Separating security into a part that depends only on the JPA and into a
diff --git a/security/impl/src/main/java/org/wamblee/security/authorization/DefaultAuthorizationService.java b/security/impl/src/main/java/org/wamblee/security/authorization/DefaultAuthorizationService.java
new file mode 100644 (file)
index 0000000..c5a8d8f
--- /dev/null
@@ -0,0 +1,190 @@
+/*
+ * Copyright 2005-2010 the original author or authors.
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */ 
+package org.wamblee.security.authorization;
+
+import org.wamblee.persistence.AbstractPersistent;
+
+import org.wamblee.usermgt.User;
+import org.wamblee.usermgt.UserAccessor;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Default implementation of an authorization service. To determine whether
+ * access to a resource is allowed, the service consults a number of
+ * authorization rules in a fixed order. The first rule that gives a result
+ * GRANTED or DENIED determines the result of the evaluation. Rules that return
+ * any other result are ignoed. If none of the rules match, than access is
+ * denied.
+ * 
+ * @author Erik Brakkee
+ */
+public class DefaultAuthorizationService extends AbstractPersistent implements
+    AuthorizationService {
+    /**
+     * List of ordered authorization rules.
+     */
+    private List<AuthorizationRule> rules;
+
+    /**
+     * User accessor used to obtain the current user.
+     */
+    private UserAccessor userAccessor;
+
+    /**
+     * Name for this instance of the authorization service.
+     */
+    private String name;
+
+    /**
+     * Constructs the service.
+     * 
+     * @param aAccessor
+     *            User accessor.
+     * @param aName
+     *            Name of this instance of the service.
+     */
+    public DefaultAuthorizationService(UserAccessor aAccessor, String aName) {
+        rules = new ArrayList<AuthorizationRule>();
+        userAccessor = aAccessor;
+        name = aName;
+    }
+
+    /**
+     * Constructs the authorization service.
+     */
+    public DefaultAuthorizationService() {
+        rules = new ArrayList<AuthorizationRule>();
+        userAccessor = null;
+        name = null;
+    }
+
+    /**
+     * Sets the user accessor.
+     * 
+     * @param aUserAccessor
+     *            User accessor.
+     */
+    public void setUserAccessor(UserAccessor aUserAccessor) {
+        userAccessor = aUserAccessor;
+    }
+
+    /*
+     * (non-Javadoc)
+     * 
+     * @see
+     * org.wamblee.security.authorization.AuthorizationService#isAllowed(java
+     * .lang.Object, org.wamblee.security.authorization.Operation)
+     */
+    public boolean isAllowed(Object aResource, Operation aOperation) {
+        User user = userAccessor.getCurrentUser();
+
+        for (AuthorizationRule rule : rules) {
+            switch (rule.isAllowed(aResource, aOperation, user)) {
+            case DENIED:
+                return false;
+
+            case GRANTED:
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /*
+     * (non-Javadoc)
+     * 
+     * @see org.wamblee.security.authorization.AuthorizationService#check(T,
+     * org.wamblee.security.authorization.Operation)
+     */
+    public <T> T check(T aResource, Operation aOperation) {
+        if (!isAllowed(aResource, aOperation)) {
+            throw new AuthorizationException(aResource, aOperation);
+        }
+
+        return aResource;
+    }
+
+    protected String getName() {
+        return name;
+    }
+
+    public void setName(String aName) {
+        name = aName;
+    }
+
+    /*
+     * (non-Javadoc)
+     * 
+     * @see org.wamblee.security.authorization.AuthorizationService#getRules()
+     */
+    public AuthorizationRule[] getRules() {
+        return rules.toArray(new AuthorizationRule[0]);
+    }
+
+    /*
+     * (non-Javadoc)
+     * 
+     * @see
+     * org.wamblee.security.authorization.AuthorizationService#appendRule(org
+     * .wamblee.security.authorization.AuthorizationRule)
+     */
+    public void appendRule(AuthorizationRule aRule) {
+        rules.add(aRule);
+    }
+
+    /*
+     * (non-Javadoc)
+     * 
+     * @see
+     * org.wamblee.security.authorization.AuthorizationService#insertRuleAfter
+     * (int, org.wamblee.security.authorization.AuthorizationRule)
+     */
+    public void insertRuleAfter(int aIndex, AuthorizationRule aRule) {
+        rules.add(aIndex, aRule);
+    }
+
+    /*
+     * (non-Javadoc)
+     * 
+     * @see
+     * org.wamblee.security.authorization.AuthorizationService#removeRule(int)
+     */
+    public void removeRule(int aIndex) {
+        rules.remove(aIndex);
+    }
+
+    /**
+     * For OR mapping.
+     * 
+     * @return The rules.
+     */
+    protected List<AuthorizationRule> getMappedRules() {
+        return rules;
+    }
+
+    /**
+     * For OR mapping.
+     * 
+     * @param aRules
+     *            The rules.
+     */
+    protected void setMappedRules(List<AuthorizationRule> aRules) {
+        rules = aRules;
+    }
+}
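Review bot: `insertRuleAfter` calls `rules.add(aIndex, aRule)`, which puts the new rule at position `aIndex`, ahead of the rule currently at that index rather than after it. Because `isAllowed` returns on the first GRANTED or DENIED result, a one-position shift can change which rule decides access. If the `AuthorizationService` contract (not visible in this diff) really means "after", the call should be `rules.add(aIndex + 1, aRule);`, and either way the method deserves a comment stating where the rule lands. Separately, the no-argument constructor leaves `userAccessor` null, so `isAllowed` fails with a bare NullPointerException at `userAccessor.getCurrentUser()` until `setUserAccessor` has been called. A guard such as `if (userAccessor == null) throw new IllegalStateException("userAccessor not set");` would keep the check failing closed while making the misconfiguration obvious.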