2 * Copyright 2005-2010 the original author or authors.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
16 package org.wamblee.security.authorization;
18 import static org.wamblee.security.authorization.AuthorizationResult.*;
20 import javax.persistence.Access;
21 import javax.persistence.AccessType;
22 import javax.persistence.CascadeType;
23 import javax.persistence.Column;
24 import javax.persistence.Entity;
25 import javax.persistence.JoinColumn;
26 import javax.persistence.OneToOne;
27 import javax.persistence.Transient;
29 import org.apache.log4j.Logger;
30 import org.wamblee.security.authentication.UserAdministration;
33 * Utility base class for implementation of authentication rules based on the
35 * <li>The path of the resource. To obtain the path of a resource, subclasses
36 * must implement {@link #getResourcePath(Object)}. Whether a path is
37 * appropriate is determined by a
38 * {@link org.wamblee.security.authorization.AbstractPathCondition}.</li>
39 * <li>The user identity with which the resource is accessed. Whether a user is
40 * appropriate is determined by a
41 * {@link org.wamblee.security.authorization.AbstractUserCondition}.</li>
42 * <li>The operation that is requested. Whether the operation is appropriate is
43 * determined by a {@link org.wamblee.security.authorization.AbstractOperationCondition}
46 * In case all three conditions match, the condition returns the configured
47 * result passed at construction (GRANTED or DENIED). If the resource is not of
48 * the specified type, the result is UNSUPPORTED_RESOURCE, otherwise, the result
52 @Access(AccessType.PROPERTY)
53 public abstract class UrlAuthorizationRule extends AbstractAuthorizationRule {
54 private static final Logger LOGGER = Logger
55 .getLogger(UrlAuthorizationRule.class);
58 * Result that the rule will return in case there is a match.
60 private AuthorizationResult result;
63 * A condition which specifies which users the rule is for.
65 private UserCondition userCondition;
68 * Path the rule applies for.
70 private PathCondition pathCondition;
73 * Resource class that the rule applies for.
75 private Class resourceClass;
78 * Operation that this rule is for.
81 private OperationCondition operationCondition;
84 * Constructs an authorization rule. IF the group and path match, then the
85 * provided result will be returned.
88 * Result of the authorization when the path and group match.
89 * @param aUserCondition
90 * Condition to match users.
91 * @param aPathCondition
92 * Condition to match paths with.
93 * @param aResourceClass
94 * Supported resource class this is for.
95 * @param aOperationCondition
96 * Condition to match the operation with.
98 protected UrlAuthorizationRule(AuthorizationResult aResult,
99 UserCondition aUserCondition, PathCondition aPathCondition,
100 Class aResourceClass, OperationCondition aOperationCondition) {
101 if (!aResult.equals(GRANTED) && !aResult.equals(DENIED)) {
102 throw new IllegalArgumentException(
103 "Only GRANTED or DENIED may be used: " + aResult);
107 userCondition = aUserCondition;
108 pathCondition = aPathCondition;
109 resourceClass = aResourceClass;
110 operationCondition = aOperationCondition;
117 protected UrlAuthorizationRule(Class aResourceClass) {
119 userCondition = null;
120 pathCondition = null;
121 resourceClass = aResourceClass;
122 operationCondition = null;
129 protected UrlAuthorizationRule() {
131 userCondition = null;
132 pathCondition = null;
133 resourceClass = null;
134 operationCondition = null;
141 * org.wamblee.security.authorization.AuthorizationRule#getSupportedTypes()
144 public Class[] getSupportedTypes() {
145 return new Class[] { resourceClass };
152 * org.wamblee.security.authorization.AuthorizationRule#isAllowed(java.lang
153 * .Object, org.wamblee.security.authorization.Operation)
155 public AuthorizationResult isAllowed(Object aResource,
156 Operation aOperation, String aUser) {
157 if (!resourceClass.isInstance(aResource)) {
158 return UNSUPPORTED_RESOURCE;
161 String path = getResourcePath(aResource);
163 return isAllowedWithPath(path, aOperation, aUser);
167 * Determines if the operation is allowed on the resource.
170 * Path of the resource.
172 * Operation to be done.
174 * Currently logged in user or null if no user is logged in.
176 * @return Authorization result,
178 protected AuthorizationResult isAllowedWithPath(String aPath, Operation aOperation,
180 if (!pathCondition.matches(aPath)) {
184 if (!operationCondition.matches(aOperation)) {
188 if (!userCondition.matches(aUser)) {
196 * Gets the path of the resource.
199 * Resource, guaranteed to be an instance of
200 * {@link #resourceClass}.
202 * @return Path of the resource.
204 protected abstract String getResourcePath(Object aResource);
209 * @see java.lang.Object#toString()
212 public String toString() {
213 return "UrlAUthorizationRule(result = " + result +
214 ", pathCondition = " + pathCondition + ", userCondition = " +
215 userCondition + ", resourceClass = " + resourceClass + ")";
219 * Gets the authorization result for OR mapping.
223 @Column(name = "AUTH_RESULT", nullable = false)
224 protected String getAuthorizationResultString() {
225 if (result == null) {
229 return result.toString();
233 * Sets the authorization result, for OR mapping.
238 protected void setAuthorizationResultString(String aResult) {
239 result = AuthorizationResult.valueOf(aResult);
242 @Column(name = "RES_CLASSNAME", nullable = false)
243 protected String getResourceClassName() {
244 if (resourceClass == null) {
248 return resourceClass.getName();
251 protected void setResourceClassName(String aResourceClass) {
253 resourceClass = Class.forName(aResourceClass);
254 } catch (ClassNotFoundException e) {
255 LOGGER.error("Cannot find resource class '" + aResourceClass + "'",
257 throw new IllegalArgumentException(e.getMessage(), e);
263 * @return Returns the operationCondition.
265 @OneToOne(cascade = CascadeType.ALL, targetEntity = AbstractOperationCondition.class, orphanRemoval = true)
266 @JoinColumn(name = "OPER_COND_PK")
267 public OperationCondition getOperationCondition() {
268 return operationCondition;
273 * @param aOperationCondition
274 * The operationCondition to set.
276 protected void setOperationCondition(OperationCondition aOperationCondition) {
277 operationCondition = aOperationCondition;
282 * @return Returns the pathCondition.
284 @OneToOne(cascade = CascadeType.ALL, targetEntity = AbstractPathCondition.class, orphanRemoval = true)
285 @JoinColumn(name = "PATH_COND_PK")
286 public PathCondition getPathCondition() {
287 return pathCondition;
292 * @param aPathCondition
293 * The pathCondition to set.
295 protected void setPathCondition(PathCondition aPathCondition) {
296 pathCondition = aPathCondition;
301 * @return Returns the userCondition.
303 @OneToOne(cascade = CascadeType.ALL, targetEntity = AbstractUserCondition.class, orphanRemoval = true)
304 @JoinColumn(name = "USER_COND_PK")
305 public UserCondition getUserCondition() {
306 return userCondition;
311 * @param aUserCondition
312 * The userCondition to set.
314 protected void setUserCondition(UserCondition aUserCondition) {
315 userCondition = aUserCondition;
319 public void setUserAdministration(UserAdministration aAdmin) {
320 userCondition.setUserAdmin(aAdmin);