--- /dev/null
+/*
+ * Copyright 2005-2010 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.wamblee.security.authorization;
+
+import javax.persistence.DiscriminatorColumn;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Inheritance;
+import javax.persistence.InheritanceType;
+import javax.persistence.Table;
+import javax.persistence.Version;
+
+import org.wamblee.usermgt.User;
+
+/**
+ * Represents an authorization rule to determine whether an operation is allowed
+ * on a resource.
+ *
+ * @author Erik Brakkee
+ */
+@Entity
+@Table(name = "SEC_AUTH_RULE")
+@Inheritance(strategy = InheritanceType.SINGLE_TABLE)
+@DiscriminatorColumn(name = "TYPE")
+public abstract class AbstractAuthorizationRule implements AuthorizationRule {
+
+ @Id
+ @GeneratedValue(strategy = GenerationType.AUTO)
+ private Long primaryKey;
+
+ @Version
+ private int version;
+
+ public AbstractAuthorizationRule() {
+ // Empty
+ }
+
+ public AbstractAuthorizationRule(AbstractAuthorizationRule aRule) {
+ primaryKey = aRule.primaryKey;
+ version = aRule.version;
+ }
+}
--- /dev/null
+/*
+ * Copyright 2005-2010 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.wamblee.security.authorization;
+
+import javax.persistence.DiscriminatorColumn;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Inheritance;
+import javax.persistence.InheritanceType;
+import javax.persistence.NamedQueries;
+import javax.persistence.NamedQuery;
+import javax.persistence.Table;
+import javax.persistence.Version;
+
+import org.wamblee.usermgt.UserAccessor;
+
+/**
+ * Service to determine if access to a certain resource is allowed.
+ *
+ * @author Erik Brakkee
+ */
+@Entity
+@Table(name = "SEC_AUTH_SVC")
+@Inheritance(strategy = InheritanceType.SINGLE_TABLE)
+@DiscriminatorColumn(name = "TYPE")
+@NamedQueries(
+ @NamedQuery(name = AbstractAuthorizationService.QUERY_FIND_BY_NAME,
+ query = "select s from AbstractAuthorizationService s where s.name = :" +
+ AbstractAuthorizationService.NAME_PARAM)
+ )
+public abstract class AbstractAuthorizationService implements AuthorizationService {
+
+ public static final String QUERY_FIND_BY_NAME = "AuthorizationService.findByName";
+ public static final String NAME_PARAM = "name";
+
+ @Id
+ @GeneratedValue(strategy = GenerationType.AUTO)
+ private Long primaryKey;
+
+ @Version
+ private int version;
+
+ public AbstractAuthorizationService() {
+ // Empty.
+ }
+
+ public AbstractAuthorizationService(AbstractAuthorizationService aSvc) {
+ primaryKey = aSvc.primaryKey;
+ version = aSvc.version;
+ }
+}
--- /dev/null
+/*
+ * Copyright 2005-2010 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.wamblee.security.authorization;
+
+import javax.persistence.DiscriminatorColumn;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Inheritance;
+import javax.persistence.InheritanceType;
+import javax.persistence.Table;
+import javax.persistence.Version;
+
+/**
+ * Checks if an operation matches a condition.
+ *
+ * @author Erik Brakkee
+ */
+@Entity
+@Table(name = "SEC_OPERATION_CONDITION")
+@Inheritance(strategy = InheritanceType.SINGLE_TABLE)
+@DiscriminatorColumn(name = "TYPE")
+public abstract class AbstractOperationCondition implements OperationCondition {
+
+ @Id
+ @GeneratedValue(strategy = GenerationType.AUTO)
+ private Long primaryKey;
+
+ @Version
+ private int version;
+
+ public AbstractOperationCondition() {
+ // Empty
+ }
+
+ public AbstractOperationCondition(AbstractOperationCondition aCondition) {
+ primaryKey = aCondition.primaryKey;
+ version = aCondition.version;
+ }
+}
--- /dev/null
+/*
+ * Copyright 2005-2010 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.wamblee.security.authorization;
+
+import javax.persistence.DiscriminatorColumn;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Inheritance;
+import javax.persistence.InheritanceType;
+import javax.persistence.Table;
+import javax.persistence.Version;
+
+/**
+ * Checks if a path satisfies a condition.
+ *
+ * @author Erik Brakkee
+ */
+@Entity
+@Table(name = "SEC_PATH_CONDITION")
+@Inheritance(strategy = InheritanceType.SINGLE_TABLE)
+@DiscriminatorColumn(name = "TYPE")
+public abstract class AbstractPathCondition implements PathCondition {
+
+ @Id
+ @GeneratedValue(strategy = GenerationType.AUTO)
+ private Long primaryKey;
+
+ @Version
+ private int version;
+
+ public AbstractPathCondition() {
+ // Empty
+ }
+
+ public AbstractPathCondition(AbstractPathCondition aCondition) {
+ primaryKey = aCondition.primaryKey;
+ version = aCondition.version;
+ }
+}
--- /dev/null
+/*
+ * Copyright 2005-2010 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.wamblee.security.authorization;
+
+import javax.persistence.DiscriminatorColumn;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Inheritance;
+import javax.persistence.InheritanceType;
+import javax.persistence.Table;
+import javax.persistence.Version;
+
+import org.wamblee.usermgt.User;
+
+/**
+ * Condition used to match a user against a specified set of users.
+ *
+ * @author Erik Brakkee
+ */
+@Entity
+@Table(name = "SEC_USER_CONDITION")
+@Inheritance(strategy = InheritanceType.SINGLE_TABLE)
+@DiscriminatorColumn(name = "TYPE")
+public abstract class AbstractUserCondition implements UserCondition {
+
+ @Id
+ @GeneratedValue(strategy = GenerationType.AUTO)
+ private Long primaryKey;
+
+ @Version
+ private int version;
+
+ public AbstractUserCondition() {
+ // Empty.
+ }
+
+ public AbstractUserCondition(AbstractUserCondition aCondition) {
+ primaryKey = aCondition.primaryKey;
+ version = aCondition.version;
+ }
+}
*/
@Entity
@DiscriminatorValue("ANYUSER")
-public class AnyUserCondition extends UserCondition {
+public class AnyUserCondition extends AbstractUserCondition {
/**
* Constructs the condition.
*
* Default rules for initialization.
*/
public AuthorizationInitializer(AuthorizationService aService,
- AuthorizationRule[] aRules) {
+ AbstractAuthorizationRule[] aRules) {
if (aService.getRules().length == 0) {
- for (AuthorizationRule rule : aRules) {
+ for (AbstractAuthorizationRule rule : aRules) {
LOGGER.info("Appending authorization rule " + rule);
aService.appendRule(rule);
}
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- */
+ */
package org.wamblee.security.authorization;
-import javax.persistence.DiscriminatorColumn;
-import javax.persistence.Entity;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.Inheritance;
-import javax.persistence.InheritanceType;
-import javax.persistence.Table;
-import javax.persistence.Version;
-
import org.wamblee.usermgt.User;
/**
*
* @author Erik Brakkee
*/
-@Entity
-@Table(name = "SEC_AUTH_RULE")
-@Inheritance(strategy = InheritanceType.SINGLE_TABLE)
-@DiscriminatorColumn(name = "TYPE")
-public abstract class AuthorizationRule {
-
- @Id
- @GeneratedValue(strategy = GenerationType.AUTO)
- private Long primaryKey;
+public interface AuthorizationRule {
- @Version
- private int version;
-
- public AuthorizationRule() {
- // Empty
- }
-
- public AuthorizationRule(AuthorizationRule aRule) {
- primaryKey = aRule.primaryKey;
- version = aRule.version;
- }
-
/**
* Returns the supported object types for which this authorization rule
* applies. This can be used by the authorization service for optimization.
*
* @return Authorization result.
*/
- public abstract AuthorizationResult isAllowed(Object aResource, Operation aOperation,
- User aUser);
-}
+ public abstract AuthorizationResult isAllowed(Object aResource,
+ Operation aOperation, User aUser);
+
+}
\ No newline at end of file
*/
package org.wamblee.security.authorization;
-import javax.persistence.DiscriminatorColumn;
-import javax.persistence.Entity;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.Inheritance;
-import javax.persistence.InheritanceType;
-import javax.persistence.NamedQueries;
-import javax.persistence.NamedQuery;
-import javax.persistence.Table;
-import javax.persistence.Version;
-
import org.wamblee.usermgt.UserAccessor;
/**
*
* @author Erik Brakkee
*/
-@Entity
-@Table(name = "SEC_AUTH_SVC")
-@Inheritance(strategy = InheritanceType.SINGLE_TABLE)
-@DiscriminatorColumn(name = "TYPE")
-@NamedQueries(
- @NamedQuery(name = AuthorizationService.QUERY_FIND_BY_NAME,
- query = "select s from AuthorizationService s where s.name = :" +
- AuthorizationService.NAME_PARAM)
- )
-public abstract class AuthorizationService {
-
- public static final String QUERY_FIND_BY_NAME = "AuthorizationService.findByName";
- public static final String NAME_PARAM = "name";
-
- @Id
- @GeneratedValue(strategy = GenerationType.AUTO)
- private Long primaryKey;
+public interface AuthorizationService {
- @Version
- private int version;
-
- public AuthorizationService() {
- // Empty.
- }
-
- public AuthorizationService(AuthorizationService aSvc) {
- primaryKey = aSvc.primaryKey;
- version = aSvc.version;
- }
-
/**
* Checks whether an operation is allowed on a resource.
*
*
* @return Checks whether the operation is allowed on a resource.
*/
- public abstract boolean isAllowed(Object aResource, Operation aOperation);
+ boolean isAllowed(Object aResource, Operation aOperation);
- public abstract <T> T check(T aResource, Operation aOperation);
+ /**
+ * Checks if the given operation is allowed on the resource.
+ * @param <T> Type of resource
+ * @param aResource Resource.
+ * @param aOperation Operation.
+ * @return Resource passed in in case access is allowed
+ * @throws AuthorizationException In case access is denied.
+ */
+ <T> T check(T aResource, Operation aOperation);
/**
* Gets the authorization rules.
*
* @return Rules.
*/
- public abstract AuthorizationRule[] getRules();
+ AuthorizationRule[] getRules();
/**
* Appends a new authorization rule to the end.
* @param aRule
* Rule to append.
*/
- public abstract void appendRule(AuthorizationRule aRule);
+ void appendRule(AuthorizationRule aRule);
/**
* Removes a rule.
* @param aIndex
* Index of the rule to remove.
*/
- public abstract void removeRule(int aIndex);
+ void removeRule(int aIndex);
/**
* Inserts a rule.
* @param aRule
* Rule to insert.
*/
- public abstract void insertRuleAfter(int aIndex, AuthorizationRule aRule);
+ void insertRuleAfter(int aIndex, AuthorizationRule aRule);
/**
- * Sets the user accessor so that the authorization service can get access to the logged in
- * user.
- * @param aUserAccessor User accessor.
+ * Sets the user accessor so that the authorization service can get access
+ * to the logged in user.
+ *
+ * @param aUserAccessor
+ * User accessor.
*/
- public abstract void setUserAccessor(UserAccessor aUserAccessor);
-}
+ void setUserAccessor(UserAccessor aUserAccessor);
+
+}
\ No newline at end of file
import java.util.ArrayList;
import java.util.List;
+import javax.persistence.CascadeType;
import javax.persistence.DiscriminatorValue;
import javax.persistence.Entity;
+import javax.persistence.ManyToMany;
+import javax.persistence.OneToMany;
+import javax.persistence.OrderColumn;
+import javax.persistence.Transient;
import org.wamblee.usermgt.User;
import org.wamblee.usermgt.UserAccessor;
*/
@Entity
@DiscriminatorValue("DEFAULT")
-public class DefaultAuthorizationService extends AuthorizationService {
+public class DefaultAuthorizationService extends AbstractAuthorizationService {
/**
* List of ordered authorization rules.
*/
+ @OneToMany(cascade = CascadeType.ALL, orphanRemoval = true, targetEntity = AbstractAuthorizationRule.class)
+ @OrderColumn(name = "RULE_INDEX")
private List<AuthorizationRule> rules;
/**
* User accessor used to obtain the current user.
*/
+ @Transient
private UserAccessor userAccessor;
/**
* @see org.wamblee.security.authorization.AuthorizationService#getRules()
*/
public AuthorizationRule[] getRules() {
- return rules.toArray(new AuthorizationRule[0]);
+ return rules.toArray(new AbstractAuthorizationRule[0]);
}
/*
*/
@Entity
@DiscriminatorValue("GROUP")
-public class GroupUserCondition extends UserCondition {
+public class GroupUserCondition extends AbstractUserCondition {
/**
* Group the user must be in.
*/
@Entity
@DiscriminatorValue("ISA")
@Access(AccessType.PROPERTY)
-public class IsaOperationCondition extends OperationCondition {
+public class IsaOperationCondition extends AbstractOperationCondition {
/**
* Operation that the other operation must be a subclass of.
*/
*/
package org.wamblee.security.authorization;
-import javax.persistence.DiscriminatorColumn;
-import javax.persistence.Entity;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.Inheritance;
-import javax.persistence.InheritanceType;
-import javax.persistence.Table;
-import javax.persistence.Version;
-
/**
* Checks if an operation matches a condition.
*
* @author Erik Brakkee
*/
-@Entity
-@Table(name = "SEC_OPERATION_CONDITION")
-@Inheritance(strategy = InheritanceType.SINGLE_TABLE)
-@DiscriminatorColumn(name = "TYPE")
-public abstract class OperationCondition {
-
- @Id
- @GeneratedValue(strategy = GenerationType.AUTO)
- private Long primaryKey;
+public interface OperationCondition {
- @Version
- private int version;
-
- public OperationCondition() {
- // Empty
- }
-
- public OperationCondition(OperationCondition aCondition) {
- primaryKey = aCondition.primaryKey;
- version = aCondition.version;
- }
-
/**
* Determines if the operation matches.
*
* @return True iff the operation matches.
*/
public abstract boolean matches(Operation aOperation);
-}
+
+}
\ No newline at end of file
*/
package org.wamblee.security.authorization;
-import javax.persistence.DiscriminatorColumn;
-import javax.persistence.Entity;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.Inheritance;
-import javax.persistence.InheritanceType;
-import javax.persistence.Table;
-import javax.persistence.Version;
-
/**
* Checks if a path satisfies a condition.
*
* @author Erik Brakkee
*/
-@Entity
-@Table(name = "SEC_PATH_CONDITION")
-@Inheritance(strategy = InheritanceType.SINGLE_TABLE)
-@DiscriminatorColumn(name = "TYPE")
-public abstract class PathCondition {
-
- @Id
- @GeneratedValue(strategy = GenerationType.AUTO)
- private Long primaryKey;
+public interface PathCondition {
- @Version
- private int version;
-
- public PathCondition() {
- // Empty
- }
-
- public PathCondition(PathCondition aCondition) {
- primaryKey = aCondition.primaryKey;
- version = aCondition.version;
- }
-
/**
* Checks if the path matches the condition.
*
* @return True iff the path matches.
*/
public abstract boolean matches(String aPath);
-}
+
+}
\ No newline at end of file
*/
@Entity
@DiscriminatorValue("REGEXP")
-public class RegexpPathCondition extends PathCondition {
+public class RegexpPathCondition extends AbstractPathCondition {
/**
* String the path must start with.
*/
import static org.wamblee.security.authorization.AuthorizationResult.*;
+import javax.enterprise.inject.Typed;
import javax.persistence.Access;
import javax.persistence.AccessType;
import javax.persistence.CascadeType;
import javax.persistence.Column;
+import javax.persistence.DiscriminatorValue;
import javax.persistence.Entity;
import javax.persistence.JoinColumn;
import javax.persistence.ManyToOne;
* <li>The path of the resource. To obtain the path of a resource, subclasses
* must implement {@link #getResourcePath(Object)}. Whether a path is
* appropriate is determined by a
- * {@link org.wamblee.security.authorization.PathCondition}.</li>
+ * {@link org.wamblee.security.authorization.AbstractPathCondition}.</li>
* <li>The user identity with which the resource is accessed. Whether a user is
* appropriate is determined by a
- * {@link org.wamblee.security.authorization.UserCondition}.</li>
+ * {@link org.wamblee.security.authorization.AbstractUserCondition}.</li>
* <li>The operation that is requested. Whether the operation is appropriate is
- * determined by a {@link org.wamblee.security.authorization.OperationCondition}
+ * determined by a {@link org.wamblee.security.authorization.AbstractOperationCondition}
* .</li>
* </ul>
* In case all three conditions match, the condition returns the configured
*/
@Entity
@Access(AccessType.PROPERTY)
-public abstract class UrlAuthorizationRule extends AuthorizationRule {
+public abstract class UrlAuthorizationRule extends AbstractAuthorizationRule {
private static final Logger LOGGER = Logger
.getLogger(UrlAuthorizationRule.class);
/**
* Operation that this rule is for.
*/
+
private OperationCondition operationCondition;
/**
*
* @return Returns the operationCondition.
*/
- @ManyToOne(cascade = CascadeType.ALL)
+ @ManyToOne(cascade = CascadeType.ALL, targetEntity = AbstractOperationCondition.class)
@JoinColumn(name = "OPER_COND_PK")
public OperationCondition getOperationCondition() {
return operationCondition;
*
* @return Returns the pathCondition.
*/
- @ManyToOne(cascade = CascadeType.ALL)
+ @ManyToOne(cascade = CascadeType.ALL, targetEntity = AbstractPathCondition.class)
@JoinColumn(name = "PATH_COND_PK")
public PathCondition getPathCondition() {
return pathCondition;
*
* @return Returns the userCondition.
*/
- @ManyToOne(cascade = CascadeType.ALL)
+ @ManyToOne(cascade = CascadeType.ALL, targetEntity = AbstractUserCondition.class)
@JoinColumn(name = "USER_COND_PK")
public UserCondition getUserCondition() {
return userCondition;
*/
package org.wamblee.security.authorization;
-import javax.persistence.DiscriminatorColumn;
-import javax.persistence.Entity;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.Inheritance;
-import javax.persistence.InheritanceType;
-import javax.persistence.Table;
-import javax.persistence.Version;
-
import org.wamblee.usermgt.User;
/**
*
* @author Erik Brakkee
*/
-@Entity
-@Table(name = "SEC_USER_CONDITION")
-@Inheritance(strategy = InheritanceType.SINGLE_TABLE)
-@DiscriminatorColumn(name = "TYPE")
-public abstract class UserCondition {
-
- @Id
- @GeneratedValue(strategy = GenerationType.AUTO)
- private Long primaryKey;
+public interface UserCondition {
- @Version
- private int version;
-
- public UserCondition() {
- // Empty.
- }
-
- public UserCondition(UserCondition aCondition) {
- primaryKey = aCondition.primaryKey;
- version = aCondition.version;
- }
-
/**
* Determines if the condition matches.
*
* @return True if the condition matches, false otherwise.
*/
public abstract boolean matches(User aUser);
-}
+
+}
\ No newline at end of file