X-Git-Url: http://wamblee.org/gitweb/?a=blobdiff_plain;f=security%2Fusermgt%2Fsrc%2Fmain%2Fjava%2Forg%2Fwamblee%2Fsecurity%2Fauthorization%2FDefaultAuthorizationService.java;fp=security%2Fusermgt%2Fsrc%2Fmain%2Fjava%2Forg%2Fwamblee%2Fsecurity%2Fauthorization%2FDefaultAuthorizationService.java;h=a142712e395b999198fcd89d08ec065b2c64c221;hb=9449ea0f360f6e9c14057db57f3ee0bfba947ab4;hp=0000000000000000000000000000000000000000;hpb=e8b988e92306a4aea2f047af1b48588147288831;p=utils diff --git a/security/usermgt/src/main/java/org/wamblee/security/authorization/DefaultAuthorizationService.java b/security/usermgt/src/main/java/org/wamblee/security/authorization/DefaultAuthorizationService.java new file mode 100644 index 00000000..a142712e --- /dev/null +++ b/security/usermgt/src/main/java/org/wamblee/security/authorization/DefaultAuthorizationService.java @@ -0,0 +1,205 @@ +/* + * Copyright 2005-2010 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.wamblee.security.authorization; + +import java.util.ArrayList; +import java.util.List; + +import javax.persistence.CascadeType; +import javax.persistence.DiscriminatorValue; +import javax.persistence.Entity; +import javax.persistence.JoinColumn; +import javax.persistence.JoinTable; +import javax.persistence.OneToMany; +import javax.persistence.OrderColumn; +import javax.persistence.Transient; + +import org.wamblee.security.authentication.UserAccessor; +import org.wamblee.security.authentication.UserAdministration; + +/** + * Default implementation of an authorization service. To determine whether + * access to a resource is allowed, the service consults a number of + * authorization rules in a fixed order. The first rule that gives a result + * GRANTED or DENIED determines the result of the evaluation. Rules that return + * any other result are ignoed. If none of the rules match, than access is + * denied. + * + * @author Erik Brakkee + */ +@Entity +@DiscriminatorValue("DEFAULT") +public class DefaultAuthorizationService extends AbstractAuthorizationService { + + /** + * List of ordered authorization rules. + */ + @OneToMany(cascade = CascadeType.ALL, orphanRemoval = true, targetEntity = AbstractAuthorizationRule.class) + @JoinTable(name = "SEC_AUTH_SVC_RULE", joinColumns = { @JoinColumn(name = "SVC_ID") }, inverseJoinColumns = { @JoinColumn(name = "RULE_ID") }) + @OrderColumn(name = "RULE_INDEX") + private List rules; + + /** + * User accessor used to obtain the current user. + */ + @Transient + private UserAccessor userAccessor; + + @Transient + private UserAdministration userAdmin; + + /** + * Constructs the service. + * + * @param aAccessor + * User accessor. + * @param aUserAdmin + * User administration. + * @param aName + * Name of this instance of the service. + */ + public DefaultAuthorizationService(UserAccessor aAccessor, + UserAdministration aUserAdmin, String aName) { + super(aName); + rules = new ArrayList(); + userAccessor = aAccessor; + userAdmin = aUserAdmin; + } + + /** + * Constructs the authorization service. + */ + public DefaultAuthorizationService() { + rules = new ArrayList(); + userAccessor = null; + userAdmin = null; + } + + @Override + public void setUserAccessor(UserAccessor aUserAccessor) { + userAccessor = aUserAccessor; + } + + @Override + public void setUserAdministration(UserAdministration aUserAdmin) { + userAdmin = aUserAdmin; + for (AuthorizationRule rule : rules) { + rule.setUserAdministration(userAdmin); + } + } + + /* + * (non-Javadoc) + * + * @see + * org.wamblee.security.authorization.AuthorizationService#isAllowed(java + * .lang.Object, org.wamblee.security.authorization.Operation) + */ + public boolean isAllowed(Object aResource, Operation aOperation) { + String user = userAccessor.getCurrentUser(); + + for (AuthorizationRule rule : rules) { + switch (rule.isAllowed(aResource, aOperation, user)) { + case DENIED: + return false; + + case GRANTED: + return true; + } + } + + return false; + } + + /* + * (non-Javadoc) + * + * @see org.wamblee.security.authorization.AuthorizationService#check(T, + * org.wamblee.security.authorization.Operation) + */ + public T check(T aResource, Operation aOperation) { + if (!isAllowed(aResource, aOperation)) { + throw new AuthorizationException(aResource, aOperation); + } + + return aResource; + } + + /* + * (non-Javadoc) + * + * @see org.wamblee.security.authorization.AuthorizationService#getRules() + */ + public AuthorizationRule[] getRules() { + return rules.toArray(new AbstractAuthorizationRule[0]); + } + + /* + * (non-Javadoc) + * + * @see + * org.wamblee.security.authorization.AuthorizationService#appendRule(org + * .wamblee.security.authorization.AuthorizationRule) + */ + public void appendRule(AuthorizationRule aRule) { + aRule.setUserAdministration(userAdmin); + rules.add(aRule); + } + + /* + * (non-Javadoc) + * + * @see + * org.wamblee.security.authorization.AuthorizationService#insertRuleAfter + * (int, org.wamblee.security.authorization.AuthorizationRule) + */ + public void insertRuleAfter(int aIndex, AuthorizationRule aRule) { + aRule.setUserAdministration(userAdmin); + rules.add(aIndex, aRule); + } + + /* + * (non-Javadoc) + * + * @see + * org.wamblee.security.authorization.AuthorizationService#removeRule(int) + */ + public void removeRule(int aIndex) { + rules.remove(aIndex); + } + + /** + * For OR mapping. + * + * @return The rules. + */ + protected List getMappedRules() { + return rules; + } + + /** + * For OR mapping. + * + * @param aRules + * The rules. + */ + protected void setMappedRules(List aRules) { + rules = aRules; + for (AuthorizationRule rule : rules) { + rule.setUserAdministration(userAdmin); + } + } +}