public class DefaultPermissionGrantingStrategy extends Object implements PermissionGrantingStrategy
Constructor and Description |
---|
DefaultPermissionGrantingStrategy(AuditLogger auditLogger)
Creates an instance with the logger which will be used to record granting and denial of requested permissions.
|
public DefaultPermissionGrantingStrategy(AuditLogger auditLogger)
public boolean isGranted(Acl acl, List<Permission> permission, List<Sid> sids, boolean administrativeMode) throws NotFoundException
permission
and sid
arguments is
extremely important! The method will iterate through each of the permission
s in the order
specified. For each iteration, all of the sid
s will be considered, again in the order they are
presented. A search will then be performed for the first AccessControlEntry
object that directly
matches that permission:sid
combination. When the first full match is found (ie an ACE
that has the SID currently being searched for and the exact permission bit mask being search for), the grant or
deny flag for that ACE will prevail. If the ACE specifies to grant access, the method will return
true
. If the ACE specifies to deny access, the loop will stop and the next permission
iteration will be performed. If each permission indicates to deny access, the first deny ACE found will be
considered the reason for the failure (as it was the first match found, and is therefore the one most logically
requiring changes - although not always). If absolutely no matching ACE was found at all for any permission,
the parent ACL will be tried (provided that there is a parent and Acl.isEntriesInheriting()
is
true
. The parent ACL will also scan its parent and so on. If ultimately no matching ACE is found,
a NotFoundException
will be thrown and the caller will need to decide how to handle the permission
check. Similarly, if any of the SID arguments presented to the method were not loaded by the ACL,
UnloadedSidException
will be thrown.isGranted
in interface PermissionGrantingStrategy
permission
- the exact permissions to scan for (order is important)sids
- the exact SIDs to scan for (order is important)administrativeMode
- if true
denotes the query is for administrative purposes and no auditing
will be undertakentrue
if one of the permissions has been granted, false
if one of the
permissions has been specifically revokedNotFoundException
- if an exact ACE for one of the permission bit masks and SID combination could not be
found