Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-07-12 21:33:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

allow special ROLE_ prefix to be overriden

Browse Source
This commit is contained in:
Colin Sampaleanu 2004-04-14 03:38:10 +00:00
parent a09f2a4c18
commit fad252b0fe
2 changed files with 80 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
core/src/main/java/org/acegisecurity/runas/RunAsManagerImpl.java
View File

@ -34,23 +34,40 @@ import java.util.Vector;
* *
* <p> * <p>
* Is activated if any {@link ConfigAttribute#getAttribute()} is prefixed with * Is activated if any {@link ConfigAttribute#getAttribute()} is prefixed with
* <Code>RUN_AS_</code>. If found, it generates a new {@link RunAsUserToken} * <Code>RUN_AS_</code>. If found, it generates a new {@link RunAsUserToken}
* containing the same principal, credentials and granted authorities as the * containing the same principal, credentials and granted authorities as the
* original {@link Authentication} object, along with {@link * original {@link Authentication} object, along with {@link
* GrantedAuthorityImpl}s for each <code>RUN_AS_</code> indicated. The created * GrantedAuthorityImpl}s for each <code>RUN_AS_</code> indicated. The created
* <code>GrantedAuthorityImpl</code>s will be prefixed with <code>ROLE_</code> * <code>GrantedAuthorityImpl</code>s will be prefixed with a special prefix
* indicating that it is a role (default prefix value is <code>ROLE_</code>),
* and then the remainder of the <code>RUN_AS_</code> keyword. For example, * and then the remainder of the <code>RUN_AS_</code> keyword. For example,
* <code>RUN_AS_FOO</code> will result in the creation of a granted authority * <code>RUN_AS_FOO</code> will result in the creation of a granted authority
* of <code>ROLE_RUN_AS_FOO</code>. * of <code>ROLE_RUN_AS_FOO</code>.
* </p> * </p>
* *
* <p>
* The role prefix may be overriden from the default, to match that used
* elsewhere, for example when using an existing role database with another
* prefix. An empty role prefix may also be specified. Note however that there
* are potential issues with using an empty role prefix since different
* categories of {@link net.sf.acegisecurity.ConfigAttribute} can not be
* properly discerned based on the prefix, with possible consequences when
* performing voting and other actions. However, this option may be of some
* use when using preexisting role names without a prefix, and no ability
* exists to prefix them with a role prefix on reading them in, such as
* provided for example in {@link
* net.sf.acegisecurity.providers.dao.jdbc.JdbcDaoImpl}.
* </p>
*
* @author Ben Alex * @author Ben Alex
* @author colin sampaleanu
* @version $Id$ * @version $Id$
*/ */
public class RunAsManagerImpl implements RunAsManager, InitializingBean { public class RunAsManagerImpl implements RunAsManager, InitializingBean {
//~ Instance fields ======================================================== //~ Instance fields ========================================================
private String key; private String key;
private String rolePrefix = "ROLE_";
//~ Methods ================================================================ //~ Methods ================================================================
@ -62,6 +79,20 @@ public class RunAsManagerImpl implements RunAsManager, InitializingBean {
return key; return key;
} }
/**
* Allows the default role prefix of <code>ROLE_</code> to be overriden.
* May be set to an empty value, although this is usually not desireable.
*
* @param rolePrefix the new prefix
*/
public void setRolePrefix(String rolePrefix) {
this.rolePrefix = rolePrefix;
}
public String getRolePrefix() {
return rolePrefix;
}
public void afterPropertiesSet() throws Exception { public void afterPropertiesSet() throws Exception {
if (key == null) { if (key == null) {
throw new IllegalArgumentException( throw new IllegalArgumentException(
@ -78,8 +109,8 @@ public class RunAsManagerImpl implements RunAsManager, InitializingBean {
ConfigAttribute attribute = (ConfigAttribute) iter.next(); ConfigAttribute attribute = (ConfigAttribute) iter.next();
if (this.supports(attribute)) { if (this.supports(attribute)) {
GrantedAuthorityImpl extraAuthority = new GrantedAuthorityImpl( GrantedAuthorityImpl extraAuthority = new GrantedAuthorityImpl(getRolePrefix()
"ROLE_" + attribute.getAttribute()); + attribute.getAttribute());
newAuthorities.add(extraAuthority); newAuthorities.add(extraAuthority);
} }
} }

54
core/src/main/java/org/acegisecurity/vote/RoleVoter.java
View File

@ -23,16 +23,33 @@ import java.util.Iterator;
/** /**
* Votes if any {@link ConfigAttribute#getAttribute()} is prefixed with * <p>
* <Code>ROLE_</code>. * Votes if any {@link ConfigAttribute#getAttribute()} starts with a prefix
* indicating that it is a role. The default prefix string is
* <Code>ROLE_</code>, but this may be overriden to any value. It may also be
* set to empty, which means that essentially any attribute will be voted on.
* As described further below, the effect of an empty prefix may not be quite
* desireable.
* </p>
* *
* <p> * <p>
* Abstains from voting if no configuration attribute commences with * Abstains from voting if no configuration attribute commences with the role
* <code>ROLE_</code>. Votes to grant access if there is an exact matching * prefix. Votes to grant access if there is an exact matching {@link
* {@link net.sf.acegisecurity.GrantedAuthority} to a * net.sf.acegisecurity.GrantedAuthority} to a <code>ConfigAttribute</code>
* <code>ConfigAttribute</code> starting with <code>ROLE_</code>. Votes to * starting with the role prefix. Votes to deny access if there is no exact
* deny access if there is no exact matching <code>GrantedAuthority</code> to * matching <code>GrantedAuthority</code> to a <code>ConfigAttribute</code>
* a <code>ConfigAttribute</code> starting with <code>ROLE_</code>. * starting with the role prefix.
* </p>
*
* <p>
* An empty role prefix means that the voter will vote for every
* ConfigAttribute. When there are different categories of ConfigAttributes
* used, this will not be optimal since the voter will be voting for
* attributes which do not represent roles. However, this option may be of
* some use when using preexisting role names without a prefix, and no ability
* exists to prefix them with a role prefix on reading them in, such as
* provided for example in {@link
* net.sf.acegisecurity.providers.dao.jdbc.JdbcDaoImpl}.
* </p> * </p>
* *
* <p> * <p>
@ -40,14 +57,33 @@ import java.util.Iterator;
* </p> * </p>
* *
* @author Ben Alex * @author Ben Alex
* @author colin sampaleanu
* @version $Id$ * @version $Id$
*/ */
public class RoleVoter implements AccessDecisionVoter { public class RoleVoter implements AccessDecisionVoter {
//~ Instance fields ========================================================
private String rolePrefix = "ROLE_";
//~ Methods ================================================================ //~ Methods ================================================================
/**
* Allows the default role prefix of <code>ROLE_</code> to be overriden.
* May be set to an empty value, although this is usually not desireable.
*
* @param rolePrefix the new prefix
*/
public void setRolePrefix(String rolePrefix) {
this.rolePrefix = rolePrefix;
}
public String getRolePrefix() {
return rolePrefix;
}
public boolean supports(ConfigAttribute attribute) { public boolean supports(ConfigAttribute attribute) {
if ((attribute.getAttribute() != null) if ((attribute.getAttribute() != null)
&& attribute.getAttribute().startsWith("ROLE_")) { && attribute.getAttribute().startsWith(getRolePrefix())) {
return true; return true;
} else { } else {
return false; return false;