) {
|
||||||
logger.debug(
|
logger.debug("Obtained from ACEGI_SECURITY_CONTEXT a valid SecurityContext and "
|
||||||
"Obtained from ACEGI_SECURITY_CONTEXT a valid SecurityContext and set to SecurityContextHolder: '"
|
+ "set to SecurityContextHolder: '" + contextFromSessionObject + "'");
|
||||||
+ contextFromSessionObject + "'");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
SecurityContextHolder.setContext((SecurityContext) contextFromSessionObject);
|
SecurityContextHolder.setContext((SecurityContext) contextFromSessionObject);
|
||||||
@ -195,23 +208,26 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
|
|||||||
if (logger.isWarnEnabled()) {
|
if (logger.isWarnEnabled()) {
|
||||||
logger.warn("ACEGI_SECURITY_CONTEXT did not contain a SecurityContext but contained: '"
|
logger.warn("ACEGI_SECURITY_CONTEXT did not contain a SecurityContext but contained: '"
|
||||||
+ contextFromSessionObject
|
+ contextFromSessionObject
|
||||||
+ "'; are you improperly modifying the HttpSession directly (you should always use SecurityContextHolder) or using the HttpSession attribute reserved for this class? - new SecurityContext instance associated with SecurityContextHolder");
|
+ "'; are you improperly modifying the HttpSession directly "
|
||||||
|
+ "(you should always use SecurityContextHolder) or using the HttpSession attribute "
|
||||||
|
+ "reserved for this class? - new SecurityContext instance associated with "
|
||||||
|
+ "SecurityContextHolder");
|
||||||
}
|
}
|
||||||
|
|
||||||
SecurityContextHolder.setContext(generateNewContext());
|
SecurityContextHolder.setContext(generateNewContext());
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if (logger.isDebugEnabled()) {
|
if (logger.isDebugEnabled()) {
|
||||||
logger.debug(
|
logger.debug("HttpSession returned null object for ACEGI_SECURITY_CONTEXT - new "
|
||||||
"HttpSession returned null object for ACEGI_SECURITY_CONTEXT - new SecurityContext instance associated with SecurityContextHolder");
|
+ "SecurityContext instance associated with SecurityContextHolder");
|
||||||
}
|
}
|
||||||
|
|
||||||
SecurityContextHolder.setContext(generateNewContext());
|
SecurityContextHolder.setContext(generateNewContext());
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if (logger.isDebugEnabled()) {
|
if (logger.isDebugEnabled()) {
|
||||||
logger.debug(
|
logger.debug("No HttpSession currently exists - new SecurityContext instance "
|
||||||
"No HttpSession currently exists - new SecurityContext instance associated with SecurityContextHolder");
|
+ "associated with SecurityContextHolder");
|
||||||
}
|
}
|
||||||
|
|
||||||
SecurityContextHolder.setContext(generateNewContext());
|
SecurityContextHolder.setContext(generateNewContext());
|
||||||
@ -240,8 +256,8 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
|
|||||||
|
|
||||||
if ((httpSession == null) && httpSessionExistedAtStartOfRequest) {
|
if ((httpSession == null) && httpSessionExistedAtStartOfRequest) {
|
||||||
if (logger.isDebugEnabled()) {
|
if (logger.isDebugEnabled()) {
|
||||||
logger.debug(
|
logger.debug("HttpSession is now null, but was not null at start of request; "
|
||||||
"HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session");
|
+ "session was invalidated, so do not create a new session");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -249,8 +265,10 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
|
|||||||
if ((httpSession == null) && !httpSessionExistedAtStartOfRequest) {
|
if ((httpSession == null) && !httpSessionExistedAtStartOfRequest) {
|
||||||
if (!allowSessionCreation) {
|
if (!allowSessionCreation) {
|
||||||
if (logger.isDebugEnabled()) {
|
if (logger.isDebugEnabled()) {
|
||||||
logger.debug(
|
logger.debug("The HttpSession is currently null, and the "
|
||||||
"The HttpSession is currently null, and the HttpSessionContextIntegrationFilter is prohibited from creating a HttpSession (because the allowSessionCreation property is false) - SecurityContext thus not stored for next request");
|
+ "HttpSessionContextIntegrationFilter is prohibited from creating an HttpSession "
|
||||||
|
+ "(because the allowSessionCreation property is false) - SecurityContext thus not "
|
||||||
|
+ "stored for next request");
|
||||||
}
|
}
|
||||||
} else if (!contextObject.equals(SecurityContextHolder.getContext())) {
|
} else if (!contextObject.equals(SecurityContextHolder.getContext())) {
|
||||||
if (logger.isDebugEnabled()) {
|
if (logger.isDebugEnabled()) {
|
||||||
@ -263,17 +281,15 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
|
|||||||
} else {
|
} else {
|
||||||
if (logger.isDebugEnabled()) {
|
if (logger.isDebugEnabled()) {
|
||||||
logger.debug(
|
logger.debug(
|
||||||
"HttpSession is null, but SecurityContextHolder has not changed from default: ' "
|
"HttpSession is null, but SecurityContextHolder has not changed from default: ' "
|
||||||
+ SecurityContextHolder.getContext()
|
+ SecurityContextHolder.getContext()
|
||||||
+ "'; not creating HttpSession or storing SecurityContextHolder contents");
|
+ "'; not creating HttpSession or storing SecurityContextHolder contents");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// If HttpSession exists, store current SecurityContextHolder
|
// If HttpSession exists, store current SecurityContextHolder contents but only if SecurityContext has
|
||||||
// contents
|
// actually changed (see JIRA SEC-37)
|
||||||
// but only if SecurityContext has actually changed (see JIRA
|
|
||||||
// SEC-37)
|
|
||||||
if ((httpSession != null)
|
if ((httpSession != null)
|
||||||
&& (SecurityContextHolder.getContext().hashCode() != contextWhenChainProceeded)) {
|
&& (SecurityContextHolder.getContext().hashCode() != contextWhenChainProceeded)) {
|
||||||
httpSession.setAttribute(ACEGI_SECURITY_CONTEXT_KEY, SecurityContextHolder.getContext());
|
httpSession.setAttribute(ACEGI_SECURITY_CONTEXT_KEY, SecurityContextHolder.getContext());
|
||||||
|
@ -23,7 +23,7 @@ import java.io.Serializable;
|
|||||||
/**
|
/**
|
||||||
* Interface defining the minimum security information associated with the
|
* Interface defining the minimum security information associated with the
|
||||||
* current thread of execution.
|
* current thread of execution.
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* The security context is stored in a {@link SecurityContextHolder}.
|
* The security context is stored in a {@link SecurityContextHolder}.
|
||||||
* </p>
|
* </p>
|
||||||
@ -39,7 +39,7 @@ public interface SecurityContext extends Serializable {
|
|||||||
*
|
*
|
||||||
* @return the <code>Authentication</code> or <code>null</code> if no authentication information is available
|
* @return the <code>Authentication</code> or <code>null</code> if no authentication information is available
|
||||||
*/
|
*/
|
||||||
public Authentication getAuthentication();
|
Authentication getAuthentication();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Changes the currently authenticated principal, or removes the authentication information.
|
* Changes the currently authenticated principal, or removes the authentication information.
|
||||||
@ -47,5 +47,5 @@ public interface SecurityContext extends Serializable {
|
|||||||
* @param authentication the new <code>Authentication</code> token, or <code>null</code> if no further
|
* @param authentication the new <code>Authentication</code> token, or <code>null</code> if no further
|
||||||
* authentication information should be stored
|
* authentication information should be stored
|
||||||
*/
|
*/
|
||||||
public void setAuthentication(Authentication authentication);
|
void setAuthentication(Authentication authentication);
|
||||||
}
|
}
|
||||||
|
@ -17,7 +17,7 @@ package org.acegisecurity.context;
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* A strategy for storing security context information against a thread.
|
* A strategy for storing security context information against a thread.
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* The preferred strategy is loaded by {@link
|
* The preferred strategy is loaded by {@link
|
||||||
* org.acegisecurity.context.SecurityContextHolder}.
|
* org.acegisecurity.context.SecurityContextHolder}.
|
||||||
@ -32,14 +32,14 @@ public interface SecurityContextHolderStrategy {
|
|||||||
/**
|
/**
|
||||||
* Clears the current context.
|
* Clears the current context.
|
||||||
*/
|
*/
|
||||||
public void clearContext();
|
void clearContext();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Obtains the current context.
|
* Obtains the current context.
|
||||||
*
|
*
|
||||||
* @return a context (never <code>null</code> - create a default implementation if necessary)
|
* @return a context (never <code>null</code> - create a default implementation if necessary)
|
||||||
*/
|
*/
|
||||||
public SecurityContext getContext();
|
SecurityContext getContext();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Sets the current context.
|
* Sets the current context.
|
||||||
@ -47,5 +47,5 @@ public interface SecurityContextHolderStrategy {
|
|||||||
* @param context to the new argument (should never be <code>null</code>, although implementations must check if
|
* @param context to the new argument (should never be <code>null</code>, although implementations must check if
|
||||||
* <code>null</code> has been passed and throw an <code>IllegalArgumentException</code> in such cases)
|
* <code>null</code> has been passed and throw an <code>IllegalArgumentException</code> in such cases)
|
||||||
*/
|
*/
|
||||||
public void setContext(SecurityContext context);
|
void setContext(SecurityContext context);
|
||||||
}
|
}
|
||||||
|
@ -85,9 +85,8 @@ public class AuthenticationSimpleHttpInvokerRequestExecutor extends SimpleHttpIn
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if (logger.isDebugEnabled()) {
|
if (logger.isDebugEnabled()) {
|
||||||
logger.debug(
|
logger.debug("Unable to set BASIC authentication header as SecurityContext did not provide "
|
||||||
"Unable to set BASIC authentication header as SecurityContext did not provide valid Authentication: "
|
+ "valid Authentication: " + auth);
|
||||||
+ auth);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -15,9 +15,7 @@
|
|||||||
|
|
||||||
package org.acegisecurity.event.authorization;
|
package org.acegisecurity.event.authorization;
|
||||||
|
|
||||||
import org.acegisecurity.AccessDecisionManager;
|
|
||||||
import org.acegisecurity.AccessDeniedException;
|
import org.acegisecurity.AccessDeniedException;
|
||||||
import org.acegisecurity.AfterInvocationManager;
|
|
||||||
import org.acegisecurity.Authentication;
|
import org.acegisecurity.Authentication;
|
||||||
import org.acegisecurity.ConfigAttributeDefinition;
|
import org.acegisecurity.ConfigAttributeDefinition;
|
||||||
|
|
||||||
@ -27,7 +25,8 @@ import org.acegisecurity.ConfigAttributeDefinition;
|
|||||||
* be authorized for the request.
|
* be authorized for the request.
|
||||||
*
|
*
|
||||||
* <p>This event might be thrown as a result of either an
|
* <p>This event might be thrown as a result of either an
|
||||||
* {@link AccessDecisionManager} or an {@link AfterInvocationManager}.
|
* {@link org.acegisecurity.AccessDecisionManager AccessDecisionManager} or an
|
||||||
|
* {@link org.acegisecurity.AfterInvocationManager AfterInvocationManager}.
|
||||||
*
|
*
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
@ -41,7 +40,7 @@ public class AuthorizationFailureEvent extends AbstractAuthorizationEvent {
|
|||||||
|
|
||||||
//~ Constructors ===================================================================================================
|
//~ Constructors ===================================================================================================
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Construct the event.
|
* Construct the event.
|
||||||
*
|
*
|
||||||
* @param secureObject the secure object
|
* @param secureObject the secure object
|
||||||
|
@ -23,8 +23,11 @@ import org.springframework.context.ApplicationListener;
|
|||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Outputs interceptor-related application events to Commons Logging.<P>All failures are logged at the warning
|
* Outputs interceptor-related application events to Commons Logging.
|
||||||
* level, with success events logged at the information level, and public invocation events logged at the debug level.</p>
|
* <p>
|
||||||
|
* All failures are logged at the warning level, with success events logged at the information level,
|
||||||
|
* and public invocation events logged at the debug level.
|
||||||
|
* </p>
|
||||||
*
|
*
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
@ -52,8 +55,9 @@ public class LoggerListener implements ApplicationListener {
|
|||||||
|
|
||||||
if (logger.isWarnEnabled()) {
|
if (logger.isWarnEnabled()) {
|
||||||
logger.warn("Security authorization failed due to: " + authEvent.getAccessDeniedException()
|
logger.warn("Security authorization failed due to: " + authEvent.getAccessDeniedException()
|
||||||
+ "; authenticated principal: " + authEvent.getAuthentication() + "; secure object: "
|
+ "; authenticated principal: " + authEvent.getAuthentication()
|
||||||
+ authEvent.getSource() + "; configuration attributes: " + authEvent.getConfigAttributeDefinition());
|
+ "; secure object: " + authEvent.getSource()
|
||||||
|
+ "; configuration attributes: " + authEvent.getConfigAttributeDefinition());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -154,7 +154,7 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A
|
|||||||
token.getAttr(), returnedObject);
|
token.getAttr(), returnedObject);
|
||||||
} catch (AccessDeniedException accessDeniedException) {
|
} catch (AccessDeniedException accessDeniedException) {
|
||||||
AuthorizationFailureEvent event = new AuthorizationFailureEvent(token.getSecureObject(),
|
AuthorizationFailureEvent event = new AuthorizationFailureEvent(token.getSecureObject(),
|
||||||
token.getAttr(), token.getAuthentication(), accessDeniedException);
|
token.getAttr(), token.getAuthentication(), accessDeniedException);
|
||||||
publishEvent(event);
|
publishEvent(event);
|
||||||
|
|
||||||
throw accessDeniedException;
|
throw accessDeniedException;
|
||||||
@ -196,7 +196,8 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A
|
|||||||
if (iter == null) {
|
if (iter == null) {
|
||||||
if (logger.isWarnEnabled()) {
|
if (logger.isWarnEnabled()) {
|
||||||
logger.warn(
|
logger.warn(
|
||||||
"Could not validate configuration attributes as the MethodDefinitionSource did not return a ConfigAttributeDefinition Iterator");
|
"Could not validate configuration attributes as the MethodDefinitionSource did not return a "
|
||||||
|
+ "ConfigAttributeDefinition Iterator");
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
Set set = new HashSet();
|
Set set = new HashSet();
|
||||||
@ -239,8 +240,9 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A
|
|||||||
ConfigAttributeDefinition attr = this.obtainObjectDefinitionSource().getAttributes(object);
|
ConfigAttributeDefinition attr = this.obtainObjectDefinitionSource().getAttributes(object);
|
||||||
|
|
||||||
if ((attr == null) && rejectPublicInvocations) {
|
if ((attr == null) && rejectPublicInvocations) {
|
||||||
throw new IllegalArgumentException(
|
throw new IllegalArgumentException("No public invocations are allowed via this AbstractSecurityInterceptor. "
|
||||||
"No public invocations are allowed via this AbstractSecurityInterceptor. This indicates a configuration error because the AbstractSecurityInterceptor.rejectPublicInvocations property is set to 'true'");
|
+ "This indicates a configuration error because the "
|
||||||
|
+ "AbstractSecurityInterceptor.rejectPublicInvocations property is set to 'true'");
|
||||||
}
|
}
|
||||||
|
|
||||||
if (attr != null) {
|
if (attr != null) {
|
||||||
@ -306,7 +308,8 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A
|
|||||||
logger.debug("RunAsManager did not change Authentication object");
|
logger.debug("RunAsManager did not change Authentication object");
|
||||||
}
|
}
|
||||||
|
|
||||||
return new InterceptorStatusToken(authenticated, false, attr, object); // no further work post-invocation
|
// no further work post-invocation
|
||||||
|
return new InterceptorStatusToken(authenticated, false, attr, object);
|
||||||
} else {
|
} else {
|
||||||
if (logger.isDebugEnabled()) {
|
if (logger.isDebugEnabled()) {
|
||||||
logger.debug("Switching to RunAs Authentication: " + runAs.toString());
|
logger.debug("Switching to RunAs Authentication: " + runAs.toString());
|
||||||
@ -314,7 +317,8 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A
|
|||||||
|
|
||||||
SecurityContextHolder.getContext().setAuthentication(runAs);
|
SecurityContextHolder.getContext().setAuthentication(runAs);
|
||||||
|
|
||||||
return new InterceptorStatusToken(authenticated, true, attr, object); // revert to token.Authenticated post-invocation
|
// revert to token.Authenticated post-invocation
|
||||||
|
return new InterceptorStatusToken(authenticated, true, attr, object);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if (logger.isDebugEnabled()) {
|
if (logger.isDebugEnabled()) {
|
||||||
@ -406,8 +410,8 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A
|
|||||||
this.alwaysReauthenticate = alwaysReauthenticate;
|
this.alwaysReauthenticate = alwaysReauthenticate;
|
||||||
}
|
}
|
||||||
|
|
||||||
public void setApplicationEventPublisher(ApplicationEventPublisher eventPublisher) {
|
public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
|
||||||
this.eventPublisher = eventPublisher;
|
this.eventPublisher = applicationEventPublisher;
|
||||||
}
|
}
|
||||||
|
|
||||||
public void setAuthenticationManager(AuthenticationManager newManager) {
|
public void setAuthenticationManager(AuthenticationManager newManager) {
|
||||||
|
@ -42,7 +42,7 @@ public interface ObjectDefinitionSource {
|
|||||||
* @throws IllegalArgumentException if the passed object is not of a type supported by the
|
* @throws IllegalArgumentException if the passed object is not of a type supported by the
|
||||||
* <code>ObjectDefinitionSource</code> implementation
|
* <code>ObjectDefinitionSource</code> implementation
|
||||||
*/
|
*/
|
||||||
public ConfigAttributeDefinition getAttributes(Object object)
|
ConfigAttributeDefinition getAttributes(Object object)
|
||||||
throws IllegalArgumentException;
|
throws IllegalArgumentException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -52,7 +52,7 @@ public interface ObjectDefinitionSource {
|
|||||||
*
|
*
|
||||||
* @return an iterator over all the <code>ConfigAttributeDefinition</code>s or <code>null</code> if unsupported
|
* @return an iterator over all the <code>ConfigAttributeDefinition</code>s or <code>null</code> if unsupported
|
||||||
*/
|
*/
|
||||||
public Iterator getConfigAttributeDefinitions();
|
Iterator getConfigAttributeDefinitions();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Indicates whether the <code>ObjectDefinitionSource</code> implementation is able to provide
|
* Indicates whether the <code>ObjectDefinitionSource</code> implementation is able to provide
|
||||||
@ -62,5 +62,5 @@ public interface ObjectDefinitionSource {
|
|||||||
*
|
*
|
||||||
* @return true if the implementation can process the indicated class
|
* @return true if the implementation can process the indicated class
|
||||||
*/
|
*/
|
||||||
public boolean supports(Class clazz);
|
boolean supports(Class clazz);
|
||||||
}
|
}
|
||||||
|
@ -86,7 +86,7 @@ public class MethodDefinitionAttributes extends AbstractMethodDefinitionSource {
|
|||||||
Method m = clazz.getDeclaredMethod(method.getName(), (Class[]) method.getParameterTypes());
|
Method m = clazz.getDeclaredMethod(method.getName(), (Class[]) method.getParameterTypes());
|
||||||
addMethodAttributes(definition, m);
|
addMethodAttributes(definition, m);
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
// this won't happen since we are getting a method from an interface that
|
// this won't happen since we are getting a method from an interface that
|
||||||
// the declaring class implements
|
// the declaring class implements
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -207,7 +207,8 @@ public class MethodDefinitionMap extends AbstractMethodDefinitionSource {
|
|||||||
try {
|
try {
|
||||||
// Look for the method on the current interface
|
// Look for the method on the current interface
|
||||||
Method interfaceMethod = clazz.getDeclaredMethod(method.getName(), (Class[]) method.getParameterTypes());
|
Method interfaceMethod = clazz.getDeclaredMethod(method.getName(), (Class[]) method.getParameterTypes());
|
||||||
ConfigAttributeDefinition interfaceAssigned = (ConfigAttributeDefinition) this.methodMap.get(interfaceMethod);
|
ConfigAttributeDefinition interfaceAssigned =
|
||||||
|
(ConfigAttributeDefinition) this.methodMap.get(interfaceMethod);
|
||||||
merge(definition, interfaceAssigned);
|
merge(definition, interfaceAssigned);
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
// skip this interface
|
// skip this interface
|
||||||
@ -236,7 +237,7 @@ public class MethodDefinitionMap extends AbstractMethodDefinitionSource {
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Easier configuration of the instance, using {@link MethodDefinitionSourceMapping}.
|
* Easier configuration of the instance, using {@link MethodDefinitionSourceMapping}.
|
||||||
*
|
*
|
||||||
* @param mappings {@link List} of {@link MethodDefinitionSourceMapping} objects.
|
* @param mappings {@link List} of {@link MethodDefinitionSourceMapping} objects.
|
||||||
*/
|
*/
|
||||||
public void setMappings(List mappings) {
|
public void setMappings(List mappings) {
|
||||||
|
@ -30,8 +30,8 @@ import java.util.Properties;
|
|||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Property editor to assist with the setup of a {@link MethodDefinitionSource}.<p>The class creates and populates
|
* Property editor to assist with the setup of a {@link MethodDefinitionSource}.
|
||||||
* a {@link MethodDefinitionMap}.</p>
|
* <p>The class creates and populates a {@link MethodDefinitionMap}.</p>
|
||||||
*
|
*
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
|
@ -68,11 +68,12 @@ public class MethodDefinitionSourceAdvisor extends StaticMethodMatcherPointcutAd
|
|||||||
//~ Inner Classes ==================================================================================================
|
//~ Inner Classes ==================================================================================================
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Represents a <code>MethodInvocation</code>.<p>Required as <code>MethodDefinitionSource</code> only
|
* Represents a <code>MethodInvocation</code>.
|
||||||
* supports lookup of configuration attributes for <code>MethodInvocation</code>s.</p>
|
* <p>Required as <code>MethodDefinitionSource</code> only supports lookup of configuration attributes for
|
||||||
|
* <code>MethodInvocation</code>s.</p>
|
||||||
*/
|
*/
|
||||||
class InternalMethodInvocation implements MethodInvocation {
|
class InternalMethodInvocation implements MethodInvocation {
|
||||||
Method method;
|
private Method method;
|
||||||
|
|
||||||
public InternalMethodInvocation(Method method) {
|
public InternalMethodInvocation(Method method) {
|
||||||
this.method = method;
|
this.method = method;
|
||||||
|
@ -27,5 +27,5 @@ package org.acegisecurity.intercept.method.aspectj;
|
|||||||
public interface AspectJCallback {
|
public interface AspectJCallback {
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
public Object proceedWithObject();
|
Object proceedWithObject();
|
||||||
}
|
}
|
||||||
|
@ -28,9 +28,6 @@ import org.apache.commons.logging.LogFactory;
|
|||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
public abstract class AbstractFilterInvocationDefinitionSource implements FilterInvocationDefinitionSource {
|
public abstract class AbstractFilterInvocationDefinitionSource implements FilterInvocationDefinitionSource {
|
||||||
//~ Static fields/initializers =====================================================================================
|
|
||||||
|
|
||||||
private static final Log logger = LogFactory.getLog(AbstractFilterInvocationDefinitionSource.class);
|
|
||||||
|
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
@ -47,9 +44,11 @@ public abstract class AbstractFilterInvocationDefinitionSource implements Filter
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Performs the actual lookup of the relevant <code>ConfigAttributeDefinition</code> for the specified
|
* Performs the actual lookup of the relevant <code>ConfigAttributeDefinition</code> for the specified
|
||||||
* <code>FilterInvocation</code>.<P>Provided so subclasses need only to provide one basic method to
|
* <code>FilterInvocation</code>.
|
||||||
* properly interface with the <code>FilterInvocationDefinitionSource</code>.</p>
|
* <p>Provided so subclasses need only to provide one basic method to properly interface with the
|
||||||
* <P>Public visiblity so that tablibs or other view helper classes can access the
|
* <code>FilterInvocationDefinitionSource</code>.
|
||||||
|
* </p>
|
||||||
|
* <p>Public visiblity so that tablibs or other view helper classes can access the
|
||||||
* <code>ConfigAttributeDefinition</code> applying to a given URI pattern without needing to construct a mock
|
* <code>ConfigAttributeDefinition</code> applying to a given URI pattern without needing to construct a mock
|
||||||
* <code>FilterInvocation</code> and retrieving the attibutes via the {@link #getAttributes(Object)} method.</p>
|
* <code>FilterInvocation</code> and retrieving the attibutes via the {@link #getAttributes(Object)} method.</p>
|
||||||
*
|
*
|
||||||
@ -60,10 +59,6 @@ public abstract class AbstractFilterInvocationDefinitionSource implements Filter
|
|||||||
public abstract ConfigAttributeDefinition lookupAttributes(String url);
|
public abstract ConfigAttributeDefinition lookupAttributes(String url);
|
||||||
|
|
||||||
public boolean supports(Class clazz) {
|
public boolean supports(Class clazz) {
|
||||||
if (FilterInvocation.class.isAssignableFrom(clazz)) {
|
return FilterInvocation.class.isAssignableFrom(clazz);
|
||||||
return true;
|
|
||||||
} else {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -28,9 +28,9 @@ import org.acegisecurity.ConfigAttributeDefinition;
|
|||||||
public interface FilterInvocationDefinitionMap {
|
public interface FilterInvocationDefinitionMap {
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
public void addSecureUrl(String expression, ConfigAttributeDefinition attr);
|
void addSecureUrl(String expression, ConfigAttributeDefinition attr);
|
||||||
|
|
||||||
public boolean isConvertUrlToLowercaseBeforeComparison();
|
boolean isConvertUrlToLowercaseBeforeComparison();
|
||||||
|
|
||||||
public void setConvertUrlToLowercaseBeforeComparison(boolean convertUrlToLowercaseBeforeComparison);
|
void setConvertUrlToLowercaseBeforeComparison(boolean convertUrlToLowercaseBeforeComparison);
|
||||||
}
|
}
|
||||||
|
@ -43,7 +43,8 @@ public class FilterInvocationDefinitionSourceEditor extends PropertyEditorSuppor
|
|||||||
//~ Static fields/initializers =====================================================================================
|
//~ Static fields/initializers =====================================================================================
|
||||||
|
|
||||||
private static final Log logger = LogFactory.getLog(FilterInvocationDefinitionSourceEditor.class);
|
private static final Log logger = LogFactory.getLog(FilterInvocationDefinitionSourceEditor.class);
|
||||||
public static final String DIRECTIVE_CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON = "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON";
|
public static final String DIRECTIVE_CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON =
|
||||||
|
"CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON";
|
||||||
public static final String DIRECTIVE_PATTERN_TYPE_APACHE_ANT = "PATTERN_TYPE_APACHE_ANT";
|
public static final String DIRECTIVE_PATTERN_TYPE_APACHE_ANT = "PATTERN_TYPE_APACHE_ANT";
|
||||||
|
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
@ -79,7 +80,7 @@ public class FilterInvocationDefinitionSourceEditor extends PropertyEditorSuppor
|
|||||||
BufferedReader br = new BufferedReader(new StringReader(s));
|
BufferedReader br = new BufferedReader(new StringReader(s));
|
||||||
int counter = 0;
|
int counter = 0;
|
||||||
String line;
|
String line;
|
||||||
|
|
||||||
List mappings = new ArrayList();
|
List mappings = new ArrayList();
|
||||||
|
|
||||||
while (true) {
|
while (true) {
|
||||||
|
@ -24,7 +24,7 @@ import org.acegisecurity.ConfigAttribute;
|
|||||||
* Configuration entry for {@link FilterInvocationDefinitionSource}, that holds
|
* Configuration entry for {@link FilterInvocationDefinitionSource}, that holds
|
||||||
* the url to be protected and the {@link ConfigAttribute}s as {@link String}
|
* the url to be protected and the {@link ConfigAttribute}s as {@link String}
|
||||||
* that apply to that url.
|
* that apply to that url.
|
||||||
*
|
*
|
||||||
* @author <a href="mailto:carlos@apache.org">Carlos Sanchez</a>
|
* @author <a href="mailto:carlos@apache.org">Carlos Sanchez</a>
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
* @since 1.1
|
* @since 1.1
|
||||||
@ -37,7 +37,7 @@ public class FilterInvocationDefinitionSourceMapping {
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Url to be secured.
|
* Url to be secured.
|
||||||
*
|
*
|
||||||
* @param url
|
* @param url
|
||||||
*/
|
*/
|
||||||
public void setUrl(String url) {
|
public void setUrl(String url) {
|
||||||
@ -46,7 +46,7 @@ public class FilterInvocationDefinitionSourceMapping {
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Url to be secured.
|
* Url to be secured.
|
||||||
*
|
*
|
||||||
* @return the url
|
* @return the url
|
||||||
*/
|
*/
|
||||||
public String getUrl() {
|
public String getUrl() {
|
||||||
@ -55,15 +55,14 @@ public class FilterInvocationDefinitionSourceMapping {
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
* @param roles
|
* @param roles {@link List}<{@link String}>
|
||||||
* {@link List}<{@link String}>
|
|
||||||
*/
|
*/
|
||||||
public void setConfigAttributes(List roles) {
|
public void setConfigAttributes(List roles) {
|
||||||
this.configAttributes = roles;
|
this.configAttributes = roles;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
* @return {@link List}<{@link String}>
|
* @return {@link List}<{@link String}>
|
||||||
*/
|
*/
|
||||||
public List getConfigAttributes() {
|
public List getConfigAttributes() {
|
||||||
@ -72,7 +71,7 @@ public class FilterInvocationDefinitionSourceMapping {
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Add a {@link ConfigAttribute} as {@link String}
|
* Add a {@link ConfigAttribute} as {@link String}
|
||||||
*
|
*
|
||||||
* @param configAttribute
|
* @param configAttribute
|
||||||
*/
|
*/
|
||||||
public void addConfigAttribute(String configAttribute) {
|
public void addConfigAttribute(String configAttribute) {
|
||||||
|
@ -42,15 +42,19 @@ import javax.naming.directory.InitialDirContext;
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Encapsulates the information for connecting to an LDAP server and provides an access point for obtaining
|
* Encapsulates the information for connecting to an LDAP server and provides an access point for obtaining
|
||||||
* <tt>DirContext</tt> references.<p>The directory location is configured using by setting the constructor argument
|
* <tt>DirContext</tt> references.
|
||||||
|
* <p>
|
||||||
|
* The directory location is configured using by setting the constructor argument
|
||||||
* <tt>providerUrl</tt>. This should be in the form <tt>ldap://monkeymachine.co.uk:389/dc=acegisecurity,dc=org</tt>.
|
* <tt>providerUrl</tt>. This should be in the form <tt>ldap://monkeymachine.co.uk:389/dc=acegisecurity,dc=org</tt>.
|
||||||
* The Sun JNDI provider also supports lists of space-separated URLs, each of which will be tried in turn until a
|
* The Sun JNDI provider also supports lists of space-separated URLs, each of which will be tried in turn until a
|
||||||
* connection is obtained.</p>
|
* connection is obtained.
|
||||||
* <p>To obtain an initial context, the client calls the <tt>newInitialDirContext</tt> method. There are two
|
* </p>
|
||||||
* signatures - one with no arguments and one which allows binding with a specific username and password.</p>
|
* <p>To obtain an initial context, the client calls the <tt>newInitialDirContext</tt> method. There are two
|
||||||
* <p>The no-args version will bind anonymously unless a manager login has been configured using the properties
|
* signatures - one with no arguments and one which allows binding with a specific username and password.
|
||||||
|
* </p>
|
||||||
|
* <p>The no-args version will bind anonymously unless a manager login has been configured using the properties
|
||||||
* <tt>managerDn</tt> and <tt>managerPassword</tt>, in which case it will bind as the manager user.</p>
|
* <tt>managerDn</tt> and <tt>managerPassword</tt>, in which case it will bind as the manager user.</p>
|
||||||
* <p>Connection pooling is enabled by default for anonymous or manager connections, but not when binding as a
|
* <p>Connection pooling is enabled by default for anonymous or manager connections, but not when binding as a
|
||||||
* specific user.</p>
|
* specific user.</p>
|
||||||
*
|
*
|
||||||
* @author Robert Sanders
|
* @author Robert Sanders
|
||||||
@ -113,7 +117,7 @@ public class DefaultInitialDirContextFactory implements InitialDirContextFactory
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Create and initialize an instance to the LDAP url provided
|
* Create and initialize an instance to the LDAP url provided
|
||||||
*
|
*
|
||||||
* @param providerUrl a String of the form <code>ldap://localhost:389/base_dn<code>
|
* @param providerUrl a String of the form <code>ldap://localhost:389/base_dn<code>
|
||||||
*/
|
*/
|
||||||
public DefaultInitialDirContextFactory(String providerUrl) {
|
public DefaultInitialDirContextFactory(String providerUrl) {
|
||||||
@ -124,7 +128,7 @@ public class DefaultInitialDirContextFactory implements InitialDirContextFactory
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Set the LDAP url
|
* Set the LDAP url
|
||||||
*
|
*
|
||||||
* @param providerUrl a String of the form <code>ldap://localhost:389/base_dn<code>
|
* @param providerUrl a String of the form <code>ldap://localhost:389/base_dn<code>
|
||||||
*/
|
*/
|
||||||
private void setProviderUrl(String providerUrl) {
|
private void setProviderUrl(String providerUrl) {
|
||||||
@ -154,7 +158,7 @@ public class DefaultInitialDirContextFactory implements InitialDirContextFactory
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the LDAP url
|
* Get the LDAP url
|
||||||
*
|
*
|
||||||
* @return the url
|
* @return the url
|
||||||
*/
|
*/
|
||||||
private String getProviderUrl() {
|
private String getProviderUrl() {
|
||||||
@ -175,8 +179,8 @@ public class DefaultInitialDirContextFactory implements InitialDirContextFactory
|
|||||||
try {
|
try {
|
||||||
return useLdapContext ? new InitialLdapContext(env, null) : new InitialDirContext(env);
|
return useLdapContext ? new InitialLdapContext(env, null) : new InitialDirContext(env);
|
||||||
} catch (NamingException ne) {
|
} catch (NamingException ne) {
|
||||||
if ((ne instanceof javax.naming.AuthenticationException) ||
|
if ((ne instanceof javax.naming.AuthenticationException)
|
||||||
(ne instanceof OperationNotSupportedException)) {
|
|| (ne instanceof OperationNotSupportedException)) {
|
||||||
throw new BadCredentialsException(messages.getMessage("DefaultIntitalDirContextFactory.badCredentials",
|
throw new BadCredentialsException(messages.getMessage("DefaultIntitalDirContextFactory.badCredentials",
|
||||||
"Bad credentials"), ne);
|
"Bad credentials"), ne);
|
||||||
}
|
}
|
||||||
|
@ -27,6 +27,6 @@ import javax.naming.directory.DirContext;
|
|||||||
public interface LdapCallback {
|
public interface LdapCallback {
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
public Object doInDirContext(DirContext dirContext)
|
Object doInDirContext(DirContext dirContext)
|
||||||
throws NamingException;
|
throws NamingException;
|
||||||
}
|
}
|
||||||
|
@ -19,16 +19,16 @@ import javax.naming.NamingException;
|
|||||||
import javax.naming.directory.Attributes;
|
import javax.naming.directory.Attributes;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A mapper for use with {@link LdapTemplate}. Creates a customized object from
|
* A mapper for use with {@link LdapTemplate}. Creates a customized object from
|
||||||
* a set of attributes retrieved from a directory entry.
|
* a set of attributes retrieved from a directory entry.
|
||||||
*
|
*
|
||||||
* @author Luke Taylor
|
* @author Luke Taylor
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
public interface LdapEntryMapper {
|
public interface LdapEntryMapper {
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
public Object mapAttributes(String dn, Attributes attributes)
|
Object mapAttributes(String dn, Attributes attributes)
|
||||||
throws NamingException;
|
throws NamingException;
|
||||||
}
|
}
|
||||||
|
@ -238,7 +238,8 @@ public class LdapTemplate {
|
|||||||
*
|
*
|
||||||
* @return the object created by the mapper from the matching entry
|
* @return the object created by the mapper from the matching entry
|
||||||
*
|
*
|
||||||
* @throws IncorrectResultSizeDataAccessException if no results are found or the search returns more than one result.
|
* @throws IncorrectResultSizeDataAccessException if no results are found or the search returns more than one
|
||||||
|
* result.
|
||||||
*/
|
*/
|
||||||
public Object searchForSingleEntry(final String base, final String filter, final Object[] params,
|
public Object searchForSingleEntry(final String base, final String filter, final Object[] params,
|
||||||
final LdapEntryMapper mapper) {
|
final LdapEntryMapper mapper) {
|
||||||
|
@ -32,11 +32,16 @@ import javax.naming.NamingException;
|
|||||||
* @author Luke Taylor
|
* @author Luke Taylor
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
public class LdapUtils {
|
public final class LdapUtils {
|
||||||
//~ Static fields/initializers =====================================================================================
|
//~ Static fields/initializers =====================================================================================
|
||||||
|
|
||||||
private static final Log logger = LogFactory.getLog(LdapUtils.class);
|
private static final Log logger = LogFactory.getLog(LdapUtils.class);
|
||||||
|
|
||||||
|
//~ Constructors ===================================================================================================
|
||||||
|
|
||||||
|
private LdapUtils() {
|
||||||
|
}
|
||||||
|
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
public static void closeContext(Context ctx) {
|
public static void closeContext(Context ctx) {
|
||||||
|
@ -124,7 +124,7 @@ public class FilterBasedLdapUserSearch implements LdapUserSearch {
|
|||||||
|
|
||||||
return user.createUserDetails();
|
return user.createUserDetails();
|
||||||
} catch (IncorrectResultSizeDataAccessException notFound) {
|
} catch (IncorrectResultSizeDataAccessException notFound) {
|
||||||
if(notFound.getActualSize() == 0) {
|
if (notFound.getActualSize() == 0) {
|
||||||
throw new UsernameNotFoundException("User " + username + " not found in directory.");
|
throw new UsernameNotFoundException("User " + username + " not found in directory.");
|
||||||
}
|
}
|
||||||
// Search should never return multiple results if properly configured, so just rethrow
|
// Search should never return multiple results if properly configured, so just rethrow
|
||||||
|
@ -42,17 +42,20 @@ public interface AuthenticationProvider {
|
|||||||
*
|
*
|
||||||
* @throws AuthenticationException if authentication fails.
|
* @throws AuthenticationException if authentication fails.
|
||||||
*/
|
*/
|
||||||
public Authentication authenticate(Authentication authentication)
|
Authentication authenticate(Authentication authentication)
|
||||||
throws AuthenticationException;
|
throws AuthenticationException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns <code>true</code> if this <Code>AuthenticationProvider</code> supports the indicated
|
* Returns <code>true</code> if this <Code>AuthenticationProvider</code> supports the indicated
|
||||||
* <Code>Authentication</code> object.<p>Returning <code>true</code> does not guarantee an
|
* <Code>Authentication</code> object.
|
||||||
* <code>AuthenticationProvider</code> will be able to authenticate the presented instance of the
|
* <p>
|
||||||
* <code>Authentication</code> class. It simply indicates it can support closer evaluation of it. An
|
* Returning <code>true</code> does not guarantee an <code>AuthenticationProvider</code> will be able to
|
||||||
* <code>AuthenticationProvider</code> can still return <code>null</code> from the {@link
|
* authenticate the presented instance of the <code>Authentication</code> class. It simply indicates it can support
|
||||||
* #authenticate(Authentication)} method to indicate another <code>AuthenticationProvider</code> should be tried.</p>
|
* closer evaluation of it. An <code>AuthenticationProvider</code> can still return <code>null</code> from the
|
||||||
* <P>Selection of an <code>AuthenticationProvider</code> capable of performing authentication is
|
* {@link #authenticate(Authentication)} method to indicate another <code>AuthenticationProvider</code> should be
|
||||||
|
* tried.
|
||||||
|
* </p>
|
||||||
|
* <p>Selection of an <code>AuthenticationProvider</code> capable of performing authentication is
|
||||||
* conducted at runtime the <code>ProviderManager</code>.</p>
|
* conducted at runtime the <code>ProviderManager</code>.</p>
|
||||||
*
|
*
|
||||||
* @param authentication DOCUMENT ME!
|
* @param authentication DOCUMENT ME!
|
||||||
@ -60,5 +63,5 @@ public interface AuthenticationProvider {
|
|||||||
* @return <code>true</code> if the implementation can more closely evaluate the <code>Authentication</code> class
|
* @return <code>true</code> if the implementation can more closely evaluate the <code>Authentication</code> class
|
||||||
* presented
|
* presented
|
||||||
*/
|
*/
|
||||||
public boolean supports(Class authentication);
|
boolean supports(Class authentication);
|
||||||
}
|
}
|
||||||
|
@ -69,17 +69,22 @@ import java.util.Properties;
|
|||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Iterates an {@link Authentication} request through a list of {@link AuthenticationProvider}s. Can optionally be
|
* Iterates an {@link Authentication} request through a list of {@link AuthenticationProvider}s.
|
||||||
* configured with a {@link ConcurrentSessionController} to limit the number of sessions a user can have.<p><code>AuthenticationProvider</code>s
|
*
|
||||||
* are tried in order until one provides a non-null response. A non-null response indicates the provider had authority
|
* Can optionally be configured with a {@link ConcurrentSessionController} to limit the number of sessions a user can
|
||||||
* to decide on the authentication request and no further providers are tried. If an
|
* have.
|
||||||
* <code>AuthenticationException</code> is thrown by a provider, it is retained until subsequent providers are tried.
|
* <p>
|
||||||
* If a subsequent provider successfully authenticates the request, the earlier authentication exception is
|
* <code>AuthenticationProvider</code>s are tried in order until one provides a non-null response.
|
||||||
* disregarded and the successful authentication will be used. If no subsequent provider provides a non-null response,
|
* A non-null response indicates the provider had authority to decide on the authentication request and no further
|
||||||
* or a new <code>AuthenticationException</code>, the last <code>AuthenticationException</code> received will be used.
|
* providers are tried. If an <code>AuthenticationException</code> is thrown by a provider, it is retained until
|
||||||
* If no provider returns a non-null response, or indicates it can even process an <code>Authentication</code>, the
|
* subsequent providers are tried. If a subsequent provider successfully authenticates the request, the earlier
|
||||||
* <code>ProviderManager</code> will throw a <code>ProviderNotFoundException</code>.</p>
|
* authentication exception is disregarded and the successful authentication will be used. If no subsequent provider
|
||||||
* <p>If a valid <code>Authentication</code> is returned by an <code>AuthenticationProvider</code>, the
|
* provides a non-null response, or a new <code>AuthenticationException</code>, the last
|
||||||
|
* <code>AuthenticationException</code> received will be used. If no provider returns a non-null response, or indicates
|
||||||
|
* it can even process an <code>Authentication</code>, the <code>ProviderManager</code> will throw a
|
||||||
|
* <code>ProviderNotFoundException</code>.</p>
|
||||||
|
*
|
||||||
|
* <p>If a valid <code>Authentication</code> is returned by an <code>AuthenticationProvider</code>, the
|
||||||
* <code>ProviderManager</code> will publish an {@link
|
* <code>ProviderManager</code> will publish an {@link
|
||||||
* org.acegisecurity.event.authentication.AuthenticationSuccessEvent}. If an <code>AuthenticationException</code> is
|
* org.acegisecurity.event.authentication.AuthenticationSuccessEvent}. If an <code>AuthenticationException</code> is
|
||||||
* detected, the final <code>AuthenticationException</code> thrown will be used to publish an appropriate failure
|
* detected, the final <code>AuthenticationException</code> thrown will be used to publish an appropriate failure
|
||||||
@ -108,23 +113,25 @@ public class ProviderManager extends AbstractAuthenticationManager implements In
|
|||||||
|
|
||||||
static {
|
static {
|
||||||
DEFAULT_EXCEPTION_MAPPINGS.put(AccountExpiredException.class.getName(),
|
DEFAULT_EXCEPTION_MAPPINGS.put(AccountExpiredException.class.getName(),
|
||||||
AuthenticationFailureExpiredEvent.class.getName());
|
AuthenticationFailureExpiredEvent.class.getName());
|
||||||
DEFAULT_EXCEPTION_MAPPINGS.put(AuthenticationServiceException.class.getName(),
|
DEFAULT_EXCEPTION_MAPPINGS.put(AuthenticationServiceException.class.getName(),
|
||||||
AuthenticationFailureServiceExceptionEvent.class.getName());
|
AuthenticationFailureServiceExceptionEvent.class.getName());
|
||||||
DEFAULT_EXCEPTION_MAPPINGS.put(LockedException.class.getName(), AuthenticationFailureLockedEvent.class.getName());
|
DEFAULT_EXCEPTION_MAPPINGS.put(LockedException.class.getName(),
|
||||||
|
AuthenticationFailureLockedEvent.class.getName());
|
||||||
DEFAULT_EXCEPTION_MAPPINGS.put(CredentialsExpiredException.class.getName(),
|
DEFAULT_EXCEPTION_MAPPINGS.put(CredentialsExpiredException.class.getName(),
|
||||||
AuthenticationFailureCredentialsExpiredEvent.class.getName());
|
AuthenticationFailureCredentialsExpiredEvent.class.getName());
|
||||||
DEFAULT_EXCEPTION_MAPPINGS.put(DisabledException.class.getName(), AuthenticationFailureDisabledEvent.class.getName());
|
DEFAULT_EXCEPTION_MAPPINGS.put(DisabledException.class.getName(),
|
||||||
|
AuthenticationFailureDisabledEvent.class.getName());
|
||||||
DEFAULT_EXCEPTION_MAPPINGS.put(BadCredentialsException.class.getName(),
|
DEFAULT_EXCEPTION_MAPPINGS.put(BadCredentialsException.class.getName(),
|
||||||
AuthenticationFailureBadCredentialsEvent.class.getName());
|
AuthenticationFailureBadCredentialsEvent.class.getName());
|
||||||
DEFAULT_EXCEPTION_MAPPINGS.put(UsernameNotFoundException.class.getName(),
|
DEFAULT_EXCEPTION_MAPPINGS.put(UsernameNotFoundException.class.getName(),
|
||||||
AuthenticationFailureBadCredentialsEvent.class.getName());
|
AuthenticationFailureBadCredentialsEvent.class.getName());
|
||||||
DEFAULT_EXCEPTION_MAPPINGS.put(ConcurrentLoginException.class.getName(),
|
DEFAULT_EXCEPTION_MAPPINGS.put(ConcurrentLoginException.class.getName(),
|
||||||
AuthenticationFailureConcurrentLoginEvent.class.getName());
|
AuthenticationFailureConcurrentLoginEvent.class.getName());
|
||||||
DEFAULT_EXCEPTION_MAPPINGS.put(ProviderNotFoundException.class.getName(),
|
DEFAULT_EXCEPTION_MAPPINGS.put(ProviderNotFoundException.class.getName(),
|
||||||
AuthenticationFailureProviderNotFoundEvent.class.getName());
|
AuthenticationFailureProviderNotFoundEvent.class.getName());
|
||||||
DEFAULT_EXCEPTION_MAPPINGS.put(ProxyUntrustedException.class.getName(),
|
DEFAULT_EXCEPTION_MAPPINGS.put(ProxyUntrustedException.class.getName(),
|
||||||
AuthenticationFailureProxyUntrustedEvent.class.getName());
|
AuthenticationFailureProxyUntrustedEvent.class.getName());
|
||||||
}
|
}
|
||||||
|
|
||||||
public ProviderManager() {
|
public ProviderManager() {
|
||||||
@ -274,7 +281,8 @@ public class ProviderManager extends AbstractAuthenticationManager implements In
|
|||||||
|
|
||||||
while (iter.hasNext()) {
|
while (iter.hasNext()) {
|
||||||
Object currentObject = iter.next();
|
Object currentObject = iter.next();
|
||||||
Assert.isInstanceOf(AuthenticationProvider.class, currentObject, "Can only provide AuthenticationProvider instances");
|
Assert.isInstanceOf(AuthenticationProvider.class, currentObject,
|
||||||
|
"Can only provide AuthenticationProvider instances");
|
||||||
}
|
}
|
||||||
|
|
||||||
this.providers = newList;
|
this.providers = newList;
|
||||||
@ -290,9 +298,9 @@ public class ProviderManager extends AbstractAuthenticationManager implements In
|
|||||||
this.sessionController = sessionController;
|
this.sessionController = sessionController;
|
||||||
}
|
}
|
||||||
|
|
||||||
private void publishEvent( ApplicationEvent event ) {
|
private void publishEvent(ApplicationEvent event) {
|
||||||
if ( applicationEventPublisher != null ) {
|
if (applicationEventPublisher != null) {
|
||||||
applicationEventPublisher.publishEvent( event );
|
applicationEventPublisher.publishEvent(event);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -28,7 +28,7 @@ import org.acegisecurity.GrantedAuthority;
|
|||||||
public class TestingAuthenticationToken extends AbstractAuthenticationToken {
|
public class TestingAuthenticationToken extends AbstractAuthenticationToken {
|
||||||
//~ Instance fields ================================================================================================
|
//~ Instance fields ================================================================================================
|
||||||
|
|
||||||
private static final long serialVersionUID = 1L;
|
private static final long serialVersionUID = 1L;
|
||||||
private Object credentials;
|
private Object credentials;
|
||||||
private Object principal;
|
private Object principal;
|
||||||
|
|
||||||
|
@ -30,7 +30,7 @@ import org.acegisecurity.GrantedAuthority;
|
|||||||
public class UsernamePasswordAuthenticationToken extends AbstractAuthenticationToken {
|
public class UsernamePasswordAuthenticationToken extends AbstractAuthenticationToken {
|
||||||
//~ Instance fields ================================================================================================
|
//~ Instance fields ================================================================================================
|
||||||
|
|
||||||
private static final long serialVersionUID = 1L;
|
private static final long serialVersionUID = 1L;
|
||||||
private Object credentials;
|
private Object credentials;
|
||||||
private Object principal;
|
private Object principal;
|
||||||
|
|
||||||
|
@ -31,7 +31,7 @@ import java.io.Serializable;
|
|||||||
public class AnonymousAuthenticationToken extends AbstractAuthenticationToken implements Serializable {
|
public class AnonymousAuthenticationToken extends AbstractAuthenticationToken implements Serializable {
|
||||||
//~ Instance fields ================================================================================================
|
//~ Instance fields ================================================================================================
|
||||||
|
|
||||||
private static final long serialVersionUID = 1L;
|
private static final long serialVersionUID = 1L;
|
||||||
private Object principal;
|
private Object principal;
|
||||||
private int keyHash;
|
private int keyHash;
|
||||||
|
|
||||||
|
@ -35,7 +35,7 @@ import java.util.List;
|
|||||||
public class CasAuthenticationToken extends AbstractAuthenticationToken implements Serializable {
|
public class CasAuthenticationToken extends AbstractAuthenticationToken implements Serializable {
|
||||||
//~ Instance fields ================================================================================================
|
//~ Instance fields ================================================================================================
|
||||||
|
|
||||||
private static final long serialVersionUID = 1L;
|
private static final long serialVersionUID = 1L;
|
||||||
private final List proxyList;
|
private final List proxyList;
|
||||||
private final Object credentials;
|
private final Object credentials;
|
||||||
private final Object principal;
|
private final Object principal;
|
||||||
|
@ -23,16 +23,16 @@ import org.acegisecurity.userdetails.UserDetails;
|
|||||||
/**
|
/**
|
||||||
* Populates the <code>UserDetails</code> associated with a CAS authenticated
|
* Populates the <code>UserDetails</code> associated with a CAS authenticated
|
||||||
* user.
|
* user.
|
||||||
*
|
*
|
||||||
* <P>
|
* <p>
|
||||||
* CAS does not provide the authorities (roles) granted to a user. It merely
|
* CAS does not provide the authorities (roles) granted to a user. It merely
|
||||||
* authenticates their identity. As the Acegi Security System for Spring needs
|
* authenticates their identity. As the Acegi Security System for Spring needs
|
||||||
* to know the authorities granted to a user in order to construct a valid
|
* to know the authorities granted to a user in order to construct a valid
|
||||||
* <code>Authentication</code> object, implementations of this interface will
|
* <code>Authentication</code> object, implementations of this interface will
|
||||||
* provide this information.
|
* provide this information.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <P>
|
* <p>
|
||||||
* A {@link UserDetails} is returned by implementations. The
|
* A {@link UserDetails} is returned by implementations. The
|
||||||
* <code>UserDetails</code> must, at minimum, contain the username and
|
* <code>UserDetails</code> must, at minimum, contain the username and
|
||||||
* <code>GrantedAuthority[]</code> objects applicable to the CAS-authenticated
|
* <code>GrantedAuthority[]</code> objects applicable to the CAS-authenticated
|
||||||
@ -43,8 +43,8 @@ import org.acegisecurity.userdetails.UserDetails;
|
|||||||
* generated <code>CasAuthenticationToken</code>, so additional properties
|
* generated <code>CasAuthenticationToken</code>, so additional properties
|
||||||
* such as email addresses, telephone numbers etc can easily be stored.
|
* such as email addresses, telephone numbers etc can easily be stored.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <P>
|
* <p>
|
||||||
* Implementations should not perform any caching. They will only be called
|
* Implementations should not perform any caching. They will only be called
|
||||||
* when a refresh is required.
|
* when a refresh is required.
|
||||||
* </p>
|
* </p>
|
||||||
@ -65,6 +65,6 @@ public interface CasAuthoritiesPopulator {
|
|||||||
*
|
*
|
||||||
* @throws AuthenticationException DOCUMENT ME!
|
* @throws AuthenticationException DOCUMENT ME!
|
||||||
*/
|
*/
|
||||||
public UserDetails getUserDetails(String casUserId)
|
UserDetails getUserDetails(String casUserId)
|
||||||
throws AuthenticationException;
|
throws AuthenticationException;
|
||||||
}
|
}
|
||||||
|
@ -20,8 +20,8 @@ import java.util.List;
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Decides whether a proxy list presented via CAS is trusted or not.
|
* Decides whether a proxy list presented via CAS is trusted or not.
|
||||||
*
|
*
|
||||||
* <P>
|
* <p>
|
||||||
* CAS 1.0 allowed services to receive a service ticket and then validate it.
|
* CAS 1.0 allowed services to receive a service ticket and then validate it.
|
||||||
* CAS 2.0 allows services to receive a service ticket and then validate it
|
* CAS 2.0 allows services to receive a service ticket and then validate it
|
||||||
* with a proxy callback URL. The callback will enable the CAS server to
|
* with a proxy callback URL. The callback will enable the CAS server to
|
||||||
@ -30,22 +30,22 @@ import java.util.List;
|
|||||||
* internal record that a proxy-granting ticket is due to be received via the
|
* internal record that a proxy-granting ticket is due to be received via the
|
||||||
* callback URL.
|
* callback URL.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <P>
|
* <p>
|
||||||
* With a proxy-granting ticket, a service can request the CAS server provides
|
* With a proxy-granting ticket, a service can request the CAS server provides
|
||||||
* it with a proxy ticket. A proxy ticket is just a service ticket, but the
|
* it with a proxy ticket. A proxy ticket is just a service ticket, but the
|
||||||
* CAS server internally tracks the list (chain) of services used to build the
|
* CAS server internally tracks the list (chain) of services used to build the
|
||||||
* proxy ticket. The proxy ticket is then presented to the target service.
|
* proxy ticket. The proxy ticket is then presented to the target service.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <P>
|
* <p>
|
||||||
* If this application is a target service of a proxy ticket, the
|
* If this application is a target service of a proxy ticket, the
|
||||||
* <code>CasProxyDecider</code> resolves whether or not the proxy list is
|
* <code>CasProxyDecider</code> resolves whether or not the proxy list is
|
||||||
* trusted. Applications should only trust services they allow to impersonate
|
* trusted. Applications should only trust services they allow to impersonate
|
||||||
* an end user.
|
* an end user.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <P>
|
* <p>
|
||||||
* If this application is a service that should never accept proxy-granting
|
* If this application is a service that should never accept proxy-granting
|
||||||
* tickets, the implementation should reject tickets that present a proxy list
|
* tickets, the implementation should reject tickets that present a proxy list
|
||||||
* with any members. If the list has no members, it indicates the CAS server
|
* with any members. If the list has no members, it indicates the CAS server
|
||||||
@ -60,13 +60,14 @@ public interface CasProxyDecider {
|
|||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Decides whether the proxy list is trusted.<P>Must throw any <code>ProxyUntrustedException</code> if the
|
* Decides whether the proxy list is trusted.
|
||||||
|
* <p>Must throw any <code>ProxyUntrustedException</code> if the
|
||||||
* proxy list is untrusted.</p>
|
* proxy list is untrusted.</p>
|
||||||
*
|
*
|
||||||
* @param proxyList DOCUMENT ME!
|
* @param proxyList the list of proxies to be checked.
|
||||||
*
|
*
|
||||||
* @throws ProxyUntrustedException DOCUMENT ME!
|
* @throws ProxyUntrustedException DOCUMENT ME!
|
||||||
*/
|
*/
|
||||||
public void confirmProxyListTrusted(List proxyList)
|
void confirmProxyListTrusted(List proxyList)
|
||||||
throws ProxyUntrustedException;
|
throws ProxyUntrustedException;
|
||||||
}
|
}
|
||||||
|
@ -17,7 +17,7 @@ package org.acegisecurity.providers.cas;
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Caches CAS service tickets and CAS proxy tickets for stateless connections.
|
* Caches CAS service tickets and CAS proxy tickets for stateless connections.
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* When a service ticket or proxy ticket is validated against the CAS server,
|
* When a service ticket or proxy ticket is validated against the CAS server,
|
||||||
* it is unable to be used again. Most types of callers are stateful and are
|
* it is unable to be used again. Most types of callers are stateful and are
|
||||||
@ -26,14 +26,14 @@ package org.acegisecurity.providers.cas;
|
|||||||
* <code>HttpSession</code>, meaning the removal of the ticket from the CAS
|
* <code>HttpSession</code>, meaning the removal of the ticket from the CAS
|
||||||
* server is not an issue.
|
* server is not an issue.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* Stateless callers, such as remoting protocols, cannot take advantage of
|
* Stateless callers, such as remoting protocols, cannot take advantage of
|
||||||
* <code>HttpSession</code>. If the stateless caller is located a significant
|
* <code>HttpSession</code>. If the stateless caller is located a significant
|
||||||
* network distance from the CAS server, acquiring a fresh service ticket or
|
* network distance from the CAS server, acquiring a fresh service ticket or
|
||||||
* proxy ticket for each invocation would be expensive.
|
* proxy ticket for each invocation would be expensive.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* To avoid this issue with stateless callers, it is expected stateless callers
|
* To avoid this issue with stateless callers, it is expected stateless callers
|
||||||
* will obtain a single service ticket or proxy ticket, and then present this
|
* will obtain a single service ticket or proxy ticket, and then present this
|
||||||
@ -41,7 +41,7 @@ package org.acegisecurity.providers.cas;
|
|||||||
* occasion. As no <code>HttpSession</code> is available for such callers, the
|
* occasion. As no <code>HttpSession</code> is available for such callers, the
|
||||||
* affirmative CAS validation outcome cannot be stored in this location.
|
* affirmative CAS validation outcome cannot be stored in this location.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* The <code>StatelessTicketCache</code> enables the service tickets and proxy
|
* The <code>StatelessTicketCache</code> enables the service tickets and proxy
|
||||||
* tickets belonging to stateless callers to be placed in a cache. This
|
* tickets belonging to stateless callers to be placed in a cache. This
|
||||||
@ -49,7 +49,7 @@ package org.acegisecurity.providers.cas;
|
|||||||
* providing the same capability as a <code>HttpSession</code> with the ticket
|
* providing the same capability as a <code>HttpSession</code> with the ticket
|
||||||
* identifier being the key rather than a session identifier.
|
* identifier being the key rather than a session identifier.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* Implementations should provide a reasonable timeout on stored entries, such
|
* Implementations should provide a reasonable timeout on stored entries, such
|
||||||
* that the stateless caller are not required to unnecessarily acquire fresh
|
* that the stateless caller are not required to unnecessarily acquire fresh
|
||||||
@ -65,7 +65,7 @@ public interface StatelessTicketCache {
|
|||||||
/**
|
/**
|
||||||
* Retrieves the <code>CasAuthenticationToken</code> associated with the
|
* Retrieves the <code>CasAuthenticationToken</code> associated with the
|
||||||
* specified ticket.
|
* specified ticket.
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* If not found, returns a
|
* If not found, returns a
|
||||||
* <code>null</code><code>CasAuthenticationToken</code>.
|
* <code>null</code><code>CasAuthenticationToken</code>.
|
||||||
@ -73,11 +73,11 @@ public interface StatelessTicketCache {
|
|||||||
*
|
*
|
||||||
* @return the fully populated authentication token
|
* @return the fully populated authentication token
|
||||||
*/
|
*/
|
||||||
public CasAuthenticationToken getByTicketId(String serviceTicket);
|
CasAuthenticationToken getByTicketId(String serviceTicket);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Adds the specified <code>CasAuthenticationToken</code> to the cache.
|
* Adds the specified <code>CasAuthenticationToken</code> to the cache.
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* The {@link CasAuthenticationToken#getCredentials()} method is used to
|
* The {@link CasAuthenticationToken#getCredentials()} method is used to
|
||||||
* retrieve the service ticket number.
|
* retrieve the service ticket number.
|
||||||
@ -85,12 +85,12 @@ public interface StatelessTicketCache {
|
|||||||
*
|
*
|
||||||
* @param token to be added to the cache
|
* @param token to be added to the cache
|
||||||
*/
|
*/
|
||||||
public void putTicketInCache(CasAuthenticationToken token);
|
void putTicketInCache(CasAuthenticationToken token);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Removes the specified ticket from the cache, as per {@link
|
* Removes the specified ticket from the cache, as per {@link
|
||||||
* #removeTicketFromCache(String)}.
|
* #removeTicketFromCache(String)}.
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* Implementations should use {@link
|
* Implementations should use {@link
|
||||||
* CasAuthenticationToken#getCredentials()} to obtain the ticket and then
|
* CasAuthenticationToken#getCredentials()} to obtain the ticket and then
|
||||||
@ -99,12 +99,12 @@ public interface StatelessTicketCache {
|
|||||||
*
|
*
|
||||||
* @param token to be removed
|
* @param token to be removed
|
||||||
*/
|
*/
|
||||||
public void removeTicketFromCache(CasAuthenticationToken token);
|
void removeTicketFromCache(CasAuthenticationToken token);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Removes the specified ticket from the cache, meaning that future calls
|
* Removes the specified ticket from the cache, meaning that future calls
|
||||||
* will require a new service ticket.
|
* will require a new service ticket.
|
||||||
*
|
*
|
||||||
* <P>
|
* <P>
|
||||||
* This is in case applications wish to provide a session termination
|
* This is in case applications wish to provide a session termination
|
||||||
* capability for their stateless clients.
|
* capability for their stateless clients.
|
||||||
@ -112,5 +112,5 @@ public interface StatelessTicketCache {
|
|||||||
*
|
*
|
||||||
* @param serviceTicket to be removed
|
* @param serviceTicket to be removed
|
||||||
*/
|
*/
|
||||||
public void removeTicketFromCache(String serviceTicket);
|
void removeTicketFromCache(String serviceTicket);
|
||||||
}
|
}
|
||||||
|
@ -20,14 +20,14 @@ import org.acegisecurity.AuthenticationException;
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Validates a CAS service ticket.
|
* Validates a CAS service ticket.
|
||||||
*
|
*
|
||||||
* <P>
|
* <p>
|
||||||
* Implementations must accept CAS proxy tickets, in addition to CAS service
|
* Implementations must accept CAS proxy tickets, in addition to CAS service
|
||||||
* tickets. If proxy tickets should be rejected, this is resolved by a {@link
|
* tickets. If proxy tickets should be rejected, this is resolved by a {@link
|
||||||
* CasProxyDecider} implementation (not by the <code>TicketValidator</code>).
|
* CasProxyDecider} implementation (not by the <code>TicketValidator</code>).
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* <P>
|
* <p>
|
||||||
* Implementations may request a proxy granting ticket if wish, although this
|
* Implementations may request a proxy granting ticket if wish, although this
|
||||||
* behaviour is not mandatory.
|
* behaviour is not mandatory.
|
||||||
* </p>
|
* </p>
|
||||||
@ -48,6 +48,6 @@ public interface TicketValidator {
|
|||||||
*
|
*
|
||||||
* @throws AuthenticationException DOCUMENT ME!
|
* @throws AuthenticationException DOCUMENT ME!
|
||||||
*/
|
*/
|
||||||
public TicketResponse confirmTicketValid(String serviceTicket)
|
TicketResponse confirmTicketValid(String serviceTicket)
|
||||||
throws AuthenticationException;
|
throws AuthenticationException;
|
||||||
}
|
}
|
||||||
|
@ -66,7 +66,8 @@ public class RejectProxyTickets implements CasProxyDecider, MessageSourceAware,
|
|||||||
logger.debug("Proxies are unacceptable; proxy list provided: " + proxyList.toString());
|
logger.debug("Proxies are unacceptable; proxy list provided: " + proxyList.toString());
|
||||||
}
|
}
|
||||||
|
|
||||||
throw new ProxyUntrustedException(messages.getMessage("RejectProxyTickets.reject", "Proxy tickets are rejected"));
|
throw new ProxyUntrustedException(
|
||||||
|
messages.getMessage("RejectProxyTickets.reject", "Proxy tickets are rejected"));
|
||||||
}
|
}
|
||||||
|
|
||||||
public void setMessageSource(MessageSource messageSource) {
|
public void setMessageSource(MessageSource messageSource) {
|
||||||
|
@ -55,7 +55,9 @@ public class CasProxyTicketValidator extends AbstractTicketValidator {
|
|||||||
|
|
||||||
if (super.getServiceProperties().isSendRenew()) {
|
if (super.getServiceProperties().isSendRenew()) {
|
||||||
logger.warn(
|
logger.warn(
|
||||||
"The current CAS ProxyTicketValidator does not support the 'renew' property. The ticket cannot be validated as having been issued by a 'renew' authentication. It is expected this will be corrected in a future version of CAS' ProxyTicketValidator.");
|
"The current CAS ProxyTicketValidator does not support the 'renew' property. "
|
||||||
|
+ "The ticket cannot be validated as having been issued by a 'renew' authentication. "
|
||||||
|
+ "It is expected this will be corrected in a future version of CAS' ProxyTicketValidator.");
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((this.proxyCallbackUrl != null) && (!"".equals(this.proxyCallbackUrl))) {
|
if ((this.proxyCallbackUrl != null) && (!"".equals(this.proxyCallbackUrl))) {
|
||||||
@ -66,11 +68,13 @@ public class CasProxyTicketValidator extends AbstractTicketValidator {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Optional callback URL to obtain a proxy-granting ticket from CAS.<P>This callback URL belongs to the
|
* Optional callback URL to obtain a proxy-granting ticket from CAS.
|
||||||
* Acegi Security System for Spring secured application. We suggest you use CAS' <code>ProxyTicketReceptor</code>
|
* <p>This callback URL belongs to the Acegi Security System for Spring secured application. We suggest you use
|
||||||
* servlet to receive this callback and manage the proxy-granting ticket list. The callback URL is usually
|
* CAS' <code>ProxyTicketReceptor</code> servlet to receive this callback and manage the proxy-granting ticket list.
|
||||||
* something like <code>https://www.mycompany.com/application/casProxy/receptor</code>.</p>
|
* The callback URL is usually something like
|
||||||
* <P>If left <code>null</code>, the <code>CasAuthenticationToken</code> will not have a proxy granting
|
* <code>https://www.mycompany.com/application/casProxy/receptor</code>.
|
||||||
|
* </p>
|
||||||
|
* <p>If left <code>null</code>, the <code>CasAuthenticationToken</code> will not have a proxy granting
|
||||||
* ticket IOU and there will be no proxy-granting ticket callback. Accordingly, the Acegi Securty System for
|
* ticket IOU and there will be no proxy-granting ticket callback. Accordingly, the Acegi Securty System for
|
||||||
* Spring secured application will be unable to obtain a proxy ticket to call another CAS-secured service on
|
* Spring secured application will be unable to obtain a proxy ticket to call another CAS-secured service on
|
||||||
* behalf of the user. This is not really an issue for most applications.</p>
|
* behalf of the user. This is not really an issue for most applications.</p>
|
||||||
|
@ -44,15 +44,19 @@ import org.springframework.util.Assert;
|
|||||||
/**
|
/**
|
||||||
* A base {@link AuthenticationProvider} that allows subclasses to override and work with {@link
|
* A base {@link AuthenticationProvider} that allows subclasses to override and work with {@link
|
||||||
* org.acegisecurity.userdetails.UserDetails} objects. The class is designed to respond to {@link
|
* org.acegisecurity.userdetails.UserDetails} objects. The class is designed to respond to {@link
|
||||||
* UsernamePasswordAuthenticationToken} authentication requests.<p>Upon successful validation, a
|
* UsernamePasswordAuthenticationToken} authentication requests.
|
||||||
* <code>UsernamePasswordAuthenticationToken</code> will be created and returned to the caller. The token will include
|
*
|
||||||
* as its principal either a <code>String</code> representation of the username, or the {@link UserDetails} that was
|
* <p>
|
||||||
* returned from the authentication repository. Using <code>String</code> is appropriate if a container adapter is
|
* Upon successful validation, a <code>UsernamePasswordAuthenticationToken</code> will be created and returned to the
|
||||||
* being used, as it expects <code>String</code> representations of the username. Using <code>UserDetails</code> is
|
* caller. The token will include as its principal either a <code>String</code> representation of the username, or the
|
||||||
* appropriate if you require access to additional properties of the authenticated user, such as email addresses,
|
* {@link UserDetails} that was returned from the authentication repository. Using <code>String</code> is appropriate
|
||||||
* human-friendly names etc. As container adapters are not recommended to be used, and <code>UserDetails</code>
|
* if a container adapter is being used, as it expects <code>String</code> representations of the username.
|
||||||
* implementations provide additional flexibility, by default a <code>UserDetails</code> is returned. To override this
|
* Using <code>UserDetails</code> is appropriate if you require access to additional properties of the authenticated
|
||||||
* default, set the {@link #setForcePrincipalAsString} to <code>true</code>.</p>
|
* user, such as email addresses, human-friendly names etc. As container adapters are not recommended to be used,
|
||||||
|
* and <code>UserDetails</code> implementations provide additional flexibility, by default a <code>UserDetails</code>
|
||||||
|
* is returned. To override this
|
||||||
|
* default, set the {@link #setForcePrincipalAsString} to <code>true</code>.
|
||||||
|
* </p>
|
||||||
* <p>Caching is handled via the <code>UserDetails</code> object being placed in the {@link UserCache}. This
|
* <p>Caching is handled via the <code>UserDetails</code> object being placed in the {@link UserCache}. This
|
||||||
* ensures that subsequent requests with the same username can be validated without needing to query the {@link
|
* ensures that subsequent requests with the same username can be validated without needing to query the {@link
|
||||||
* UserDetailsService}. It should be noted that if a user appears to present an incorrect password, the {@link
|
* UserDetailsService}. It should be noted that if a user appears to present an incorrect password, the {@link
|
||||||
@ -145,15 +149,15 @@ public abstract class AbstractUserDetailsAuthenticationProvider implements Authe
|
|||||||
try {
|
try {
|
||||||
additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
|
additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
|
||||||
} catch (AuthenticationException exception) {
|
} catch (AuthenticationException exception) {
|
||||||
if(cacheWasUsed) {
|
if (cacheWasUsed) {
|
||||||
// There was a problem, so try again after checking
|
// There was a problem, so try again after checking
|
||||||
// we're using latest data (ie not from the cache)
|
// we're using latest data (ie not from the cache)
|
||||||
cacheWasUsed = false;
|
cacheWasUsed = false;
|
||||||
user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
|
user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
|
||||||
additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
|
additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
|
||||||
} else {
|
} else {
|
||||||
throw exception;
|
throw exception;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!user.isCredentialsNonExpired()) {
|
if (!user.isCredentialsNonExpired()) {
|
||||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
x
Reference in New Issue
Block a user