[jboss-cvs] JBossAS SVN: r101693 - projects/security/security-jboss-sx/branches/Branch_2_0/acl/src/main/java/org/jboss/security/acl.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Mon Mar 1 21:04:20 EST 2010 

Author: sguilhen at redhat.com
Date: 2010-03-01 21:04:20 -0500 (Mon, 01 Mar 2010)
New Revision: 101693

Modified:
   projects/security/security-jboss-sx/branches/Branch_2_0/acl/src/main/java/org/jboss/security/acl/ACLProviderImpl.java
Log:
SECURITY-460: ACLProviderImpl.isAccessGranted now recursively checks the parent resource ACL when there is no ACL associated with a specific resource. This behavior is enabled by setting the checkParentACL property to true.

Modified: projects/security/security-jboss-sx/branches/Branch_2_0/acl/src/main/java/org/jboss/security/acl/ACLProviderImpl.java
===================================================================
--- projects/security/security-jboss-sx/branches/Branch_2_0/acl/src/main/java/org/jboss/security/acl/ACLProviderImpl.java	2010-03-02 01:58:54 UTC (rev 101692)
+++ projects/security/security-jboss-sx/branches/Branch_2_0/acl/src/main/java/org/jboss/security/acl/ACLProviderImpl.java	2010-03-02 02:04:20 UTC (rev 101693)
@@ -48,9 +48,13 @@
 
    private static final String PERSISTENCE_STRATEGY_OPTION = "persistenceStrategy";
 
+   private static final String CHECK_PARENT_ACL_OPTION = "checkParentACL";
+   
    /** persistence strategy used to retrieve the ACLs */
    protected ACLPersistenceStrategy strategy;
 
+   private boolean checkParentACL;
+   
    /*
     * (non-Javadoc)
     * 
@@ -62,6 +66,8 @@
       if (strategyClassName == null)
          strategyClassName = "org.jboss.security.acl.JPAPersistenceStrategy";
 
+      this.checkParentACL = Boolean.valueOf((String) options.get(CHECK_PARENT_ACL_OPTION)); 
+         
       try
       {
          Class<?> strategyClass = this.loadClass(strategyClassName);
@@ -228,26 +234,53 @@
    public boolean isAccessGranted(Resource resource, Identity identity, ACLPermission permission)
          throws AuthorizationException
    {
-      if (this.strategy != null)
+      ACL acl = this.retrieveACL(resource);
+      if (acl != null)
       {
-         ACL acl = strategy.getACL(resource);
-         if (acl != null)
+         ACLEntry entry = acl.getEntry(identity);
+         if (entry != null)
          {
-            ACLEntry entry = acl.getEntry(identity);
-            if (entry != null)
-            {
-               // check the permission associated with the identity.
-               return entry.checkPermission(permission);
-            }
-            // no entry for identity = deny access
-            return false;
+            // check the permission associated with the identity.
+            return entry.checkPermission(permission);
          }
-         else
-            throw new AuthorizationException("Unable to locate an ACL for the resource " + resource);
+         // no entry for identity = deny access
+         return false;
       }
-      throw new AuthorizationException("Unable to retrieve ACL: persistece strategy not set");
+      else
+         throw new AuthorizationException("Unable to locate an ACL for the resource " + resource);
    }
 
+   /**
+    * <p>
+    * Retrieves the ACL that is to be used to perform authorization decisions on the specified resource. If an ACL
+    * for the specified resource can be located by the strategy, this will be the returned ACL. On the other hand,
+    * if no ACL can be located for the resource then the method verifies if the {@code checkParentACL} property has
+    * been set:
+    * <ol>
+    *   <li>if {@code checkParentACL} is true, then check if the resource has a parent resource and try to locate an
+    *   ACL for the parent resource recursively. The idea here is that child resources "inherit" the permissions from
+    *   the parent resources (instead of providing an ACL that would be a copy of the parent ACL).</li>
+    *   <li>if {@code checkParentACL} is false, then {@code null} is returned.</li>
+    * </ol>
+    * 
+    * </p>
+    * 
+    * @param resource the {@code Resource} that is the target of the authorization decision.
+    * @return the {@code ACL} that is to be used to perform authorization decisions on the resource; {@code null} if
+    * no ACL can be found for the specified resource.
+    */
+   private ACL retrieveACL(Resource resource)
+   {
+      ACL acl = this.strategy.getACL(resource);
+      if (acl == null && this.checkParentACL)
+      {
+         Resource parent = (Resource) resource.getMap().get(ResourceKeys.PARENT_RESOURCE);
+         if (parent != null)
+            acl = retrieveACL(parent);
+      }
+      return acl;
+   }
+   
    /*
     * (non-Javadoc)
     *

More information about the jboss-cvs-commits mailing list