--- /dev/null
+/*
+ * Copyright 2005-2010 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.wamblee.security.authorization;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.persistence.CascadeType;
+import javax.persistence.DiscriminatorValue;
+import javax.persistence.Entity;
+import javax.persistence.JoinColumn;
+import javax.persistence.JoinTable;
+import javax.persistence.OneToMany;
+import javax.persistence.OrderColumn;
+import javax.persistence.Transient;
+
+import org.wamblee.security.authentication.UserAccessor;
+import org.wamblee.security.authentication.UserAdministration;
+
+/**
+ * Default implementation of an authorization service. To determine whether
+ * access to a resource is allowed, the service consults a number of
+ * authorization rules in a fixed order. The first rule that gives a result
+ * GRANTED or DENIED determines the result of the evaluation. Rules that return
+ * any other result are ignoed. If none of the rules match, than access is
+ * denied.
+ *
+ * @author Erik Brakkee
+ */
+@Entity
+@DiscriminatorValue("DEFAULT")
+public class DefaultAuthorizationService extends AbstractAuthorizationService {
+
+ /**
+ * List of ordered authorization rules.
+ */
+ @OneToMany(cascade = CascadeType.ALL, orphanRemoval = true, targetEntity = AbstractAuthorizationRule.class)
+ @JoinTable(name = "SEC_AUTH_SVC_RULE", joinColumns = { @JoinColumn(name = "SVC_ID") }, inverseJoinColumns = { @JoinColumn(name = "RULE_ID") })
+ @OrderColumn(name = "RULE_INDEX")
+ private List<AuthorizationRule> rules;
+
+ /**
+ * User accessor used to obtain the current user.
+ */
+ @Transient
+ private UserAccessor userAccessor;
+
+ @Transient
+ private UserAdministration userAdmin;
+
+ /**
+ * Constructs the service.
+ *
+ * @param aAccessor
+ * User accessor.
+ * @param aUserAdmin
+ * User administration.
+ * @param aName
+ * Name of this instance of the service.
+ */
+ public DefaultAuthorizationService(UserAccessor aAccessor,
+ UserAdministration aUserAdmin, String aName) {
+ super(aName);
+ rules = new ArrayList<AuthorizationRule>();
+ userAccessor = aAccessor;
+ userAdmin = aUserAdmin;
+ }
+
+ /**
+ * Constructs the authorization service.
+ */
+ public DefaultAuthorizationService() {
+ rules = new ArrayList<AuthorizationRule>();
+ userAccessor = null;
+ userAdmin = null;
+ }
+
+ @Override
+ public void setUserAccessor(UserAccessor aUserAccessor) {
+ userAccessor = aUserAccessor;
+ }
+
+ @Override
+ public void setUserAdministration(UserAdministration aUserAdmin) {
+ userAdmin = aUserAdmin;
+ for (AuthorizationRule rule : rules) {
+ rule.setUserAdministration(userAdmin);
+ }
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see
+ * org.wamblee.security.authorization.AuthorizationService#isAllowed(java
+ * .lang.Object, org.wamblee.security.authorization.Operation)
+ */
+ public boolean isAllowed(Object aResource, Operation aOperation) {
+ String user = userAccessor.getCurrentUser();
+
+ for (AuthorizationRule rule : rules) {
+ switch (rule.isAllowed(aResource, aOperation, user)) {
+ case DENIED:
+ return false;
+
+ case GRANTED:
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.wamblee.security.authorization.AuthorizationService#check(T,
+ * org.wamblee.security.authorization.Operation)
+ */
+ public <T> T check(T aResource, Operation aOperation) {
+ if (!isAllowed(aResource, aOperation)) {
+ throw new AuthorizationException(aResource, aOperation);
+ }
+
+ return aResource;
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.wamblee.security.authorization.AuthorizationService#getRules()
+ */
+ public AuthorizationRule[] getRules() {
+ return rules.toArray(new AbstractAuthorizationRule[0]);
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see
+ * org.wamblee.security.authorization.AuthorizationService#appendRule(org
+ * .wamblee.security.authorization.AuthorizationRule)
+ */
+ public void appendRule(AuthorizationRule aRule) {
+ aRule.setUserAdministration(userAdmin);
+ rules.add(aRule);
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see
+ * org.wamblee.security.authorization.AuthorizationService#insertRuleAfter
+ * (int, org.wamblee.security.authorization.AuthorizationRule)
+ */
+ public void insertRuleAfter(int aIndex, AuthorizationRule aRule) {
+ aRule.setUserAdministration(userAdmin);
+ rules.add(aIndex, aRule);
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see
+ * org.wamblee.security.authorization.AuthorizationService#removeRule(int)
+ */
+ public void removeRule(int aIndex) {
+ rules.remove(aIndex);
+ }
+
+ /**
+ * For OR mapping.
+ *
+ * @return The rules.
+ */
+ protected List<AuthorizationRule> getMappedRules() {
+ return rules;
+ }
+
+ /**
+ * For OR mapping.
+ *
+ * @param aRules
+ * The rules.
+ */
+ protected void setMappedRules(List<AuthorizationRule> aRules) {
+ rules = aRules;
+ for (AuthorizationRule rule : rules) {
+ rule.setUserAdministration(userAdmin);
+ }
+ }
+}
git://wamblee.org / utils / blobdiff