SEC-1533: AclAuthorizationStrategyImpl can now take either one or three GrantedAuthority arguments. If only one is supplied, it will be used for all 3 of the permissions supported by the class.
parent
acad848690
commit
1a838c2049
|
@ -52,16 +52,23 @@ public class AclAuthorizationStrategyImpl implements AclAuthorizationStrategy {
|
||||||
* Constructor. The only mandatory parameter relates to the system-wide {@link GrantedAuthority} instances that
|
* Constructor. The only mandatory parameter relates to the system-wide {@link GrantedAuthority} instances that
|
||||||
* can be held to always permit ACL changes.
|
* can be held to always permit ACL changes.
|
||||||
*
|
*
|
||||||
* @param auths an array of <code>GrantedAuthority</code>s that have
|
* @param auths the <code>GrantedAuthority</code>s that have
|
||||||
* special permissions (index 0 is the authority needed to change
|
* special permissions (index 0 is the authority needed to change
|
||||||
* ownership, index 1 is the authority needed to modify auditing details,
|
* ownership, index 1 is the authority needed to modify auditing details,
|
||||||
* index 2 is the authority needed to change other ACL and ACE details) (required)
|
* index 2 is the authority needed to change other ACL and ACE details) (required)
|
||||||
|
* <p>
|
||||||
|
* Alternatively, a single value can be supplied for all three permissions.
|
||||||
*/
|
*/
|
||||||
public AclAuthorizationStrategyImpl(GrantedAuthority[] auths) {
|
public AclAuthorizationStrategyImpl(GrantedAuthority... auths) {
|
||||||
Assert.isTrue(auths != null && auths.length == 3, "GrantedAuthority[] with three elements required");
|
Assert.isTrue(auths != null && (auths.length == 3 || auths.length == 1),
|
||||||
this.gaTakeOwnership = auths[0];
|
"One or three GrantedAuthority instances required");
|
||||||
this.gaModifyAuditing = auths[1];
|
if (auths.length == 3) {
|
||||||
this.gaGeneralChanges = auths[2];
|
gaTakeOwnership = auths[0];
|
||||||
|
gaModifyAuditing = auths[1];
|
||||||
|
gaGeneralChanges = auths[2];
|
||||||
|
} else {
|
||||||
|
gaTakeOwnership = gaModifyAuditing = gaGeneralChanges = auths[0];
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
|
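Review bot: The new assertion in the `AclAuthorizationStrategyImpl(GrantedAuthority... auths)` constructor checks only the array reference and its length, so a null element is accepted and stored in `gaTakeOwnership`, `gaModifyAuditing` and `gaGeneralChanges`. How a null authority behaves in the later permission checks is not visible in this hunk, but an authorization strategy should refuse to be constructed in that state. Assuming `Assert` here is Spring's `org.springframework.util.Assert`, add `Assert.noNullElements(auths, "GrantedAuthority elements cannot be null");` after the length check. The Javadoc should also say that the single-argument form gives one authority ownership, auditing and general-change rights together, for example `* Note: a single value removes the separation between the three permissions.`, so deployments that want those duties separated know to keep passing three values.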
@ -101,9 +101,7 @@ public class BasicLookupStrategyTests {
|
||||||
@Before
|
@Before
|
||||||
public void initializeBeans() {
|
public void initializeBeans() {
|
||||||
EhCacheBasedAclCache cache = new EhCacheBasedAclCache(getCache());
|
EhCacheBasedAclCache cache = new EhCacheBasedAclCache(getCache());
|
||||||
AclAuthorizationStrategy authorizationStrategy = new AclAuthorizationStrategyImpl(new GrantedAuthority[] {
|
AclAuthorizationStrategy authorizationStrategy = new AclAuthorizationStrategyImpl(new GrantedAuthorityImpl("ROLE_ADMINISTRATOR"));
|
||||||
new GrantedAuthorityImpl("ROLE_ADMINISTRATOR"), new GrantedAuthorityImpl("ROLE_ADMINISTRATOR"),
|
|
||||||
new GrantedAuthorityImpl("ROLE_ADMINISTRATOR") });
|
|
||||||
strategy = new BasicLookupStrategy(dataSource, cache, authorizationStrategy,
|
strategy = new BasicLookupStrategy(dataSource, cache, authorizationStrategy,
|
||||||
new DefaultPermissionGrantingStrategy(new ConsoleAuditLogger()));
|
new DefaultPermissionGrantingStrategy(new ConsoleAuditLogger()));
|
||||||
strategy.setPermissionFactory(new DefaultPermissionFactory());
|
strategy.setPermissionFactory(new DefaultPermissionFactory());
|
||||||
|
@ -194,16 +192,16 @@ public class BasicLookupStrategyTests {
|
||||||
|
|
||||||
// Check each entry
|
// Check each entry
|
||||||
Assert.assertTrue(topParent.isEntriesInheriting());
|
Assert.assertTrue(topParent.isEntriesInheriting());
|
||||||
Assert.assertEquals(topParent.getId(), new Long(1));
|
Assert.assertEquals(topParent.getId(), Long.valueOf(1));
|
||||||
Assert.assertEquals(topParent.getOwner(), new PrincipalSid("ben"));
|
Assert.assertEquals(topParent.getOwner(), new PrincipalSid("ben"));
|
||||||
Assert.assertEquals(topParent.getEntries().get(0).getId(), new Long(1));
|
Assert.assertEquals(topParent.getEntries().get(0).getId(), Long.valueOf(1));
|
||||||
Assert.assertEquals(topParent.getEntries().get(0).getPermission(), BasePermission.READ);
|
Assert.assertEquals(topParent.getEntries().get(0).getPermission(), BasePermission.READ);
|
||||||
Assert.assertEquals(topParent.getEntries().get(0).getSid(), new PrincipalSid("ben"));
|
Assert.assertEquals(topParent.getEntries().get(0).getSid(), new PrincipalSid("ben"));
|
||||||
Assert.assertFalse(((AuditableAccessControlEntry) topParent.getEntries().get(0)).isAuditFailure());
|
Assert.assertFalse(((AuditableAccessControlEntry) topParent.getEntries().get(0)).isAuditFailure());
|
||||||
Assert.assertFalse(((AuditableAccessControlEntry) topParent.getEntries().get(0)).isAuditSuccess());
|
Assert.assertFalse(((AuditableAccessControlEntry) topParent.getEntries().get(0)).isAuditSuccess());
|
||||||
Assert.assertTrue(((AuditableAccessControlEntry) topParent.getEntries().get(0)).isGranting());
|
Assert.assertTrue(((AuditableAccessControlEntry) topParent.getEntries().get(0)).isGranting());
|
||||||
|
|
||||||
Assert.assertEquals(topParent.getEntries().get(1).getId(), new Long(2));
|
Assert.assertEquals(topParent.getEntries().get(1).getId(), Long.valueOf(2));
|
||||||
Assert.assertEquals(topParent.getEntries().get(1).getPermission(), BasePermission.WRITE);
|
Assert.assertEquals(topParent.getEntries().get(1).getPermission(), BasePermission.WRITE);
|
||||||
Assert.assertEquals(topParent.getEntries().get(1).getSid(), new PrincipalSid("ben"));
|
Assert.assertEquals(topParent.getEntries().get(1).getSid(), new PrincipalSid("ben"));
|
||||||
Assert.assertFalse(((AuditableAccessControlEntry) topParent.getEntries().get(1)).isAuditFailure());
|
Assert.assertFalse(((AuditableAccessControlEntry) topParent.getEntries().get(1)).isAuditFailure());
|
||||||
|
@ -211,9 +209,9 @@ public class BasicLookupStrategyTests {
|
||||||
Assert.assertFalse(((AuditableAccessControlEntry) topParent.getEntries().get(1)).isGranting());
|
Assert.assertFalse(((AuditableAccessControlEntry) topParent.getEntries().get(1)).isGranting());
|
||||||
|
|
||||||
Assert.assertTrue(middleParent.isEntriesInheriting());
|
Assert.assertTrue(middleParent.isEntriesInheriting());
|
||||||
Assert.assertEquals(middleParent.getId(), new Long(2));
|
Assert.assertEquals(middleParent.getId(), Long.valueOf(2));
|
||||||
Assert.assertEquals(middleParent.getOwner(), new PrincipalSid("ben"));
|
Assert.assertEquals(middleParent.getOwner(), new PrincipalSid("ben"));
|
||||||
Assert.assertEquals(middleParent.getEntries().get(0).getId(), new Long(3));
|
Assert.assertEquals(middleParent.getEntries().get(0).getId(), Long.valueOf(3));
|
||||||
Assert.assertEquals(middleParent.getEntries().get(0).getPermission(), BasePermission.DELETE);
|
Assert.assertEquals(middleParent.getEntries().get(0).getPermission(), BasePermission.DELETE);
|
||||||
Assert.assertEquals(middleParent.getEntries().get(0).getSid(), new PrincipalSid("ben"));
|
Assert.assertEquals(middleParent.getEntries().get(0).getSid(), new PrincipalSid("ben"));
|
||||||
Assert.assertFalse(((AuditableAccessControlEntry) middleParent.getEntries().get(0)).isAuditFailure());
|
Assert.assertFalse(((AuditableAccessControlEntry) middleParent.getEntries().get(0)).isAuditFailure());
|
||||||
|
@ -221,9 +219,9 @@ public class BasicLookupStrategyTests {
|
||||||
Assert.assertTrue(((AuditableAccessControlEntry) middleParent.getEntries().get(0)).isGranting());
|
Assert.assertTrue(((AuditableAccessControlEntry) middleParent.getEntries().get(0)).isGranting());
|
||||||
|
|
||||||
Assert.assertTrue(child.isEntriesInheriting());
|
Assert.assertTrue(child.isEntriesInheriting());
|
||||||
Assert.assertEquals(child.getId(), new Long(3));
|
Assert.assertEquals(child.getId(), Long.valueOf(3));
|
||||||
Assert.assertEquals(child.getOwner(), new PrincipalSid("ben"));
|
Assert.assertEquals(child.getOwner(), new PrincipalSid("ben"));
|
||||||
Assert.assertEquals(child.getEntries().get(0).getId(), new Long(4));
|
Assert.assertEquals(child.getEntries().get(0).getId(), Long.valueOf(4));
|
||||||
Assert.assertEquals(child.getEntries().get(0).getPermission(), BasePermission.DELETE);
|
Assert.assertEquals(child.getEntries().get(0).getPermission(), BasePermission.DELETE);
|
||||||
Assert.assertEquals(child.getEntries().get(0).getSid(), new PrincipalSid("ben"));
|
Assert.assertEquals(child.getEntries().get(0).getSid(), new PrincipalSid("ben"));
|
||||||
Assert.assertFalse(((AuditableAccessControlEntry) child.getEntries().get(0)).isAuditFailure());
|
Assert.assertFalse(((AuditableAccessControlEntry) child.getEntries().get(0)).isAuditFailure());
|
||||||
|
@ -236,10 +234,10 @@ public class BasicLookupStrategyTests {
|
||||||
String query = "INSERT INTO acl_object_identity(ID,OBJECT_ID_CLASS,OBJECT_ID_IDENTITY,PARENT_OBJECT,OWNER_SID,ENTRIES_INHERITING) VALUES (4,2,103,1,1,1);";
|
String query = "INSERT INTO acl_object_identity(ID,OBJECT_ID_CLASS,OBJECT_ID_IDENTITY,PARENT_OBJECT,OWNER_SID,ENTRIES_INHERITING) VALUES (4,2,103,1,1,1);";
|
||||||
jdbcTemplate.execute(query);
|
jdbcTemplate.execute(query);
|
||||||
|
|
||||||
ObjectIdentity topParentOid = new ObjectIdentityImpl(TARGET_CLASS, new Long(100));
|
ObjectIdentity topParentOid = new ObjectIdentityImpl(TARGET_CLASS, Long.valueOf(100));
|
||||||
ObjectIdentity middleParentOid = new ObjectIdentityImpl(TARGET_CLASS, new Integer(101));
|
ObjectIdentity middleParentOid = new ObjectIdentityImpl(TARGET_CLASS, Long.valueOf(101));
|
||||||
ObjectIdentity childOid = new ObjectIdentityImpl(TARGET_CLASS, new Long(102));
|
ObjectIdentity childOid = new ObjectIdentityImpl(TARGET_CLASS, Long.valueOf(102));
|
||||||
ObjectIdentity middleParent2Oid = new ObjectIdentityImpl(TARGET_CLASS, new Long(103));
|
ObjectIdentity middleParent2Oid = new ObjectIdentityImpl(TARGET_CLASS, Long.valueOf(103));
|
||||||
|
|
||||||
// Retrieve the child
|
// Retrieve the child
|
||||||
Map<ObjectIdentity, Acl> map = this.strategy.readAclsById(Arrays.asList(childOid), null);
|
Map<ObjectIdentity, Acl> map = this.strategy.readAclsById(Arrays.asList(childOid), null);
|
||||||
|
|
|
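Review bot: Among the `new Long(...)` to `Long.valueOf(...)` replacements, `middleParentOid` also changes type, from `new Integer(101)` to `Long.valueOf(101)`, which the commit message does not mention. If the Integer was deliberate, the test no longer covers reading an ACL through an identifier whose numeric type presumably differs from the one loaded from the database. Either keep `Integer.valueOf(101)` on that line, or add a comment such as `// identifier must be a Long to match the value read from acl_object_identity` stating why Long is required. The enclosing test method starts and ends outside the hunk.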
@ -30,17 +30,9 @@
|
||||||
<constructor-arg>
|
<constructor-arg>
|
||||||
<bean class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
|
<bean class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
|
||||||
<constructor-arg>
|
<constructor-arg>
|
||||||
<list>
|
|
||||||
<bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
|
<bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
|
||||||
<constructor-arg value="ROLE_ADMINISTRATOR"/>
|
<constructor-arg value="ROLE_ADMINISTRATOR"/>
|
||||||
</bean>
|
</bean>
|
||||||
<bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
|
|
||||||
<constructor-arg value="ROLE_ADMINISTRATOR"/>
|
|
||||||
</bean>
|
|
||||||
<bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
|
|
||||||
<constructor-arg value="ROLE_ADMINISTRATOR"/>
|
|
||||||
</bean>
|
|
||||||
</list>
|
|
||||||
</constructor-arg>
|
</constructor-arg>
|
||||||
</bean>
|
</bean>
|
||||||
</constructor-arg>
|
</constructor-arg>
|
||||||
|
|
|
@ -37,7 +37,7 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
|
||||||
*
|
*
|
||||||
* @author David Leal
|
* @author David Leal
|
||||||
* @author Ben Alex
|
* @author Ben Alex
|
||||||
* @Author Luke Taylor
|
* @author Luke Taylor
|
||||||
*/
|
*/
|
||||||
@ContextConfiguration(locations={
|
@ContextConfiguration(locations={
|
||||||
"/applicationContext-security.xml",
|
"/applicationContext-security.xml",
|
||||||
|
|