org.springframework.security.acls.domain
Class AclImpl

java.lang.Object
  extended by org.springframework.security.acls.domain.AclImpl
All Implemented Interfaces:
Serializable, Acl, AuditableAcl, MutableAcl, OwnershipAcl

public class AclImpl
extends Object
implements Acl, MutableAcl, AuditableAcl, OwnershipAcl

Base implementation of Acl.

See Also:
Serialized Form

Constructor Summary
AclImpl(ObjectIdentity objectIdentity, Serializable id, AclAuthorizationStrategy aclAuthorizationStrategy, AuditLogger auditLogger)
          Minimal constructor, which should be used by MutableAclService.createAcl(ObjectIdentity).
AclImpl(ObjectIdentity objectIdentity, Serializable id, AclAuthorizationStrategy aclAuthorizationStrategy, AuditLogger auditLogger, Acl parentAcl, List<Sid> loadedSids, boolean entriesInheriting, Sid owner)
          Deprecated. Use the version which takes a PermissionGrantingStrategy argument instead.
AclImpl(ObjectIdentity objectIdentity, Serializable id, AclAuthorizationStrategy aclAuthorizationStrategy, PermissionGrantingStrategy grantingStrategy, Acl parentAcl, List<Sid> loadedSids, boolean entriesInheriting, Sid owner)
          Full constructor, which should be used by persistence tools that do not provide field-level access features.
 
Method Summary
 void deleteAce(int aceIndex)
           
 boolean equals(Object obj)
           
 List<AccessControlEntry> getEntries()
          Returns all of the entries represented by the present Acl.
 Serializable getId()
          Obtains an identifier that represents this MutableAcl.
 ObjectIdentity getObjectIdentity()
          Obtains the domain object this Acl provides entries for.
 Sid getOwner()
          Determines the owner of the Acl.
 Acl getParentAcl()
          A domain object may have a parent for the purpose of ACL inheritance.
 void insertAce(int atIndexLocation, Permission permission, Sid sid, boolean granting)
           
 boolean isEntriesInheriting()
          Indicates whether the ACL entries from the Acl.getParentAcl() should flow down into the current Acl.
 boolean isGranted(List<Permission> permission, List<Sid> sids, boolean administrativeMode)
          Delegates to the PermissionGrantingStrategy.
 boolean isSidLoaded(List<Sid> sids)
          For efficiency reasons an Acl may be loaded and not contain entries for every Sid in the system.
 void setEntriesInheriting(boolean entriesInheriting)
          Change the value returned by Acl.isEntriesInheriting().
 void setOwner(Sid newOwner)
          Changes the present owner to a different owner.
 void setParent(Acl newParent)
          Changes the parent of this ACL.
 String toString()
           
 void updateAce(int aceIndex, Permission permission)
           
 void updateAuditing(int aceIndex, boolean auditSuccess, boolean auditFailure)
           
 
Methods inherited from class java.lang.Object
clone, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Constructor Detail

AclImpl

public AclImpl(ObjectIdentity objectIdentity,
               Serializable id,
               AclAuthorizationStrategy aclAuthorizationStrategy,
               AuditLogger auditLogger)
Minimal constructor, which should be used by MutableAclService.createAcl(ObjectIdentity).

Parameters:
objectIdentity - the object identity this ACL relates to (required)
id - the primary key assigned to this ACL (required)
aclAuthorizationStrategy - authorization strategy (required)
auditLogger - audit logger (required)

AclImpl

@Deprecated
public AclImpl(ObjectIdentity objectIdentity,
                          Serializable id,
                          AclAuthorizationStrategy aclAuthorizationStrategy,
                          AuditLogger auditLogger,
                          Acl parentAcl,
                          List<Sid> loadedSids,
                          boolean entriesInheriting,
                          Sid owner)
Deprecated. Use the version which takes a PermissionGrantingStrategy argument instead.


AclImpl

public AclImpl(ObjectIdentity objectIdentity,
               Serializable id,
               AclAuthorizationStrategy aclAuthorizationStrategy,
               PermissionGrantingStrategy grantingStrategy,
               Acl parentAcl,
               List<Sid> loadedSids,
               boolean entriesInheriting,
               Sid owner)
Full constructor, which should be used by persistence tools that do not provide field-level access features.

Parameters:
objectIdentity - the object identity this ACL relates to
id - the primary key assigned to this ACL
aclAuthorizationStrategy - authorization strategy
grantingStrategy - the PermissionGrantingStrategy which will be used by the isGranted() method
parentAcl - the parent (may be null)
loadedSids - the loaded SIDs if only a subset were loaded (may be null)
entriesInheriting - if ACEs from the parent should inherit into this ACL
owner - the owner (required)

Method Detail

deleteAce

public void deleteAce(int aceIndex)
               throws NotFoundException
Specified by:
deleteAce in interface MutableAcl
Throws:
NotFoundException

insertAce

public void insertAce(int atIndexLocation,
                      Permission permission,
                      Sid sid,
                      boolean granting)
               throws NotFoundException
Specified by:
insertAce in interface MutableAcl
Throws:
NotFoundException

getEntries

public List<AccessControlEntry> getEntries()
Description copied from interface: Acl
Returns all of the entries represented by the present Acl. Entries associated with the Acl parents are not returned.

This method is typically used for administrative purposes.

The order in which entries appear in the list is important for methods declared in the MutableAcl interface. Furthermore, some implementations MAY use ordering as part of advanced permission checking.

Do NOT use this method for making authorization decisions. Instead use Acl.isGranted(List, List, boolean).

This method must operate correctly even if the Acl only represents a subset of Sids. The caller is responsible for correctly handling the result if only a subset of Sids is represented.

Specified by:
getEntries in interface Acl
Returns:
the list of entries represented by the Acl, or null if there are no entries presently associated with this Acl.

getId

public Serializable getId()
Description copied from interface: MutableAcl
Obtains an identifier that represents this MutableAcl.

Specified by:
getId in interface MutableAcl
Returns:
the identifier, or null if unsaved

getObjectIdentity

public ObjectIdentity getObjectIdentity()
Description copied from interface: Acl
Obtains the domain object this Acl provides entries for. This is immutable once an Acl is created.

Specified by:
getObjectIdentity in interface Acl
Returns:
the object identity (never null)

isEntriesInheriting

public boolean isEntriesInheriting()
Description copied from interface: Acl
Indicates whether the ACL entries from the Acl.getParentAcl() should flow down into the current Acl.

The mere link between an Acl and a parent Acl on its own is insufficient to cause ACL entries to inherit down. This is because a domain object may wish to have entirely independent entries, but maintain the link with the parent for navigation purposes. Thus, this method denotes whether or not the navigation relationship also extends to the actual inheritance of entries.

Specified by:
isEntriesInheriting in interface Acl
Returns:
true if parent ACL entries inherit into the current Acl

isGranted

public boolean isGranted(List<Permission> permission,
                         List<Sid> sids,
                         boolean administrativeMode)
                  throws NotFoundException,
                         UnloadedSidException
Delegates to the PermissionGrantingStrategy.

Specified by:
isGranted in interface Acl
Parameters:
permission - the permission or permissions required (at least one entry required)
sids - the security identities held by the principal (at least one entry required)
administrativeMode - if true denotes the query is for administrative purposes and no logging or auditing (if supported by the implementation) should be undertaken
Returns:
true if authorization is granted
Throws:
UnloadedSidException - if the passed SIDs are unknown to this ACL because the ACL was only loaded for a subset of SIDs
NotFoundException - MUST be thrown if an implementation cannot make an authoritative authorization decision, usually because there is no ACL information for this particular permission and/or SID
See Also:
DefaultPermissionGrantingStrategy

isSidLoaded

public boolean isSidLoaded(List<Sid> sids)
Description copied from interface: Acl
For efficiency reasons an Acl may be loaded and not contain entries for every Sid in the system. If an Acl has been loaded and does not represent every Sid, all methods of the Acl can only be used within the limited scope of the Sid instances it actually represents.

It is normal to load an Acl for only particular Sids if read-only authorization decisions are being made. However, if user interface reporting or modification of Acls is desired, an Acl should be loaded with all Sids. This method denotes whether or not the specified Sids have been loaded.

Specified by:
isSidLoaded in interface Acl
Parameters:
sids - one or more security identities the caller is interested in knowing whether this Sid supports
Returns:
true if every passed Sid is represented by this Acl instance

setEntriesInheriting

public void setEntriesInheriting(boolean entriesInheriting)
Description copied from interface: MutableAcl
Change the value returned by Acl.isEntriesInheriting().

Specified by:
setEntriesInheriting in interface MutableAcl
Parameters:
entriesInheriting - the new value

setOwner

public void setOwner(Sid newOwner)
Description copied from interface: MutableAcl
Changes the present owner to a different owner.

Specified by:
setOwner in interface MutableAcl
Specified by:
setOwner in interface OwnershipAcl
Parameters:
newOwner - the new owner (mandatory; cannot be null)

getOwner

public Sid getOwner()
Description copied from interface: Acl
Determines the owner of the Acl. The meaning of ownership varies by implementation and is unspecified.

Specified by:
getOwner in interface Acl
Returns:
the owner (may be null if the implementation does not use ownership concepts)

setParent

public void setParent(Acl newParent)
Description copied from interface: MutableAcl
Changes the parent of this ACL.

Specified by:
setParent in interface MutableAcl
Parameters:
newParent - the new parent

getParentAcl

public Acl getParentAcl()
Description copied from interface: Acl
A domain object may have a parent for the purpose of ACL inheritance. If there is a parent, its ACL can be accessed via this method. In turn, the parent's parent (grandparent) can be accessed and so on.

This method solely represents the presence of a navigation hierarchy between the parent Acl and this Acl. For actual inheritance to take place, the Acl.isEntriesInheriting() must also be true.

This method must operate correctly even if the Acl only represents a subset of Sids. The caller is responsible for correctly handling the result if only a subset of Sids is represented.

Specified by:
getParentAcl in interface Acl
Returns:
the parent Acl (may be null if this Acl does not have a parent)
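The example below is added here and is not part of the Spring Security Javadoc. It shows how isGranted, isEntriesInheriting and getParentAcl interact, and how a caller can treat NotFoundException and UnloadedSidException as a denial. It assumes the spring-security-acl and spring-security-core jars (3.1 or later) are on the classpath; the class name AclInheritanceDemo, the helper allowed(), the authority ROLE_ACL_ADMIN, the object types demo.Folder and demo.Document, and the principals alice and bob are constructed for illustration.

```java
import java.util.Arrays;
import org.springframework.security.acls.domain.*;
import org.springframework.security.acls.model.*;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

public class AclInheritanceDemo {

    // Fail closed: no authoritative decision or an unloaded SID both mean "deny".
    static boolean allowed(Acl acl, Permission permission, Sid sid) {
        try {
            return acl.isGranted(Arrays.asList(permission), Arrays.asList(sid), false);
        } catch (NotFoundException | UnloadedSidException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // AclImpl mutators call AclAuthorizationStrategy.securityCheck(), so the
        // current thread needs an authenticated principal with the admin authority.
        GrantedAuthority admin = new SimpleGrantedAuthority("ROLE_ACL_ADMIN"); // constructed
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("admin", "n/a", "ROLE_ACL_ADMIN"));
        AclAuthorizationStrategy authz =
                new AclAuthorizationStrategyImpl(new GrantedAuthority[] {admin, admin, admin});
        AuditLogger audit = new ConsoleAuditLogger();
        Sid alice = new PrincipalSid("alice"); // constructed sample principals
        Sid bob = new PrincipalSid("bob");

        // Parent ACL: alice may READ the folder.
        MutableAcl folder = new AclImpl(new ObjectIdentityImpl("demo.Folder", 1L), 1L, authz, audit);
        folder.insertAce(0, BasePermission.READ, alice, true);

        // Child ACL with no entries of its own, linked to the folder.
        MutableAcl doc = new AclImpl(new ObjectIdentityImpl("demo.Document", 2L), 2L, authz, audit);
        doc.setParent(folder);

        doc.setEntriesInheriting(true);  // lookups continue into the parent
        System.out.println("inheriting, alice READ: " + allowed(doc, BasePermission.READ, alice));
        System.out.println("inheriting, bob READ:   " + allowed(doc, BasePermission.READ, bob));

        doc.setEntriesInheriting(false); // parent link stays, entries stop flowing down
        System.out.println("parent still linked:    " + (doc.getParentAcl() != null));
        System.out.println("isolated, alice READ:   " + allowed(doc, BasePermission.READ, alice));
        SecurityContextHolder.clearContext();
    }
}
```

Catching both exceptions in one place keeps the authorization decision on isGranted, as the getEntries description requires, and makes a missing entry a denial rather than an unhandled error.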

updateAce

public void updateAce(int aceIndex,
                      Permission permission)
               throws NotFoundException
Specified by:
updateAce in interface MutableAcl
Throws:
NotFoundException

updateAuditing

public void updateAuditing(int aceIndex,
                           boolean auditSuccess,
                           boolean auditFailure)
Specified by:
updateAuditing in interface AuditableAcl

equals

public boolean equals(Object obj)
Overrides:
equals in class Object

toString

public String toString()
Overrides:
toString in class Object