allow special ROLE_ prefix to be overriden

2025-07-12 13:23:29 +00:00 · 2004-04-14 03:38:10 +00:00 · 2004-04-14 03:38:10 +00:00 · fad252b0fe
commit fad252b0fe
parent a09f2a4c18
2 changed files with 80 additions and 13 deletions
--- a/core/src/main/java/org/acegisecurity/runas/RunAsManagerImpl.java
+++ b/core/src/main/java/org/acegisecurity/runas/RunAsManagerImpl.java
@ -38,19 +38,36 @@ import java.util.Vector;
 * containing the same principal, credentials and granted authorities as the
 * original {@link Authentication} object, along with {@link
 * GrantedAuthorityImpl}s for each <code>RUN_AS_</code> indicated. The created
- * <code>GrantedAuthorityImpl</code>s will be prefixed with <code>ROLE_</code>
+ * <code>GrantedAuthorityImpl</code>s will be prefixed with a special prefix
+ * indicating that it is a role (default prefix value is <code>ROLE_</code>),
 * and then the remainder of the <code>RUN_AS_</code> keyword. For example,
 * <code>RUN_AS_FOO</code> will result in the creation of a granted authority
 * of <code>ROLE_RUN_AS_FOO</code>.
 * </p>
 * 
+ * <p>
+ * The role prefix may be overriden from the default, to match that used
+ * elsewhere, for example when using an existing role database with another
+ * prefix. An empty role prefix may also be specified. Note however that there
+ * are potential issues with using an empty role prefix since different
+ * categories of  {@link net.sf.acegisecurity.ConfigAttribute} can not be
+ * properly discerned based on the prefix, with possible consequences when
+ * performing voting and other actions. However, this option may be of some
+ * use when using preexisting role names without a prefix, and no ability
+ * exists to prefix them with a role prefix on reading them in, such as
+ * provided for example in  {@link
+ * net.sf.acegisecurity.providers.dao.jdbc.JdbcDaoImpl}.
+ * </p>
+ *
 * @author Ben Alex
+ * @author colin sampaleanu
 * @version $Id$
 */
 public class RunAsManagerImpl implements RunAsManager, InitializingBean {
    //~ Instance fields ========================================================

    private String key;
+    private String rolePrefix = "ROLE_";

    //~ Methods ================================================================

@ -62,6 +79,20 @@ public class RunAsManagerImpl implements RunAsManager, InitializingBean {
        return key;
    }

+    /**
+     * Allows the default role prefix of <code>ROLE_</code> to be overriden.
+     * May be set to an empty value, although this is usually not desireable.
+     *
+     * @param rolePrefix the new prefix
+     */
+    public void setRolePrefix(String rolePrefix) {
+        this.rolePrefix = rolePrefix;
+    }
+
+    public String getRolePrefix() {
+        return rolePrefix;
+    }
+
    public void afterPropertiesSet() throws Exception {
        if (key == null) {
            throw new IllegalArgumentException(
@ -78,8 +109,8 @@ public class RunAsManagerImpl implements RunAsManager, InitializingBean {
            ConfigAttribute attribute = (ConfigAttribute) iter.next();

            if (this.supports(attribute)) {
-                GrantedAuthorityImpl extraAuthority = new GrantedAuthorityImpl(
-                        "ROLE_" + attribute.getAttribute());
+                GrantedAuthorityImpl extraAuthority = new GrantedAuthorityImpl(getRolePrefix()
+                        + attribute.getAttribute());
                newAuthorities.add(extraAuthority);
            }
        }
--- a/core/src/main/java/org/acegisecurity/vote/RoleVoter.java
+++ b/core/src/main/java/org/acegisecurity/vote/RoleVoter.java
@ -23,16 +23,33 @@ import java.util.Iterator;


 /**
- * Votes if any {@link ConfigAttribute#getAttribute()} is prefixed with
- * <Code>ROLE_</code>.
+ * <p>
+ * Votes if any {@link ConfigAttribute#getAttribute()} starts with a prefix
+ * indicating that it is a role. The default prefix string is
+ * <Code>ROLE_</code>, but this may be overriden to any value. It may also be
+ * set to empty, which means that essentially any attribute will be voted on.
+ * As described further below, the effect of an empty prefix may not be quite
+ * desireable.
+ * </p>
 * 
 * <p>
- * Abstains from voting if no configuration attribute commences with
- * <code>ROLE_</code>. Votes to grant access if there is an exact matching
- * {@link net.sf.acegisecurity.GrantedAuthority} to a
- * <code>ConfigAttribute</code> starting with <code>ROLE_</code>. Votes to
- * deny access if there is no exact matching <code>GrantedAuthority</code>  to
- * a <code>ConfigAttribute</code> starting with <code>ROLE_</code>.
+ * Abstains from voting if no configuration attribute commences with the  role
+ * prefix. Votes to grant access if there is an exact matching {@link
+ * net.sf.acegisecurity.GrantedAuthority} to a <code>ConfigAttribute</code>
+ * starting with the role prefix. Votes to deny access if there is no exact
+ * matching <code>GrantedAuthority</code>  to a <code>ConfigAttribute</code>
+ * starting with the role prefix.
+ * </p>
+ * 
+ * <p>
+ * An empty role prefix means that the voter will vote for every
+ * ConfigAttribute. When there are different categories of ConfigAttributes
+ * used, this will not be optimal since the voter will be voting for
+ * attributes which do not represent roles. However, this option may be of
+ * some use when using preexisting role names without a prefix, and no ability
+ * exists to prefix them with a role prefix on reading them in, such as
+ * provided for example in  {@link
+ * net.sf.acegisecurity.providers.dao.jdbc.JdbcDaoImpl}.
 * </p>
 * 
 * <p>
@ -40,14 +57,33 @@ import java.util.Iterator;
 * </p>
 *
 * @author Ben Alex
+ * @author colin sampaleanu
 * @version $Id$
 */
 public class RoleVoter implements AccessDecisionVoter {
+    //~ Instance fields ========================================================
+
+    private String rolePrefix = "ROLE_";
+
    //~ Methods ================================================================

+    /**
+     * Allows the default role prefix of <code>ROLE_</code> to be overriden.
+     * May be set to an empty value, although this is usually not desireable.
+     *
+     * @param rolePrefix the new prefix
+     */
+    public void setRolePrefix(String rolePrefix) {
+        this.rolePrefix = rolePrefix;
+    }
+
+    public String getRolePrefix() {
+        return rolePrefix;
+    }
+
    public boolean supports(ConfigAttribute attribute) {
        if ((attribute.getAttribute() != null)
-            && attribute.getAttribute().startsWith("ROLE_")) {
+            && attribute.getAttribute().startsWith(getRolePrefix())) {
            return true;
        } else {
            return false;