diff --git a/core/src/main/java/org/acegisecurity/runas/RunAsManagerImpl.java b/core/src/main/java/org/acegisecurity/runas/RunAsManagerImpl.java
index 67238ff8c7..8c4471b361 100644
--- a/core/src/main/java/org/acegisecurity/runas/RunAsManagerImpl.java
+++ b/core/src/main/java/org/acegisecurity/runas/RunAsManagerImpl.java
@@ -34,23 +34,40 @@ import java.util.Vector; * *

* Is activated if any {@link ConfigAttribute#getAttribute()} is prefixed with - * RUN_AS_. If found, it generates a new {@link RunAsUserToken} + * RUN_AS_. If found, it generates a new {@link RunAsUserToken} * containing the same principal, credentials and granted authorities as the * original {@link Authentication} object, along with {@link * GrantedAuthorityImpl}s for each RUN_AS_ indicated. The created - * GrantedAuthorityImpls will be prefixed with ROLE_ + * GrantedAuthorityImpls will be prefixed with a special prefix + * indicating that it is a role (default prefix value is ROLE_), * and then the remainder of the RUN_AS_ keyword. For example, * RUN_AS_FOO will result in the creation of a granted authority * of ROLE_RUN_AS_FOO. *

+ *
+ *

+ * The role prefix may be overriden from the default, to match that used
+ * elsewhere, for example when using an existing role database with another
+ * prefix. An empty role prefix may also be specified. Note however that there
+ * are potential issues with using an empty role prefix since different
+ * categories of {@link net.sf.acegisecurity.ConfigAttribute} can not be
+ * properly discerned based on the prefix, with possible consequences when
+ * performing voting and other actions. However, this option may be of some
+ * use when using preexisting role names without a prefix, and no ability
+ * exists to prefix them with a role prefix on reading them in, such as
+ * provided for example in {@link
+ * net.sf.acegisecurity.providers.dao.jdbc.JdbcDaoImpl}.
+ *

* * @author Ben Alex + * @author colin sampaleanu * @version $Id$ */ public class RunAsManagerImpl implements RunAsManager, InitializingBean { //~ Instance fields ======================================================== private String key; + private String rolePrefix = "ROLE_"; //~ Methods ================================================================
@@ -62,6 +79,20 @@ public class RunAsManagerImpl implements RunAsManager, InitializingBean { return key; } + /** + * Allows the default role prefix of ROLE_ to be overriden. + * May be set to an empty value, although this is usually not desireable. + * + * @param rolePrefix the new prefix + */ + public void setRolePrefix(String rolePrefix) { + this.rolePrefix = rolePrefix; + } + + public String getRolePrefix() { + return rolePrefix; + } + public void afterPropertiesSet() throws Exception { if (key == null) { throw new IllegalArgumentException(
@@ -78,8 +109,8 @@ public class RunAsManagerImpl implements RunAsManager, InitializingBean { ConfigAttribute attribute = (ConfigAttribute) iter.next(); if (this.supports(attribute)) { - GrantedAuthorityImpl extraAuthority = new GrantedAuthorityImpl( - "ROLE_" + attribute.getAttribute()); + GrantedAuthorityImpl extraAuthority = new GrantedAuthorityImpl(getRolePrefix() + + attribute.getAttribute()); newAuthorities.add(extraAuthority); } }
diff --git a/core/src/main/java/org/acegisecurity/vote/RoleVoter.java b/core/src/main/java/org/acegisecurity/vote/RoleVoter.java
index f0baada65f..8dc961d914 100644
--- a/core/src/main/java/org/acegisecurity/vote/RoleVoter.java
+++ b/core/src/main/java/org/acegisecurity/vote/RoleVoter.java
@@ -23,16 +23,33 @@ import java.util.Iterator; /** - * Votes if any {@link ConfigAttribute#getAttribute()} is prefixed with - * ROLE_. + *
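Review bot: `setRolePrefix` in RunAsManagerImpl (second hunk) stores its argument unchecked, so a null prefix is not rejected and the third hunk's `getRolePrefix() + attribute.getAttribute()` would build an authority whose name starts with the literal text `null`. The visible part of `afterPropertiesSet` validates `key` only; a guard at the top of the setter, `if (rolePrefix == null) { throw new IllegalArgumentException("rolePrefix must not be null"); }`, would surface the misconfiguration at wiring time instead. The same unchecked setter is added to RoleVoter, where a null prefix reaches `startsWith(getRolePrefix())` and throws a NullPointerException while voting. `getRolePrefix()` has no Javadoc in either class, and both `afterPropertiesSet` and the loop in the third hunk continue outside the hunks shown.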

+ * Votes if any {@link ConfigAttribute#getAttribute()} starts with a prefix
+ * indicating that it is a role. The default prefix string is
+ * ROLE_, but this may be overriden to any value. It may also be
+ * set to empty, which means that essentially any attribute will be voted on.
+ * As described further below, the effect of an empty prefix may not be quite
+ * desireable.
+ *

* *

- * Abstains from voting if no configuration attribute commences with
- * ROLE_. Votes to grant access if there is an exact matching
- * {@link net.sf.acegisecurity.GrantedAuthority} to a
- * ConfigAttribute starting with ROLE_. Votes to
- * deny access if there is no exact matching GrantedAuthority to
- * a ConfigAttribute starting with ROLE_.
+ * Abstains from voting if no configuration attribute commences with the role
+ * prefix. Votes to grant access if there is an exact matching {@link
+ * net.sf.acegisecurity.GrantedAuthority} to a ConfigAttribute
+ * starting with the role prefix. Votes to deny access if there is no exact
+ * matching GrantedAuthority to a ConfigAttribute
+ * starting with the role prefix.
+ *

+ *
+ *

+ * An empty role prefix means that the voter will vote for every
+ * ConfigAttribute. When there are different categories of ConfigAttributes
+ * used, this will not be optimal since the voter will be voting for
+ * attributes which do not represent roles. However, this option may be of
+ * some use when using preexisting role names without a prefix, and no ability
+ * exists to prefix them with a role prefix on reading them in, such as
+ * provided for example in {@link
+ * net.sf.acegisecurity.providers.dao.jdbc.JdbcDaoImpl}.
 *

* *

@@ -40,14 +57,33 @@ import java.util.Iterator; *

* * @author Ben Alex + * @author colin sampaleanu * @version $Id$ */ public class RoleVoter implements AccessDecisionVoter { + //~ Instance fields ======================================================== + + private String rolePrefix = "ROLE_"; + //~ Methods ================================================================ + /** + * Allows the default role prefix of ROLE_ to be overriden. + * May be set to an empty value, although this is usually not desireable. + * + * @param rolePrefix the new prefix + */ + public void setRolePrefix(String rolePrefix) { + this.rolePrefix = rolePrefix; + } + + public String getRolePrefix() { + return rolePrefix; + } + public boolean supports(ConfigAttribute attribute) { if ((attribute.getAttribute() != null) - && attribute.getAttribute().startsWith("ROLE_")) { + && attribute.getAttribute().startsWith(getRolePrefix())) { return true; } else { return false;
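Review bot: With an empty prefix, `attribute.getAttribute().startsWith(getRolePrefix())` in `supports` is true for every non-null attribute, so this voter also claims attributes written for other components and, per the class Javadoc, votes to deny when no granted authority matches them exactly. The setter's Javadoc only calls an empty value "usually not desireable"; it should spell out that consequence at the point where the value is configured. It should also say that the prefix is presumably expected to match the `rolePrefix` set on RunAsManagerImpl, since the two properties are configured independently and nothing visible here ties them together. Suggested addition to the setter Javadoc: `An empty prefix makes this voter vote on every ConfigAttribute; keep the value consistent with RunAsManagerImpl#setRolePrefix.` `getRolePrefix()` is undocumented, and the body of `supports` closes outside the hunk.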