[jboss-cvs] JBossAS SVN: r101692 - projects/security/security-jboss-sx/trunk/acl/src/main/java/org/jboss/security/acl.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Mon Mar 1 20:58:55 EST 2010
Author: sguilhen at redhat.com
Date: 2010-03-01 20:58:54 -0500 (Mon, 01 Mar 2010)
New Revision: 101692
Modified:
projects/security/security-jboss-sx/trunk/acl/src/main/java/org/jboss/security/acl/ACLProviderImpl.java
Log:
SECURITY-460: ACLProviderImpl.isAccessGranted now recursively checks the parent resource ACL when there is no ACL associated with a specific resource. This behavior is enabled by setting the checkParentACL property to true.
Modified: projects/security/security-jboss-sx/trunk/acl/src/main/java/org/jboss/security/acl/ACLProviderImpl.java
===================================================================
--- projects/security/security-jboss-sx/trunk/acl/src/main/java/org/jboss/security/acl/ACLProviderImpl.java 2010-03-02 00:58:04 UTC (rev 101691)
+++ projects/security/security-jboss-sx/trunk/acl/src/main/java/org/jboss/security/acl/ACLProviderImpl.java 2010-03-02 01:58:54 UTC (rev 101692)
@@ -48,9 +48,13 @@
private static final String PERSISTENCE_STRATEGY_OPTION = "persistenceStrategy";
+ private static final String CHECK_PARENT_ACL_OPTION = "checkParentACL";
+
/** persistence strategy used to retrieve the ACLs */
protected ACLPersistenceStrategy strategy;
+ private boolean checkParentACL;
+
/*
* (non-Javadoc)
*
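Review bot: The new `checkParentACL` field has no doc comment, while the neighbouring `strategy` field does, and this flag changes how authorization decisions are reached. A short comment would make the default visible to maintainers, for example `/** when true, a resource without its own ACL falls back to the ACL of its parent resource; false unless the checkParentACL option is set */`.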
@@ -62,6 +66,8 @@
if (strategyClassName == null)
strategyClassName = "org.jboss.security.acl.JPAPersistenceStrategy";
+ this.checkParentACL = Boolean.valueOf((String) options.get(CHECK_PARENT_ACL_OPTION));
+
try
{
Class<?> strategyClass = this.loadClass(strategyClassName);
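Review bot: The `(String)` cast on `options.get(CHECK_PARENT_ACL_OPTION)` will throw a ClassCastException if the option is ever supplied as a `Boolean` rather than a string. The declared type of `options` is not visible in this hunk, so this depends on how the map is populated. A form that tolerates both would be `this.checkParentACL = Boolean.parseBoolean(String.valueOf(options.get(CHECK_PARENT_ACL_OPTION)));`, which still yields false when the option is absent. The enclosing method starts and ends outside the hunk.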
@@ -228,26 +234,53 @@
public boolean isAccessGranted(Resource resource, Identity identity, ACLPermission permission)
throws AuthorizationException
{
- if (this.strategy != null)
+ ACL acl = this.retrieveACL(resource);
+ if (acl != null)
{
- ACL acl = strategy.getACL(resource);
- if (acl != null)
+ ACLEntry entry = acl.getEntry(identity);
+ if (entry != null)
{
- ACLEntry entry = acl.getEntry(identity);
- if (entry != null)
- {
- // check the permission associated with the identity.
- return entry.checkPermission(permission);
- }
- // no entry for identity = deny access
- return false;
+ // check the permission associated with the identity.
+ return entry.checkPermission(permission);
}
- else
- throw new AuthorizationException("Unable to locate an ACL for the resource " + resource);
+ // no entry for identity = deny access
+ return false;
}
- throw new AuthorizationException("Unable to retrieve ACL: persistece strategy not set");
+ else
+ throw new AuthorizationException("Unable to locate an ACL for the resource " + resource);
}
+ /**
+ * <p>
+ * Retrieves the ACL that is to be used to perform authorization decisions on the specified resource. If an ACL
+ * for the specified resource can be located by the strategy, this will be the returned ACL. On the other hand,
+ * if no ACL can be located for the resource then the method verifies if the {@code checkParentACL} property has
+ * been set:
+ * <ol>
+ * <li>if {@code checkParentACL} is true, then check if the resource has a parent resource and try to locate an
+ * ACL for the parent resource recursively. The idea here is that child resources "inherit" the permissions from
+ * the parent resources (instead of providing an ACL that would be a copy of the parent ACL).</li>
+ * <li>if {@code checkParentACL} is false, then {@code null} is returned.</li>
+ * </ol>
+ *
+ * </p>
+ *
+ * @param resource the {@code Resource} that is the target of the authorization decision.
+ * @return the {@code ACL} that is to be used to perform authorization decisions on the resource; {@code null} if
+ * no ACL can be found for the specified resource.
+ */
+ private ACL retrieveACL(Resource resource)
+ {
+ ACL acl = this.strategy.getACL(resource);
+ if (acl == null && this.checkParentACL)
+ {
+ Resource parent = (Resource) resource.getMap().get(ResourceKeys.PARENT_RESOURCE);
+ if (parent != null)
+ acl = retrieveACL(parent);
+ }
+ return acl;
+ }
+
/*
* (non-Javadoc)
*
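Review bot: The rewritten isAccessGranted no longer checks `this.strategy` for null, and retrieveACL dereferences it directly in `this.strategy.getACL(resource)`. A provider whose strategy was never set would therefore fail with a NullPointerException instead of the AuthorizationException the removed lines threw. Access is still refused, but callers that catch AuthorizationException to handle or record the denial would no longer see it. Restoring the guard at the top of isAccessGranted keeps the old contract: `if (this.strategy == null) throw new AuthorizationException("Unable to retrieve ACL: persistence strategy not set");`. In retrieveACL the parent walk also has no cycle guard and calls `resource.getMap().get(...)` without a null check, so a parent chain that loops back on itself would recurse until the stack overflows; a null check on the map plus a visited set or depth limit would bound it.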