java.lang.Object
  org.springframework.security.acls.domain.AclImpl
public class AclImpl
Base implementation of Acl.
Constructor Summary | |
---|---|
AclImpl(ObjectIdentity objectIdentity, Serializable id, AclAuthorizationStrategy aclAuthorizationStrategy, AuditLogger auditLogger) | Minimal constructor, which should be used by MutableAclService.createAcl(ObjectIdentity). |
AclImpl(ObjectIdentity objectIdentity, Serializable id, AclAuthorizationStrategy aclAuthorizationStrategy, AuditLogger auditLogger, Acl parentAcl, List<Sid> loadedSids, boolean entriesInheriting, Sid owner) | Full constructor, which should be used by persistence tools that do not provide field-level access features. |
Method Summary | | |
---|---|---|
void | deleteAce(int aceIndex) | |
boolean | equals(Object obj) | |
List<AccessControlEntry> | getEntries() | Returns all of the entries represented by the present Acl. |
Serializable | getId() | Obtains an identifier that represents this MutableAcl. |
ObjectIdentity | getObjectIdentity() | Obtains the domain object this Acl provides entries for. |
Sid | getOwner() | Determines the owner of the Acl. |
Acl | getParentAcl() | A domain object may have a parent for the purpose of ACL inheritance. |
void | insertAce(int atIndexLocation, Permission permission, Sid sid, boolean granting) | |
boolean | isEntriesInheriting() | Indicates whether the ACL entries from the Acl.getParentAcl() should flow down into the current Acl. |
boolean | isGranted(List<Permission> permission, List<Sid> sids, boolean administrativeMode) | Determines authorization. |
boolean | isSidLoaded(List<Sid> sids) | For efficiency reasons an Acl may be loaded and not contain entries for every Sid in the system. |
void | setEntriesInheriting(boolean entriesInheriting) | Change the value returned by Acl.isEntriesInheriting(). |
void | setOwner(Sid newOwner) | Changes the present owner to a different owner. |
void | setParent(Acl newParent) | Changes the parent of this ACL. |
String | toString() | |
void | updateAce(int aceIndex, Permission permission) | |
void | updateAuditing(int aceIndex, boolean auditSuccess, boolean auditFailure) | |
Methods inherited from class java.lang.Object |
---|
clone, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait |
Constructor Detail |
---|
public AclImpl(ObjectIdentity objectIdentity, Serializable id, AclAuthorizationStrategy aclAuthorizationStrategy, AuditLogger auditLogger)
Minimal constructor, which should be used by MutableAclService.createAcl(ObjectIdentity).
Parameters:
objectIdentity - the object identity this ACL relates to (required)
id - the primary key assigned to this ACL (required)
aclAuthorizationStrategy - authorization strategy (required)
auditLogger - audit logger (required)

public AclImpl(ObjectIdentity objectIdentity, Serializable id, AclAuthorizationStrategy aclAuthorizationStrategy, AuditLogger auditLogger, Acl parentAcl, List<Sid> loadedSids, boolean entriesInheriting, Sid owner)
Full constructor, which should be used by persistence tools that do not provide field-level access features.
Parameters:
objectIdentity - the object identity this ACL relates to (required)
id - the primary key assigned to this ACL (required)
aclAuthorizationStrategy - authorization strategy (required)
auditLogger - audit logger (required)
parentAcl - the parent (may be null)
loadedSids - the loaded SIDs if only a subset were loaded (may be null)
entriesInheriting - if ACEs from the parent should inherit into this ACL
owner - the owner (required)

Method Detail |
---|
public void deleteAce(int aceIndex) throws NotFoundException
Specified by: deleteAce in interface MutableAcl
Throws: NotFoundException

public void insertAce(int atIndexLocation, Permission permission, Sid sid, boolean granting) throws NotFoundException
Specified by: insertAce in interface MutableAcl
Throws: NotFoundException

public List<AccessControlEntry> getEntries()
Returns all of the entries represented by the present Acl.
This method is typically used for administrative purposes.
The order that entries appear in the array is important for methods declared in the MutableAcl interface. Furthermore, some implementations MAY use ordering as part of advanced permission checking.
Do NOT use this method for making authorization decisions. Instead use Acl.isGranted(List, List, boolean).
This method must operate correctly even if the Acl only represents a subset of Sids. The caller is responsible for correctly handling the result if only a subset of Sids is represented.
Specified by: getEntries in interface Acl
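
public Serializable getId()
Obtains an identifier that represents this MutableAcl.
Specified by: getId in interface MutableAcl

public ObjectIdentity getObjectIdentity()
Obtains the domain object this Acl provides entries for.
Specified by: getObjectIdentity in interface Acl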

public boolean isEntriesInheriting()
Indicates whether the ACL entries from the Acl.getParentAcl() should flow down into the current Acl.
The mere link between an Acl and a parent Acl on its own is insufficient to cause ACL entries to inherit down. This is because a domain object may wish to have entirely independent entries, but maintain the link with the parent for navigation purposes. Thus, this method denotes whether or not the navigation relationship also extends to the actual inheritance of entries.
Specified by: isEntriesInheriting in interface Acl

public boolean isGranted(List<Permission> permission, List<Sid> sids, boolean administrativeMode) throws NotFoundException, UnloadedSidException
Determines authorization. The order of the permission and sid arguments is extremely important! The method will iterate through each of the permissions in the order specified. For each iteration, all of the sids will be considered, again in the order they are presented. A search will then be performed for the first AccessControlEntry object that directly matches that permission:sid combination.
When the first full match is found (i.e. an ACE that has the SID currently being searched for and the exact permission bit mask being searched for), the grant or deny flag for that ACE will prevail. If the ACE specifies to grant access, the method will return true. If the ACE specifies to deny access, the loop will stop and the next permission iteration will be performed. If each permission indicates to deny access, the first deny ACE found will be considered the reason for the failure (as it was the first match found, and is therefore the one most logically requiring changes - although not always).
If absolutely no matching ACE was found at all for any permission, the parent ACL will be tried (provided that there is a parent and isEntriesInheriting() is true). The parent ACL will also scan its parent and so on. If ultimately no matching ACE is found, a NotFoundException will be thrown and the caller will need to decide how to handle the permission check. Similarly, if any of the SID arguments presented to the method were not loaded by the ACL, UnloadedSidException will be thrown.
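A model of the lookup order described above for isGranted, added here as an example; it is not Spring Security's code. Ace, Acl, NoMatchException, the SID strings and the READ mask are hypothetical stand-ins (Java 16+ records), and SID loading and auditing are left out. It shows the same ACL denying or granting depending on which SID is listed first, and the parent being consulted only when entries inherit.

```java
import java.util.List;

// Added model of the documented lookup order. Ace, Acl and NoMatchException are
// hypothetical stand-ins, not Spring Security classes; SIDs and masks are constructed.
public class AclLookupModel {
    static final int READ = 1;

    record Ace(String sid, int mask, boolean granting) {}

    static class NoMatchException extends RuntimeException {} // stands in for NotFoundException

    record Acl(List<Ace> entries, Acl parent, boolean entriesInheriting) {
        boolean isGranted(List<Integer> masks, List<String> sids) {
            boolean denied = false;
            for (int mask : masks) {                  // permissions, in the caller's order
                sidScan:
                for (String sid : sids) {             // SIDs, in the caller's order
                    for (Ace ace : entries) {         // first ACE with this exact SID and mask
                        if (ace.sid().equals(sid) && ace.mask() == mask) {
                            if (ace.granting()) return true;
                            denied = true;            // deny: stop, move to the next permission
                            break sidScan;
                        }
                    }
                }
            }
            if (denied) return false;                 // a local deny is final; parent is not asked
            if (parent != null && entriesInheriting) return parent.isGranted(masks, sids);
            throw new NoMatchException();             // no match anywhere: the caller decides
        }
    }

    public static void main(String[] args) {
        Acl folder = new Acl(List.of(new Ace("ROLE_STAFF", READ, true)), null, false);
        Acl report = new Acl(List.of(new Ace("alice", READ, false),
                                     new Ace("ROLE_STAFF", READ, true)), folder, true);
        // Same ACL, same two SIDs: only the order of the sids argument differs.
        System.out.println(report.isGranted(List.of(READ), List.of("alice", "ROLE_STAFF")));
        System.out.println(report.isGranted(List.of(READ), List.of("ROLE_STAFF", "alice")));
        // No local entries: the parent link alone is not enough, the flag must be set.
        System.out.println(new Acl(List.of(), folder, true).isGranted(List.of(READ), List.of("ROLE_STAFF")));
        try {
            new Acl(List.of(), folder, false).isGranted(List.of(READ), List.of("ROLE_STAFF"));
        } catch (NoMatchException e) {
            System.out.println("no matching ACE; this example treats it as not granted");
        }
    }
}
```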
Specified by: isGranted in interface Acl
Parameters:
permission - the exact permissions to scan for (order is important)
sids - the exact SIDs to scan for (order is important)
administrativeMode - if true denotes the query is for administrative purposes and no auditing will be undertaken
Returns:
true if one of the permissions has been granted, false if one of the permissions has been specifically revoked
Throws:
NotFoundException - if an exact ACE for one of the permission bit masks and SID combination could not be found
UnloadedSidException - if the passed SIDs are unknown to this ACL because the ACL was only loaded for a subset of SIDs

public boolean isSidLoaded(List<Sid> sids)
For efficiency reasons an Acl may be loaded and not contain entries for every Sid in the system.
It is normal to load an Acl for only particular Sids if read-only authorization decisions are being made. However, if user interface reporting or modification of Acls are desired, an Acl should be loaded with all Sids. This method denotes whether or not the specified Sids have been loaded.
Specified by: isSidLoaded in interface Acl
Parameters:
sids - one or more security identities the caller is interested in knowing whether this Sid supports

public void setEntriesInheriting(boolean entriesInheriting)
Change the value returned by Acl.isEntriesInheriting().
Specified by: setEntriesInheriting in interface MutableAcl
Parameters:
entriesInheriting - the new value

public void setOwner(Sid newOwner)
Changes the present owner to a different owner.
Specified by: setOwner in interface MutableAcl
Specified by: setOwner in interface OwnershipAcl
Parameters:
newOwner - the new owner (mandatory; cannot be null)

public Sid getOwner()
Determines the owner of the Acl.
Specified by: getOwner in interface Acl

public void setParent(Acl newParent)
Changes the parent of this ACL.
Specified by: setParent in interface MutableAcl
Parameters:
newParent - the new parent

public Acl getParentAcl()
A domain object may have a parent for the purpose of ACL inheritance.
This method solely represents the presence of a navigation hierarchy between the parent Acl and this Acl. For actual inheritance to take place, the Acl.isEntriesInheriting() must also be true.
This method must operate correctly even if the Acl only represents a subset of Sids. The caller is responsible for correctly handling the result if only a subset of Sids is represented.
Specified by: getParentAcl in interface Acl

public String toString()
Overrides: toString in class Object

public void updateAce(int aceIndex, Permission permission) throws NotFoundException
Specified by: updateAce in interface MutableAcl
Throws: NotFoundException

public void updateAuditing(int aceIndex, boolean auditSuccess, boolean auditFailure)
Specified by: updateAuditing in interface AuditableAcl

public boolean equals(Object obj)
Overrides: equals in class Object