2 * Copyright 2005-2010 the original author or authors.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
16 package org.wamblee.security.authorization;
18 import java.util.ArrayList;
19 import java.util.List;
21 import javax.persistence.CascadeType;
22 import javax.persistence.DiscriminatorValue;
23 import javax.persistence.Entity;
24 import javax.persistence.JoinColumn;
25 import javax.persistence.JoinTable;
26 import javax.persistence.OneToMany;
27 import javax.persistence.OrderColumn;
28 import javax.persistence.Transient;
30 import org.wamblee.security.authentication.UserAccessor;
31 import org.wamblee.security.authentication.UserAdministration;
34 * Default implementation of an authorization service. To determine whether
35 * access to a resource is allowed, the service consults a number of
36 * authorization rules in a fixed order. The first rule that gives a result
37 * GRANTED or DENIED determines the result of the evaluation. Rules that return
38 * any other result are ignored. If none of the rules match, then access is
41 * @author Erik Brakkee
44 @DiscriminatorValue("DEFAULT")
45 public class DefaultAuthorizationService extends AbstractAuthorizationService {
48 * List of ordered authorization rules.
// Persisted in evaluation order (RULE_INDEX). isAllowed() walks this list
// first-to-last and, per the class Javadoc, the first GRANTED/DENIED result
// wins, so the index a rule is stored at decides authorization outcomes —
// it is not merely presentational.
@OneToMany(cascade = CascadeType.ALL, orphanRemoval = true, targetEntity = AbstractAuthorizationRule.class)
@JoinTable(name = "SEC_AUTH_SVC_RULE", joinColumns = { @JoinColumn(name = "SVC_ID") }, inverseJoinColumns = { @JoinColumn(name = "RULE_ID") })
@OrderColumn(name = "RULE_INDEX")
private List<AuthorizationRule> rules;
56 * User accessor used to obtain the current user.
// Sole source of the identity that isAllowed() evaluates; callers never pass
// a user themselves.
private UserAccessor userAccessor;

// Pushed into every rule (setUserAdministration, appendRule, insertRuleAfter,
// setMappedRules) so all rules share the administration this service holds.
private UserAdministration userAdmin;
65 * Constructs the service.
70 * User administration.
72 * Name of this instance of the service.
public DefaultAuthorizationService(UserAccessor aAccessor,
        UserAdministration aUserAdmin, String aName) {
    // NOTE(review): aName is not used on any line visible in this listing;
    // presumably it is handed to the superclass constructor on a line that
    // was lost from the listing — confirm.
    rules = new ArrayList<AuthorizationRule>();
    userAccessor = aAccessor;
    userAdmin = aUserAdmin;
83 * Constructs the authorization service.
/**
 * No-argument constructor (required for a JPA entity). The service starts
 * with an empty rule list; the user accessor and user administration are
 * supplied later through {@link #setUserAccessor(UserAccessor)} and
 * {@link #setUserAdministration(UserAdministration)}.
 */
public DefaultAuthorizationService() {
    this.rules = new ArrayList<AuthorizationRule>();
}
/**
 * Sets the accessor from which {@link #isAllowed(Object, Operation)} obtains
 * the current user.
 *
 * @param aUserAccessor User accessor to use from now on.
 */
public void setUserAccessor(UserAccessor aUserAccessor) {
    this.userAccessor = aUserAccessor;
}
/**
 * Sets the user administration and propagates it to every rule already
 * registered, so rules added before this call use the same administration
 * as rules added afterwards.
 *
 * @param aUserAdmin User administration to use from now on.
 */
public void setUserAdministration(UserAdministration aUserAdmin) {
    this.userAdmin = aUserAdmin;
    for (AuthorizationRule existing : this.rules) {
        existing.setUserAdministration(this.userAdmin);
    }
}
108 * org.wamblee.security.authorization.AuthorizationService#isAllowed(java
109 * .lang.Object, org.wamblee.security.authorization.Operation)
public boolean isAllowed(Object aResource, Operation aOperation) {
    // The identity is taken from the accessor, never from the caller, so a
    // caller cannot evaluate rules on behalf of a different user.
    // NOTE(review): whether getCurrentUser() can return null for an
    // unauthenticated caller is not visible here; rules must cope — confirm.
    String user = userAccessor.getCurrentUser();

    // Rules are consulted in list order; per the class Javadoc the first
    // GRANTED or DENIED result decides and other results are skipped.
    // NOTE(review): the case labels and the fall-through after the loop are
    // missing from this listing — confirm the "no rule matched" path returns
    // false (deny by default).
    for (AuthorizationRule rule : rules) {
        switch (rule.isAllowed(aResource, aOperation, user)) {
130 * @see org.wamblee.security.authorization.AuthorizationService#check(T,
131 * org.wamblee.security.authorization.Operation)
public <T> T check(T aResource, Operation aOperation) {
    // Fail closed: a denied access is reported as an exception that carries
    // the resource and operation, not as a silent null/false result.
    if (!isAllowed(aResource, aOperation)) {
        throw new AuthorizationException(aResource, aOperation);
144 * @see org.wamblee.security.authorization.AuthorizationService#getRules()
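/**
 * Returns a snapshot of the rules in evaluation order.
 *
 * @return A fresh array; modifying it does not change this service.
 */
public AuthorizationRule[] getRules() {
    // The runtime array type must match the declared element type. With an
    // AbstractAuthorizationRule[] the call throws ArrayStoreException as soon
    // as the list holds an AuthorizationRule that is not an
    // AbstractAuthorizationRule (appendRule/insertRuleAfter accept any
    // implementation), and callers would hit the same exception when storing
    // such a rule into the returned array.
    return rules.toArray(new AuthorizationRule[0]);
}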
154 * org.wamblee.security.authorization.AuthorizationService#appendRule(org
155 * .wamblee.security.authorization.AuthorizationRule)
public void appendRule(AuthorizationRule aRule) {
    // Wire the administration before the rule becomes reachable from
    // isAllowed(), mirroring insertRuleAfter().
    aRule.setUserAdministration(userAdmin);
    // NOTE(review): the statement that adds aRule to the rule list is not
    // visible in this listing — confirm it is present in the source file.
166 * org.wamblee.security.authorization.AuthorizationService#insertRuleAfter
167 * (int, org.wamblee.security.authorization.AuthorizationRule)
/**
 * Inserts a rule at the given list position after wiring it to the current
 * user administration.
 *
 * @param aIndex Position in the rule list passed to {@link List#add(int, Object)}.
 * @param aRule Rule to insert.
 */
public void insertRuleAfter(int aIndex, AuthorizationRule aRule) {
    aRule.setUserAdministration(this.userAdmin);
    // NOTE(review): List.add(index, e) stores the rule AT aIndex, i.e. before
    // the rule currently at that position, although the name says "after".
    // Because rule order decides the outcome (first GRANTED/DENIED wins),
    // confirm against the AuthorizationService contract which index callers
    // are expected to pass.
    this.rules.add(aIndex, aRule);
}
178 * org.wamblee.security.authorization.AuthorizationService#removeRule(int)
/**
 * Removes the rule at the given position; the rules behind it shift down by
 * one, which changes their evaluation index.
 *
 * @param aIndex Position of the rule to remove.
 * @throws IndexOutOfBoundsException If {@code aIndex} is not a valid position.
 */
public void removeRule(int aIndex) {
    // int overload: removes by position, not by object identity.
    this.rules.remove(aIndex);
}
/**
 * Returns the rule list as mapped by the persistence layer (presumably the
 * counterpart of setMappedRules; its body is not visible in this listing).
 * NOTE(review): if this hands out the live list, code outside this class
 * could add rules without the user administration that appendRule() and
 * insertRuleAfter() set — confirm it is used only by the mapping layer.
 */
protected List<AuthorizationRule> getMappedRules() {
199 protected void setMappedRules(List<AuthorizationRule> aRules) {
201 for (AuthorizationRule rule : rules) {
202 rule.setUserAdministration(userAdmin);