2 * Copyright 2005-2010 the original author or authors.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
16 package org.wamblee.security.authorization;
18 import org.apache.log4j.Logger;
20 import org.wamblee.persistence.AbstractPersistent;
21 import static org.wamblee.security.authorization.AuthorizationResult.DENIED;
22 import static org.wamblee.security.authorization.AuthorizationResult.GRANTED;
23 import static org.wamblee.security.authorization.AuthorizationResult.UNDECIDED;
24 import static org.wamblee.security.authorization.AuthorizationResult.UNSUPPORTED_RESOURCE;
26 import org.wamblee.usermgt.User;
* Utility base class for implementation of authorization rules based on the
31 * <li>The path of the resource. To obtain the path of a resource, subclasses
32 * must implement {@link #getResourcePath(Object)}. Whether a path is
33 * appropriate is determined by a
34 * {@link org.wamblee.security.authorization.PathCondition}.</li>
35 * <li>The user identity with which the resource is accessed. Whether a user is
36 * appropriate is determined by a
37 * {@link org.wamblee.security.authorization.UserCondition}.</li>
38 * <li>The operation that is requested. Whether the operation is appropriate is
39 * determined by a {@link org.wamblee.security.authorization.OperationCondition}
* In case all three conditions match, the rule returns the configured
* result passed at construction (GRANTED or DENIED). If the resource is not of
44 * the specified type, the result is UNSUPPORTED_RESOURCE, otherwise, the result
47 public abstract class UrlAuthorizationRule extends AbstractPersistent implements
49 private static final Logger LOGGER = Logger
50 .getLogger(UrlAuthorizationRule.class);
53 * Result that the rule will return in case there is a match.
55 private AuthorizationResult result;
58 * A condition which specifies which users the rule is for.
60 private UserCondition userCondition;
63 * Path the rule applies for.
65 private PathCondition pathCondition;
68 * Resource class that the rule applies for.
70 private Class resourceClass;
73 * Operation that this rule is for.
75 private OperationCondition operationCondition;
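/**
 * Constructs an authorization rule. If the user, path and operation
 * conditions all match, {@code aResult} is what
 * {@link #isAllowed(String, Operation, User)} returns.
 *
 * @param aResult
 *            Result of the authorization when all conditions match. Only
 *            GRANTED or DENIED are accepted: a rule is either a permission or
 *            a prohibition, never a "no opinion".
 * @param aUserCondition
 *            Condition to match users.
 * @param aPathCondition
 *            Condition to match paths with.
 * @param aResourceClass
 *            Supported resource class this is for.
 * @param aOperationCondition
 *            Condition to match the operation with.
 * @throws IllegalArgumentException
 *             if aResult is null or is neither GRANTED nor DENIED.
 */
protected UrlAuthorizationRule(AuthorizationResult aResult,
    UserCondition aUserCondition, PathCondition aPathCondition,
    Class aResourceClass, OperationCondition aOperationCondition) {
    // Enum identity comparison: a null aResult is reported as an illegal
    // argument instead of surfacing as a NullPointerException from equals().
    if (aResult != GRANTED && aResult != DENIED) {
        throw new IllegalArgumentException(
            "Only GRANTED or DENIED may be used: " + aResult);
    }
    result = aResult;
    // The conditions and the resource class are stored as given. They are
    // not validated here: a null condition makes
    // isAllowed(String, Operation, User) throw a NullPointerException when
    // the rule is evaluated, and a null resource class does the same in
    // isAllowed(Object, Operation, User).
    userCondition = aUserCondition;
    pathCondition = aPathCondition;
    resourceClass = aResourceClass;
    operationCondition = aOperationCondition;
}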
/**
 * Constructs a rule that only knows its resource class. The user, path and
 * operation conditions are left null and can be supplied later through the
 * protected setters; the result is not touched by this constructor. Until
 * the conditions are set, evaluating the rule throws a NullPointerException.
 *
 * @param aResourceClass
 *            Resource class the rule applies to.
 */
protected UrlAuthorizationRule(Class aResourceClass) {
    this.resourceClass = aResourceClass;
    this.userCondition = null;
    this.pathCondition = null;
    this.operationCondition = null;
}
/**
 * No-argument constructor. Presumably required by the OR mapping, which
 * then populates the rule through the string accessors and the protected
 * setters (to be confirmed against the mapping configuration). All fields
 * are left null, so the rule is not evaluable until they have been set.
 */
protected UrlAuthorizationRule() {
    // Same effect as nulling every condition by hand.
    this((Class) null);
}
/**
 * Returns the single resource class this rule was configured for. If the
 * resource class has not been set, the array contains one null entry.
 *
 * @see org.wamblee.security.authorization.AuthorizationRule#getSupportedTypes()
 */
public Class[] getSupportedTypes() {
    Class[] types = new Class[1];
    types[0] = resourceClass;
    return types;
}
/**
 * Evaluates the rule for a resource object. The resource is first checked
 * against the configured resource class; only a matching resource is
 * converted to a path and handed to
 * {@link #isAllowed(String, Operation, User)}.
 *
 * @param aResource
 *            Resource to authorize. A null resource is never an instance of
 *            the resource class and therefore yields UNSUPPORTED_RESOURCE.
 * @param aOperation
 *            Operation to be done.
 * @param aUser
 *            Currently logged in user or null if no user is logged in.
 * @return UNSUPPORTED_RESOURCE when the resource is not of the configured
 *         class, otherwise the outcome of the path based evaluation.
 * @throws NullPointerException
 *             if no resource class has been set on this rule.
 * @see org.wamblee.security.authorization.AuthorizationRule#isAllowed(java.lang.Object,
 *      org.wamblee.security.authorization.Operation)
 */
public AuthorizationResult isAllowed(Object aResource,
    Operation aOperation, User aUser) {
    boolean supported = resourceClass.isInstance(aResource);
    if (supported) {
        String path = getResourcePath(aResource);
        return isAllowed(path, aOperation, aUser);
    }
    return UNSUPPORTED_RESOURCE;
}
/**
 * Determines if the operation is allowed on the resource identified by its
 * path. The path, operation and user conditions are evaluated in that order
 * and the first one that does not match ends the evaluation.
 *
 * @param aPath
 *            Path of the resource.
 * @param aOperation
 *            Operation to be done.
 * @param aUser
 *            Currently logged in user or null if no user is logged in. The
 *            null is passed straight to the user condition, which must be
 *            able to handle it (not verified here).
 * @return The configured result (GRANTED or DENIED) when all three
 *         conditions match, UNDECIDED otherwise. If the rule was created
 *         through the no-argument constructor and no result was set, a full
 *         match returns null; callers must not read null as a grant.
 * @throws NullPointerException
 *             if any of the three conditions has not been set.
 */
protected AuthorizationResult isAllowed(String aPath, Operation aOperation,
    User aUser) {
    // Short-circuit && preserves the original order: path, operation, user.
    boolean allMatch = pathCondition.matches(aPath)
        && operationCondition.matches(aOperation)
        && userCondition.matches(aUser);
    return allMatch ? result : UNDECIDED;
}
/**
 * Gets the path of the resource. Subclasses supply the mapping from a
 * resource object to the path that the {@link PathCondition} is matched
 * against.
 *
 * @param aResource
 *            Resource, guaranteed to be an instance of
 *            {@link #resourceClass}: {@link #isAllowed(Object, Operation, User)}
 *            checks this before calling here.
 * @return Path of the resource.
 */
protected abstract String getResourcePath(Object aResource);
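/**
 * Renders the rule for logging and debugging. All four components of the
 * decision are included, so that a logged rule shows its operation condition
 * as well as its path and user conditions and its resource class.
 *
 * @see java.lang.Object#toString()
 */
public String toString() {
    return "UrlAuthorizationRule(result = " + result + ", pathCondition = "
        + pathCondition + ", userCondition = " + userCondition
        + ", operationCondition = " + operationCondition
        + ", resourceClass = " + resourceClass + ")";
}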
/**
 * Gets the authorization result as a string, for OR mapping.
 *
 * @return Name of the configured result, or null when no result has been
 *         set.
 */
protected String getAuthorizationResultString() {
    AuthorizationResult current = result;
    return current != null ? current.toString() : null;
}
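/**
 * Sets the authorization result from its string form, for OR mapping.
 * The same invariant as the constructor is enforced: only GRANTED or DENIED
 * are accepted. Without this check a persisted value of UNDECIDED or
 * UNSUPPORTED_RESOURCE would be loaded unchecked, bypassing the validation
 * the constructor performs.
 *
 * @param aResult
 *            Name of an {@link AuthorizationResult} constant.
 * @throws IllegalArgumentException
 *             if the name is not a known constant, or is a constant other
 *             than GRANTED or DENIED.
 * @throws NullPointerException
 *             if aResult is null (thrown by valueOf).
 */
protected void setAuthorizationResultString(String aResult) {
    AuthorizationResult parsed = AuthorizationResult.valueOf(aResult);
    if (parsed != GRANTED && parsed != DENIED) {
        throw new IllegalArgumentException(
            "Only GRANTED or DENIED may be used: " + parsed);
    }
    result = parsed;
}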
/**
 * Gets the fully qualified name of the resource class, for OR mapping.
 *
 * @return Class name, or null when no resource class has been set.
 */
protected String getResourceClassName() {
    Class clazz = resourceClass;
    if (clazz != null) {
        return clazz.getName();
    }
    return null;
}
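/**
 * Sets the resource class from its fully qualified name, for OR mapping.
 * The name comes from the persistent store, so the class is resolved with
 * initialize=false: the rule only needs the Class object for isInstance
 * checks, and static initializers of a class named by stored data are not
 * run as a side effect of loading a rule. The class loader is that of
 * UrlAuthorizationRule, which is the loader the one-argument
 * Class.forName used here would pick as well.
 *
 * @param aResourceClass
 *            Fully qualified class name.
 * @throws IllegalArgumentException
 *             if the class cannot be found; the ClassNotFoundException is
 *             kept as the cause.
 */
protected void setResourceClassName(String aResourceClass) {
    try {
        resourceClass = Class.forName(aResourceClass, false,
            UrlAuthorizationRule.class.getClassLoader());
    } catch (ClassNotFoundException e) {
        LOGGER.error("Cannot find resource class '" + aResourceClass + "'",
            e);
        throw new IllegalArgumentException(e.getMessage(), e);
    }
}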
/**
 * Returns the condition that selects the operations this rule applies to.
 *
 * @return The operation condition, or null if none has been set.
 */
public OperationCondition getOperationCondition() {
    return this.operationCondition;
}
/**
 * Replaces the operation condition. Protected because it is meant for
 * subclasses and the OR mapping, not for callers of the rule.
 *
 * @param aOperationCondition
 *            The operation condition to set.
 */
protected void setOperationCondition(OperationCondition aOperationCondition) {
    this.operationCondition = aOperationCondition;
}
/**
 * Returns the condition that selects the resource paths this rule applies
 * to.
 *
 * @return The path condition, or null if none has been set.
 */
public PathCondition getPathCondition() {
    return this.pathCondition;
}
/**
 * Replaces the path condition. Protected because it is meant for subclasses
 * and the OR mapping, not for callers of the rule.
 *
 * @param aPathCondition
 *            The path condition to set.
 */
protected void setPathCondition(PathCondition aPathCondition) {
    this.pathCondition = aPathCondition;
}
/**
 * Returns the condition that selects the users this rule applies to.
 *
 * @return The user condition, or null if none has been set.
 */
public UserCondition getUserCondition() {
    return this.userCondition;
}
/**
 * Replaces the user condition. Protected because it is meant for subclasses
 * and the OR mapping, not for callers of the rule.
 *
 * @param aUserCondition
 *            The user condition to set.
 */
protected void setUserCondition(UserCondition aUserCondition) {
    this.userCondition = aUserCondition;
}